plugx | 13282c40dd66c53e866c60202f428781cf9562bb0f02e30027ebb7fb41efb5b8

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Pesoshucapu.exe

Loads dropped DLL 44 IoCs

pid	Process
1156	331317B4CAE70B90441E0A2C8FB2E6C6.tmp
740	i-record.exe
740	i-record.exe
740	i-record.exe
740	i-record.exe
740	i-record.exe
740	i-record.exe
740	i-record.exe
740	i-record.exe
4372	installer.exe
4372	installer.exe
4868	Setup3310.tmp
4868	Setup3310.tmp
4372	Process not Found
5260	MsiExec.exe
5260	MsiExec.exe
5572	rUNdlL32.eXe
5076	MsiExec.exe
5432	LabPicV3.tmp
5076	MsiExec.exe
5584	lylal220.tmp
5316	LogonUI.exe
5316	LogonUI.exe
5076	MsiExec.exe
5076	MsiExec.exe
5076	MsiExec.exe
5076	MsiExec.exe
4556	Nomozhashoxo.exe
5076	MsiExec.exe
5076	MsiExec.exe
5076	MsiExec.exe
5076	MsiExec.exe
4372	Process not Found
5076	MsiExec.exe
5076	MsiExec.exe
984	i-record.exe
984	i-record.exe
984	i-record.exe
984	i-record.exe
984	i-record.exe
984	i-record.exe
984	i-record.exe
984	i-record.exe
984	i-record.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	6563883.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Bedisevita.exe\""	3316505.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Sidebar\\Wehobywohi.exe\""	4_177039.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Google\\Faejikefaeby.exe\""	Balti.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\J:	Process not Found
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	Process not Found
File opened (read-only)	\??\X:	Process not Found
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	Process not Found
File opened (read-only)	\??\M:	Process not Found
File opened (read-only)	\??\N:	Process not Found
File opened (read-only)	\??\Z:	Process not Found
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\R:	Process not Found
File opened (read-only)	\??\S:	Process not Found
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	Process not Found
File opened (read-only)	\??\K:	Process not Found
File opened (read-only)	\??\Q:	Process not Found
File opened (read-only)	\??\T:	Process not Found
File opened (read-only)	\??\V:	Process not Found
File opened (read-only)	\??\W:	Process not Found
File opened (read-only)	\??\Y:	Process not Found
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	Process not Found
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	Process not Found
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\I:	Process not Found
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	Process not Found
File opened (read-only)	\??\P:	Process not Found
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
93	ipinfo.io
115	ip-api.com
56	ipinfo.io
60	ipinfo.io
88	ip-api.com
90	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2256 set thread context of 5796	2256	svchost.exe	190
PID 5952 set thread context of 5580	5952	Setup.exe	155
PID 2256 set thread context of 5912	2256	svchost.exe	164

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\Pictures Lab.exe	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-4AG0O.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\recording\avformat-53.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-1V300.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\postproc-52.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-4SKAV.tmp	irecord.tmp
File created	C:\Program Files (x86)\Picture Lab\is-DNU5B.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\recording\avcodec-53.dll	irecord.tmp
File created	C:\Program Files (x86)\Windows Portable Devices\Bedisevita.exe.config	3316505.exe
File created	C:\Program Files (x86)\Windows Sidebar\Wehobywohi.exe	4_177039.exe
File created	C:\Program Files (x86)\recording\is-MD9M1.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\swresample-0.dll	irecord.tmp
File created	C:\Program Files\Mozilla Firefox\BPNEGJIQBI\prolab.exe.config	3316505.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceGrid2.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\recording\postproc-52.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\avcodec-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\avutil-51.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\AForge.Video.FFMPEG.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\AForge.Video.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\unins000.dat	irecord.tmp
File created	C:\Program Files (x86)\recording\is-5T437.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe	Setup.exe
File created	C:\Program Files\Mozilla Firefox\BPNEGJIQBI\prolab.exe	3316505.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Math.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\recording\swscale-2.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-U73LT.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-94SSS.tmp	irecord.tmp
File created	C:\Program Files (x86)\Windows Sidebar\Wehobywohi.exe.config	4_177039.exe
File created	C:\Program Files (x86)\recording\is-E7A3H.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\WeifenLuo.WinFormsUI.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-UVNJC.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\recording\i-record.exe	irecord.tmp
File created	C:\Program Files (x86)\recording\is-5MM23.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-5T6PJ.tmp	irecord.tmp
File created	C:\Program Files\Google\AMJJKRXEAR\irecord.exe.config	Balti.exe
File created	C:\Program Files (x86)\recording\is-7OARC.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-OAJPC.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\recording\AForge.Video.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\avutil-51.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-5N4EV.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe	Setup.exe
File created	C:\Program Files\Uninstall Information\XSEOFOPUCV\irecord.exe.config	4_177039.exe
File opened for modification	C:\Program Files (x86)\recording\unins000.dat	irecord.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Imaging.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceLibrary.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-CJELC.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-80CUK.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\recording\avdevice-53.dll	irecord.tmp
File created	C:\Program Files (x86)\Google\Faejikefaeby.exe.config	Balti.exe
File created	C:\Program Files (x86)\recording\is-RCH0A.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-QFGT1.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-L5UFC.tmp	irecord.tmp
File created	C:\Program Files (x86)\Picture Lab\is-R1LLT.tmp	prolab.tmp
File created	C:\Program Files (x86)\Windows Portable Devices\Bedisevita.exe	3316505.exe
File created	C:\Program Files (x86)\recording\is-K9DJL.tmp	irecord.tmp
File created	C:\Program Files\Uninstall Information\XSEOFOPUCV\irecord.exe	4_177039.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe	Setup.exe
File created	C:\Program Files (x86)\recording\is-5KUHF.tmp	irecord.tmp
File created	C:\Program Files\Google\AMJJKRXEAR\irecord.exe	Balti.exe
File opened for modification	C:\Program Files (x86)\recording\Bunifu_UI_v1.52.dll	irecord.tmp

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI8F78.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI921A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA6CC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA9EB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8D34.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E7D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI910F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBBC2.tmp	msiexec.exe
File created	C:\Windows\Installer\f747cc7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8207.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB3FF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB884.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\f747cc7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA844.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD09.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC8E.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI89F7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBD4C.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DllHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DllHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5416	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 39 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	DllHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	DllHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	DllHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	DllHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	DllHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	DllHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	DllHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	DllHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	DllHost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	DllHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	DllHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	DllHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	DllHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{TV2553ZI-PZ3Y-VP7M-68Y0-MJT9X67Z6U7M}	Nomozhashoxo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedHeight = "600"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{WW6060MI-ED3Y-MI7M-57W2-EJZ5M77G1X0K}\1 = "6176"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompletedV = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 0100000004a0b0d0b6cea15886ce4e5de92af6420c02651baab89988c3e067657984e8094d451533ddfe32dd34deddf0297d2edda5e8a91910505c3baf2d918f5602	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedWidth = "800"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{TV2553ZI-PZ3Y-VP7M-68Y0-MJT9X67Z6U7M}	rUNdlL32.eXe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QJ2559JN-BF7A-LM2A-20M4-JBF9M43Q7G3S}	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Pesoshucapu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Pesoshucapu.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4168	PING.EXE

Script User-Agent 11 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	84	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	95	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	97	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	152	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	60	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	62	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	80	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	91	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	93	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	148	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	57	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3392	irecord.tmp
3392	irecord.tmp
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe
1164	Pylopalylae.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	Balti.exe
Token: SeDebugPrivilege	2160	Pesoshucapu.exe
Token: SeDebugPrivilege	1164	Pylopalylae.exe
Token: SeDebugPrivilege	5804	MicrosoftEdge.exe
Token: SeDebugPrivilege	5804	MicrosoftEdge.exe
Token: SeDebugPrivilege	5804	MicrosoftEdge.exe
Token: SeDebugPrivilege	5804	MicrosoftEdge.exe
Token: SeDebugPrivilege	5804	MicrosoftEdge.exe
Token: SeDebugPrivilege	4596	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4596	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4596	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4596	MicrosoftEdgeCP.exe
Token: SeSecurityPrivilege	4980	msiexec.exe
Token: SeCreateTokenPrivilege	4372	Process not Found
Token: SeAssignPrimaryTokenPrivilege	4372	Process not Found
Token: SeLockMemoryPrivilege	4372	Process not Found
Token: SeIncreaseQuotaPrivilege	4372	Process not Found
Token: SeMachineAccountPrivilege	4372	Process not Found
Token: SeTcbPrivilege	4372	Process not Found
Token: SeSecurityPrivilege	4372	Process not Found
Token: SeTakeOwnershipPrivilege	4372	Process not Found
Token: SeLoadDriverPrivilege	4372	Process not Found
Token: SeSystemProfilePrivilege	4372	Process not Found
Token: SeSystemtimePrivilege	4372	Process not Found
Token: SeProfSingleProcessPrivilege	4372	Process not Found
Token: SeIncBasePriorityPrivilege	4372	Process not Found
Token: SeCreatePagefilePrivilege	4372	Process not Found
Token: SeCreatePermanentPrivilege	4372	Process not Found
Token: SeBackupPrivilege	4372	Process not Found
Token: SeRestorePrivilege	4372	Process not Found
Token: SeShutdownPrivilege	4372	Process not Found
Token: SeDebugPrivilege	4372	Process not Found
Token: SeAuditPrivilege	4372	Process not Found
Token: SeSystemEnvironmentPrivilege	4372	Process not Found
Token: SeChangeNotifyPrivilege	4372	Process not Found
Token: SeRemoteShutdownPrivilege	4372	Process not Found
Token: SeUndockPrivilege	4372	Process not Found
Token: SeSyncAgentPrivilege	4372	Process not Found
Token: SeEnableDelegationPrivilege	4372	Process not Found
Token: SeManageVolumePrivilege	4372	Process not Found
Token: SeImpersonatePrivilege	4372	Process not Found
Token: SeCreateGlobalPrivilege	4372	Process not Found
Token: SeCreateTokenPrivilege	4372	Process not Found
Token: SeAssignPrimaryTokenPrivilege	4372	Process not Found
Token: SeLockMemoryPrivilege	4372	Process not Found
Token: SeIncreaseQuotaPrivilege	4372	Process not Found
Token: SeMachineAccountPrivilege	4372	Process not Found
Token: SeTcbPrivilege	4372	Process not Found
Token: SeSecurityPrivilege	4372	Process not Found
Token: SeTakeOwnershipPrivilege	4372	Process not Found
Token: SeLoadDriverPrivilege	4372	Process not Found
Token: SeSystemProfilePrivilege	4372	Process not Found
Token: SeSystemtimePrivilege	4372	Process not Found
Token: SeProfSingleProcessPrivilege	4372	Process not Found
Token: SeIncBasePriorityPrivilege	4372	Process not Found
Token: SeCreatePagefilePrivilege	4372	Process not Found
Token: SeCreatePermanentPrivilege	4372	Process not Found
Token: SeBackupPrivilege	4372	Process not Found
Token: SeRestorePrivilege	4372	Process not Found
Token: SeShutdownPrivilege	4372	Process not Found
Token: SeDebugPrivilege	4372	Process not Found
Token: SeAuditPrivilege	4372	Process not Found
Token: SeSystemEnvironmentPrivilege	4372	Process not Found
Token: SeChangeNotifyPrivilege	4372	Process not Found

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3392	irecord.tmp
4372	installer.exe
4868	Setup3310.tmp
5316	LogonUI.exe
5452	prolab.tmp
5864	irecord.tmp

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5804	MicrosoftEdge.exe
4436	MicrosoftEdgeCP.exe
4436	MicrosoftEdgeCP.exe
5316	LogonUI.exe
5316	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 1156	3016	331317B4CAE70B90441E0A2C8FB2E6C6.exe	74
PID 3016 wrote to memory of 1156	3016	331317B4CAE70B90441E0A2C8FB2E6C6.exe	74
PID 3016 wrote to memory of 1156	3016	331317B4CAE70B90441E0A2C8FB2E6C6.exe	74
PID 1156 wrote to memory of 2968	1156	331317B4CAE70B90441E0A2C8FB2E6C6.tmp	77
PID 1156 wrote to memory of 2968	1156	331317B4CAE70B90441E0A2C8FB2E6C6.tmp	77
PID 2968 wrote to memory of 3144	2968	Balti.exe	80
PID 2968 wrote to memory of 3144	2968	Balti.exe	80
PID 2968 wrote to memory of 3144	2968	Balti.exe	80
PID 3144 wrote to memory of 3392	3144	irecord.exe	81
PID 3144 wrote to memory of 3392	3144	irecord.exe	81
PID 3144 wrote to memory of 3392	3144	irecord.exe	81
PID 2968 wrote to memory of 2160	2968	Balti.exe	82
PID 2968 wrote to memory of 2160	2968	Balti.exe	82
PID 2968 wrote to memory of 1164	2968	Balti.exe	83
PID 2968 wrote to memory of 1164	2968	Balti.exe	83
PID 3392 wrote to memory of 740	3392	irecord.tmp	85
PID 3392 wrote to memory of 740	3392	irecord.tmp	85
PID 3392 wrote to memory of 740	3392	irecord.tmp	85
PID 1164 wrote to memory of 3532	1164	Pylopalylae.exe	88
PID 1164 wrote to memory of 3532	1164	Pylopalylae.exe	88
PID 3532 wrote to memory of 5712	3532	cmd.exe	90
PID 3532 wrote to memory of 5712	3532	cmd.exe	90
PID 3532 wrote to memory of 5712	3532	cmd.exe	90
PID 1164 wrote to memory of 5848	1164	Pylopalylae.exe	92
PID 1164 wrote to memory of 5848	1164	Pylopalylae.exe	92
PID 1164 wrote to memory of 2864	1164	Pylopalylae.exe	95
PID 1164 wrote to memory of 2864	1164	Pylopalylae.exe	95
PID 1164 wrote to memory of 4268	1164	Pylopalylae.exe	97
PID 1164 wrote to memory of 4268	1164	Pylopalylae.exe	97
PID 2864 wrote to memory of 4372	2864	cmd.exe	99
PID 2864 wrote to memory of 4372	2864	cmd.exe	99
PID 2864 wrote to memory of 4372	2864	cmd.exe	99
PID 1164 wrote to memory of 4724	1164	Pylopalylae.exe	102
PID 1164 wrote to memory of 4724	1164	Pylopalylae.exe	102
PID 4724 wrote to memory of 4816	4724	cmd.exe	104
PID 4724 wrote to memory of 4816	4724	cmd.exe	104
PID 4724 wrote to memory of 4816	4724	cmd.exe	104
PID 4816 wrote to memory of 4868	4816	Setup3310.exe	105
PID 4816 wrote to memory of 4868	4816	Setup3310.exe	105
PID 4816 wrote to memory of 4868	4816	Setup3310.exe	105
PID 4980 wrote to memory of 5260	4980	msiexec.exe	108
PID 4980 wrote to memory of 5260	4980	msiexec.exe	108
PID 4980 wrote to memory of 5260	4980	msiexec.exe	108
PID 1164 wrote to memory of 5284	1164	Pylopalylae.exe	109
PID 1164 wrote to memory of 5284	1164	Pylopalylae.exe	109
PID 5284 wrote to memory of 5400	5284	cmd.exe	170
PID 5284 wrote to memory of 5400	5284	cmd.exe	170
PID 5284 wrote to memory of 5400	5284	cmd.exe	170
PID 5400 wrote to memory of 5572	5400	DllHost.exe	112
PID 5400 wrote to memory of 5572	5400	DllHost.exe	112
PID 5400 wrote to memory of 5572	5400	DllHost.exe	112
PID 4372 wrote to memory of 5616	4372	Process not Found	113
PID 4372 wrote to memory of 5616	4372	Process not Found	113
PID 4372 wrote to memory of 5616	4372	Process not Found	113
PID 5572 wrote to memory of 2256	5572	rUNdlL32.eXe	71
PID 1164 wrote to memory of 5668	1164	Pylopalylae.exe	114
PID 1164 wrote to memory of 5668	1164	Pylopalylae.exe	114
PID 5572 wrote to memory of 2852	5572	rUNdlL32.eXe	6
PID 2256 wrote to memory of 5796	2256	svchost.exe	190
PID 2256 wrote to memory of 5796	2256	svchost.exe	190
PID 2256 wrote to memory of 5796	2256	svchost.exe	190
PID 5572 wrote to memory of 68	5572	rUNdlL32.eXe	55
PID 5572 wrote to memory of 2432	5572	rUNdlL32.eXe	25
PID 5572 wrote to memory of 2424	5572	rUNdlL32.eXe	26

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1184

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2852

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2740

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2724

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2432

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1820

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1404

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\331317B4CAE70B90441E0A2C8FB2E6C6.exe
"C:\Users\Admin\AppData\Local\Temp\331317B4CAE70B90441E0A2C8FB2E6C6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\is-H2VBJ.tmp\331317B4CAE70B90441E0A2C8FB2E6C6.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-H2VBJ.tmp\331317B4CAE70B90441E0A2C8FB2E6C6.tmp" /SL5="$4007A,140559,56832,C:\Users\Admin\AppData\Local\Temp\331317B4CAE70B90441E0A2C8FB2E6C6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Users\Admin\AppData\Local\Temp\is-4FHOJ.tmp\Balti.exe
    "C:\Users\Admin\AppData\Local\Temp\is-4FHOJ.tmp\Balti.exe" /S /UID=irecordch3
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Program Files\Google\AMJJKRXEAR\irecord.exe
      "C:\Program Files\Google\AMJJKRXEAR\irecord.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3144
    - - C:\Users\Admin\AppData\Local\Temp\is-A3CJE.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-A3CJE.tmp\irecord.tmp" /SL5="$7005E,6139911,56832,C:\Program Files\Google\AMJJKRXEAR\irecord.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3392
      - C:\Program Files (x86)\recording\i-record.exe
        
        "C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:740
  - - C:\Users\Admin\AppData\Local\Temp\4d-95f6c-294-4c79a-14b0dbd274ce2\Pesoshucapu.exe
      "C:\Users\Admin\AppData\Local\Temp\4d-95f6c-294-4c79a-14b0dbd274ce2\Pesoshucapu.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\d9-30501-6fc-6fb90-238a14895b5b9\Pylopalylae.exe
      "C:\Users\Admin\AppData\Local\Temp\d9-30501-6fc-6fb90-238a14895b5b9\Pylopalylae.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xscwrxjd.xlg\001.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3532
      - C:\Users\Admin\AppData\Local\Temp\xscwrxjd.xlg\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\xscwrxjd.xlg\001.exe
        6⤵
        Executes dropped EXE
        
        PID:5712
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zr4cwa3v.tou\GcleanerEU.exe /eufive & exit
        5⤵
        
        PID:5848
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s1n4usrh.udx\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Users\Admin\AppData\Local\Temp\s1n4usrh.udx\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\s1n4usrh.udx\installer.exe /qn CAMPAIGN="654"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:4372
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\s1n4usrh.udx\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\s1n4usrh.udx\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1621531114 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        7⤵
        
        PID:5616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aegv4pxr.zkg\hbggg.exe & exit
        5⤵
        
        PID:4268
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jctrjpyd.cap\Setup3310.exe /Verysilent /subid=623 & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4724
      - C:\Users\Admin\AppData\Local\Temp\jctrjpyd.cap\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\jctrjpyd.cap\Setup3310.exe /Verysilent /subid=623
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\is-R66HE.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-R66HE.tmp\Setup3310.tmp" /SL5="$20300,138429,56832,C:\Users\Admin\AppData\Local\Temp\jctrjpyd.cap\Setup3310.exe" /Verysilent /subid=623
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\is-N3B0F.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-N3B0F.tmp\Setup.exe" /Verysilent
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4852
        
        C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
        9⤵
        Executes dropped EXE
        
        PID:5208
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        10⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        10⤵
        Executes dropped EXE
        
        PID:4224
        
        C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
        9⤵
        Executes dropped EXE
        
        PID:5176
        
        C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"
        9⤵
        Executes dropped EXE
        
        PID:5480
        
        C:\Users\Admin\AppData\Roaming\8011998.exe
        
        "C:\Users\Admin\AppData\Roaming\8011998.exe"
        10⤵
        Executes dropped EXE
        
        PID:5252
        
        C:\Users\Admin\AppData\Roaming\6563883.exe
        
        "C:\Users\Admin\AppData\Roaming\6563883.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4292
        
        C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        11⤵
        
        PID:5520
        
        C:\Users\Admin\AppData\Roaming\7793598.exe
        
        "C:\Users\Admin\AppData\Roaming\7793598.exe"
        10⤵
        Executes dropped EXE
        
        PID:6140
        
        C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
        9⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        10⤵
        
        PID:4556
        
        C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        9⤵
        Executes dropped EXE
        
        PID:5448
        
        C:\Users\Admin\AppData\Local\Temp\is-PL82D.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PL82D.tmp\LabPicV3.tmp" /SL5="$203C2,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\is-P3DID.tmp\3316505.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-P3DID.tmp\3316505.exe" /S /UID=lab214
        11⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:4800
        
        C:\Program Files\Mozilla Firefox\BPNEGJIQBI\prolab.exe
        
        "C:\Program Files\Mozilla Firefox\BPNEGJIQBI\prolab.exe" /VERYSILENT
        12⤵
        Executes dropped EXE
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\is-NSGJI.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NSGJI.tmp\prolab.tmp" /SL5="$403BA,575243,216576,C:\Program Files\Mozilla Firefox\BPNEGJIQBI\prolab.exe" /VERYSILENT
        13⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\5d-1e3d7-1ce-968bd-faff191f5a309\Nomozhashoxo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5d-1e3d7-1ce-968bd-faff191f5a309\Nomozhashoxo.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4556
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1944
        13⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\52-f633e-afd-a4bbf-40f94ebbaeddf\Keshejepila.exe
        
        "C:\Users\Admin\AppData\Local\Temp\52-f633e-afd-a4bbf-40f94ebbaeddf\Keshejepila.exe"
        12⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
        9⤵
        Executes dropped EXE
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\Temp\is-N5S9Q.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-N5S9Q.tmp\lylal220.tmp" /SL5="$2041E,237286,153600,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5584
        
        C:\Users\Admin\AppData\Local\Temp\is-JD291.tmp\4_177039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-JD291.tmp\4_177039.exe" /S /UID=lylal220
        11⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:4860
        
        C:\Program Files\Uninstall Information\XSEOFOPUCV\irecord.exe
        
        "C:\Program Files\Uninstall Information\XSEOFOPUCV\irecord.exe" /VERYSILENT
        12⤵
        Executes dropped EXE
        
        PID:5656
        
        C:\Users\Admin\AppData\Local\Temp\is-D35GV.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-D35GV.tmp\irecord.tmp" /SL5="$303DC,6139911,56832,C:\Program Files\Uninstall Information\XSEOFOPUCV\irecord.exe" /VERYSILENT
        13⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:5864
        
        C:\Program Files (x86)\recording\i-record.exe
        
        "C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\02-1d4b4-5f7-a7e91-eb91bac50838b\Wipaeperyre.exe
        
        "C:\Users\Admin\AppData\Local\Temp\02-1d4b4-5f7-a7e91-eb91bac50838b\Wipaeperyre.exe"
        12⤵
        Executes dropped EXE
        
        PID:6060
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1936
        13⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\ac-22562-c63-89d80-4c8243ec9c2dd\Kerylushaeje.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ac-22562-c63-89d80-4c8243ec9c2dd\Kerylushaeje.exe"
        12⤵
        Executes dropped EXE
        
        PID:5744
        
        C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe" /Verysilent
        9⤵
        Executes dropped EXE
        
        PID:496
        
        C:\Users\Admin\AppData\Local\Temp\is-LICHD.tmp\Versium.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LICHD.tmp\Versium.tmp" /SL5="$30422,138429,56832,C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe" /Verysilent
        10⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\is-0RICD.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-0RICD.tmp\Setup.exe" /Verysilent
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        12⤵
        
        PID:5580
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pho5h3gy.lvp\google-game.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5284
      - C:\Users\Admin\AppData\Local\Temp\pho5h3gy.lvp\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\pho5h3gy.lvp\google-game.exe
        6⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",getname
        7⤵
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5572
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zvklsqtc.cu5\setup.exe & exit
        5⤵
        
        PID:5668
      - C:\Users\Admin\AppData\Local\Temp\zvklsqtc.cu5\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\zvklsqtc.cu5\setup.exe
        6⤵
        Executes dropped EXE
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\zvklsqtc.cu5\setup.exe"
        7⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        8⤵
        Runs ping.exe
        
        PID:4168
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dlr55ujv.nrp\GcleanerWW.exe /mixone & exit
        5⤵
        
        PID:4292
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c4aefckx.5hc\005.exe & exit
        5⤵
        
        PID:4828
      - C:\Users\Admin\AppData\Local\Temp\c4aefckx.5hc\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\c4aefckx.5hc\005.exe
        6⤵
        Executes dropped EXE
        
        PID:4280

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1064

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:676

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:68

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  PID:5796
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:5912

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5804

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5892

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4436

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A20174F53A7FBE2384DB15CF1D91C20D C
  2⤵
  - Loads dropped DLL
  PID:5260
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 13698B5B7E7A66156F609ACB32100C9E
  2⤵
  - Loads dropped DLL
  PID:5076
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:5416
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F1C8997A77AB79932930642482B259FD E Global\MSI0000
  2⤵
  PID:5256
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E95BDBAA9D4897BF0D9E7AF9946E4545 E Global\MSI0000
  2⤵
  PID:2268
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CC7132ED8D084E6CCA22BE3D46192FF0
  2⤵
  PID:2232

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad9055 /state1:0x41c64e6d
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5316

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5400

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Executes dropped EXE
PID:5324

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:4904

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4736

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5340

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Executes dropped EXE
PID:5520

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:5796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery