amadey | bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13

Analysis

max time kernel
141s
max time network
141s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
Size

1.9MB
MD5

eaa443f37443cb7221d63e0891243384
SHA1

d3242326b2ac1ae6e9817a49df33c3a79e209aee
SHA256

bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13
SHA512

8405c44c1eea8578224eb6495f689d66e4e2f6503c0bf08d3c111e4e307603a35089649296ebf89b76d339c9517a83133b741c655097a9fe319f25aae1f6afdb
SSDEEP

49152:6YyPZ96v5ohNyPiYPl5A7E2+P75+Zg6RenX1IAhTiz8wPT:kBSPiYNK7mP91/TOQ

Score

10^/10

amadey redline stealc e76b71 newbuild newlogs zov discovery evasion execution infostealer spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

newlogs

85.28.47.7:17210

Extracted

Family

stealc

Botnet

ZOV

http://40.86.87.10

Attributes

url_path
/108e010e8f91c38c.php

Extracted

Family

redline

Botnet

newbuild

185.215.113.67:40960

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe	family_redline
behavioral1/memory/1036-321-0x00000000012B0000-0x0000000001300000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe	family_redline
behavioral1/memory/1656-356-0x0000000001120000-0x0000000001170000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplong.exebef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3064 powershell.exe
Downloads MZ/PE file

pid	process
3064	powershell.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe

Executes dropped EXE 10 IoCs

Processes:

axplong.exestreamer.exeTpWWMUpe0LEV.exeFreshbuild.exeHkbsse.execrypt6.exenewlogs.exestealc_zov.exenewbuild.exeZharkBOT.exe

pid process

2292 axplong.exe
1376 streamer.exe
2060 TpWWMUpe0LEV.exe
2444 Freshbuild.exe
2288 Hkbsse.exe
2816 crypt6.exe
1036 newlogs.exe
1908 stealc_zov.exe
1656 newbuild.exe
804 ZharkBOT.exe

pid	process
2292	axplong.exe
1376	streamer.exe
2060	TpWWMUpe0LEV.exe
2444	Freshbuild.exe
2288	Hkbsse.exe
2816	crypt6.exe
1036	newlogs.exe
1908	stealc_zov.exe
1656	newbuild.exe
804	ZharkBOT.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	axplong.exe

Loads dropped DLL 19 IoCs

Processes:

bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exeaxplong.exeTpWWMUpe0LEV.exeFreshbuild.exeWerFault.exestealc_zov.exe

pid	process
2940	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
2292	axplong.exe
2292	axplong.exe
2292	axplong.exe
2060	TpWWMUpe0LEV.exe
2292	axplong.exe
2444	Freshbuild.exe
2292	axplong.exe
2292	axplong.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2292	axplong.exe
2292	axplong.exe
2292	axplong.exe
2292	axplong.exe
2292	axplong.exe
1908	stealc_zov.exe
1908	stealc_zov.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 bitbucket.org
5 bitbucket.org
56 bitbucket.org
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exeaxplong.exe

pid process

2940 bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
2292 axplong.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ZharkBOT.exe

description pid process target process

PID 804 set thread context of 1964 804 ZharkBOT.exe iexplore.exe
Drops file in Windows directory 2 IoCs

Processes:

bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exeFreshbuild.exe

description ioc process

File created C:\Windows\Tasks\axplong.job bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
File created C:\Windows\Tasks\Hkbsse.job Freshbuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2676 2816 WerFault.exe crypt6.exe

flow	ioc
4	bitbucket.org
5	bitbucket.org
56	bitbucket.org

description	pid	process	target process
PID 804 set thread context of 1964	804	ZharkBOT.exe	iexplore.exe

description	ioc	process
File created	C:\Windows\Tasks\axplong.job	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
File created	C:\Windows\Tasks\Hkbsse.job	Freshbuild.exe

pid	pid_target	process	target process
2676	2816	WerFault.exe	crypt6.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

stealc_zov.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_zov.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_zov.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

axplong.exenewbuild.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	axplong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	axplong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	axplong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	newbuild.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	axplong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	newbuild.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

1936 regedit.exe

pid	process
1936	regedit.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exeaxplong.exestealc_zov.exepowershell.exenewbuild.exe

pid	process
2940	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
2292	axplong.exe
1908	stealc_zov.exe
3064	powershell.exe
1656	newbuild.exe
1656	newbuild.exe
1656	newbuild.exe
1656	newbuild.exe
1656	newbuild.exe
1908	stealc_zov.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exenewbuild.exe

description pid process

Token: SeDebugPrivilege 3064 powershell.exe
Token: SeDebugPrivilege 1656 newbuild.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exeFreshbuild.exe

pid process

2940 bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
2444 Freshbuild.exe

description	pid	process
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1656	newbuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exeaxplong.exeFreshbuild.execrypt6.exeZharkBOT.exe

description	pid	process	target process
PID 2940 wrote to memory of 2292	2940	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe	axplong.exe
PID 2940 wrote to memory of 2292	2940	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe	axplong.exe
PID 2940 wrote to memory of 2292	2940	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe	axplong.exe
PID 2940 wrote to memory of 2292	2940	bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe	axplong.exe
PID 2292 wrote to memory of 1376	2292	axplong.exe	streamer.exe
PID 2292 wrote to memory of 1376	2292	axplong.exe	streamer.exe
PID 2292 wrote to memory of 1376	2292	axplong.exe	streamer.exe
PID 2292 wrote to memory of 1376	2292	axplong.exe	streamer.exe
PID 2292 wrote to memory of 2060	2292	axplong.exe	TpWWMUpe0LEV.exe
PID 2292 wrote to memory of 2060	2292	axplong.exe	TpWWMUpe0LEV.exe
PID 2292 wrote to memory of 2060	2292	axplong.exe	TpWWMUpe0LEV.exe
PID 2292 wrote to memory of 2060	2292	axplong.exe	TpWWMUpe0LEV.exe
PID 2292 wrote to memory of 2444	2292	axplong.exe	Freshbuild.exe
PID 2292 wrote to memory of 2444	2292	axplong.exe	Freshbuild.exe
PID 2292 wrote to memory of 2444	2292	axplong.exe	Freshbuild.exe
PID 2292 wrote to memory of 2444	2292	axplong.exe	Freshbuild.exe
PID 2444 wrote to memory of 2288	2444	Freshbuild.exe	Hkbsse.exe
PID 2444 wrote to memory of 2288	2444	Freshbuild.exe	Hkbsse.exe
PID 2444 wrote to memory of 2288	2444	Freshbuild.exe	Hkbsse.exe
PID 2444 wrote to memory of 2288	2444	Freshbuild.exe	Hkbsse.exe
PID 2292 wrote to memory of 2816	2292	axplong.exe	crypt6.exe
PID 2292 wrote to memory of 2816	2292	axplong.exe	crypt6.exe
PID 2292 wrote to memory of 2816	2292	axplong.exe	crypt6.exe
PID 2292 wrote to memory of 2816	2292	axplong.exe	crypt6.exe
PID 2816 wrote to memory of 2676	2816	crypt6.exe	WerFault.exe
PID 2816 wrote to memory of 2676	2816	crypt6.exe	WerFault.exe
PID 2816 wrote to memory of 2676	2816	crypt6.exe	WerFault.exe
PID 2816 wrote to memory of 2676	2816	crypt6.exe	WerFault.exe
PID 2292 wrote to memory of 1036	2292	axplong.exe	newlogs.exe
PID 2292 wrote to memory of 1036	2292	axplong.exe	newlogs.exe
PID 2292 wrote to memory of 1036	2292	axplong.exe	newlogs.exe
PID 2292 wrote to memory of 1036	2292	axplong.exe	newlogs.exe
PID 2292 wrote to memory of 1908	2292	axplong.exe	stealc_zov.exe
PID 2292 wrote to memory of 1908	2292	axplong.exe	stealc_zov.exe
PID 2292 wrote to memory of 1908	2292	axplong.exe	stealc_zov.exe
PID 2292 wrote to memory of 1908	2292	axplong.exe	stealc_zov.exe
PID 2292 wrote to memory of 1656	2292	axplong.exe	newbuild.exe
PID 2292 wrote to memory of 1656	2292	axplong.exe	newbuild.exe
PID 2292 wrote to memory of 1656	2292	axplong.exe	newbuild.exe
PID 2292 wrote to memory of 1656	2292	axplong.exe	newbuild.exe
PID 2292 wrote to memory of 804	2292	axplong.exe	ZharkBOT.exe
PID 2292 wrote to memory of 804	2292	axplong.exe	ZharkBOT.exe
PID 2292 wrote to memory of 804	2292	axplong.exe	ZharkBOT.exe
PID 2292 wrote to memory of 804	2292	axplong.exe	ZharkBOT.exe
PID 804 wrote to memory of 3064	804	ZharkBOT.exe	powershell.exe
PID 804 wrote to memory of 3064	804	ZharkBOT.exe	powershell.exe
PID 804 wrote to memory of 3064	804	ZharkBOT.exe	powershell.exe
PID 804 wrote to memory of 1324	804	ZharkBOT.exe	svchost.exe
PID 804 wrote to memory of 1324	804	ZharkBOT.exe	svchost.exe
PID 804 wrote to memory of 1324	804	ZharkBOT.exe	svchost.exe
PID 804 wrote to memory of 1324	804	ZharkBOT.exe	svchost.exe
PID 804 wrote to memory of 1324	804	ZharkBOT.exe	svchost.exe
PID 804 wrote to memory of 1324	804	ZharkBOT.exe	svchost.exe
PID 804 wrote to memory of 1324	804	ZharkBOT.exe	svchost.exe
PID 804 wrote to memory of 1324	804	ZharkBOT.exe	svchost.exe
PID 804 wrote to memory of 1936	804	ZharkBOT.exe	regedit.exe
PID 804 wrote to memory of 1936	804	ZharkBOT.exe	regedit.exe
PID 804 wrote to memory of 1936	804	ZharkBOT.exe	regedit.exe
PID 804 wrote to memory of 1936	804	ZharkBOT.exe	regedit.exe
PID 804 wrote to memory of 1936	804	ZharkBOT.exe	regedit.exe
PID 804 wrote to memory of 1936	804	ZharkBOT.exe	regedit.exe
PID 804 wrote to memory of 1936	804	ZharkBOT.exe	regedit.exe
PID 804 wrote to memory of 1936	804	ZharkBOT.exe	regedit.exe
PID 804 wrote to memory of 1916	804	ZharkBOT.exe	ilasm.exe

C:\Users\Admin\AppData\Local\Temp\bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe
"C:\Users\Admin\AppData\Local\Temp\bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2940

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe
"C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe"
3⤵
- Executes dropped EXE
PID:1376

C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
"C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060

C:\Users\Admin\AppData\Local\Temp\1000125001\Freshbuild.exe
"C:\Users\Admin\AppData\Local\Temp\1000125001\Freshbuild.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2444

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
4⤵
- Executes dropped EXE
PID:2288

C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe
"C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 96
4⤵
- Loads dropped DLL
- Program crash
PID:2676

C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe
"C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe"
3⤵
- Executes dropped EXE
PID:1036

C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe
"C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1908

C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe
"C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Local\Temp\1000149001\ZharkBOT.exe
"C:\Users\Admin\AppData\Local\Temp\1000149001\ZharkBOT.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\System32\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
PID:1324

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
4⤵
- Runs regedit.exe
PID:1936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
4⤵
PID:1916

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d1d04473b86e86e46d65cbd9b7293cb8

SHA1
4f1e9b942247619e65ba6962e4891a67d0b49538

SHA256
8d229d2f4e5f280d9e83321a44071b1d6d109061ebcaf9f4a521e577e569c6ce

SHA512
85169073d29d4504566be72c53e9414301cb13adcb9b4d7c1d0cdd77d1e92041ea90521e9547698145ef0a23a05a944ae8fbf9837bd6eb10c586c305a4bf79f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5bfd08b5070eeb084fab913a3ca2d96a

SHA1
8cf0dac66721c220eb0b6957ff8bb39641bc6a9d

SHA256
82cd1aee727e5e1e7379d1f3fbc58b19bbbbca56f3c651db9d9730bacfd69883

SHA512
9a7070c89c6381db7253debe325c415a4a800c747bb0d8de03becf15975fc0edf16afd68f6c0cd502faae3bc97d9265c7534c442e0bb041445085a17b0c9facf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe
Filesize
7.7MB

MD5
2bc0db539a8fab08bf4104eb7f2de7e7

SHA1
ff4a5defedb18c93ef815434b40e19b9452ca410

SHA256
ec84ec11567566db3ba9096df164f0b7a8217d50ffab16fa3642f8f12d759b04

SHA512
ffaeb6c876d2aeda75b6576d2b307964a7b5330a0ab73352a4c95ef18ac3b1b1bfff350805553833a754582ed54215337c376bce0abd44c117b5d8a0e1468d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
Filesize
1.2MB

MD5
242214131486132e33ceda794d66ca1f

SHA1
4ce34fd91f5c9e35b8694007b286635663ef9bf2

SHA256
bac402b5749b2da2211db6d2404c1c621ccd0c2e5d492eb6f973b3e2d38dd361

SHA512
031e0904d949cec515f2d6f2b5e4b9c0df03637787ff14f20c58e711c54eec77d1f22aa0cf0f6efd65362c1fc0066645d5d005c6a77fe5b169427cdd42555d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000115001\build.exe
Filesize
26KB

MD5
567aea368eda0f06377ba089e83f9f05

SHA1
4f5a315c217d76df6369d89251bffa2e9210a6a0

SHA256
537a4bc027569bc26f18bfdef926111a176f702c9e6eef2555073a417d33f896

SHA512
673b380a3d81bcc5090e0ae13abe5c0466cb847e7626304762713633a70a4355d33fdc619f0cfcc78383eb90b9d8b6b3d2ed756eab87b5abb7d795ce67268947

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000116001\FILE1.exe
Filesize
26KB

MD5
7b6304f1ac8f9ffe0fb9bf9dbc74cbd6

SHA1
7d4f5c73f936e476e490ba6182cd011b06769b1b

SHA256
d414465667daca42624c2ded25205ac0d0fabdc745d2fd5d279f239c193157a3

SHA512
f4e2ea2f93282e8d661dfc31a9ef894a6fcec248e8f6e07493dff231cdcecc5e39065f9fc0ef58c8233ffbea697112b379892f667bdaf9406064209194425ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000125001\Freshbuild.exe
Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe
Filesize
512KB

MD5
a957dc16d684fbd7e12fc87e8ee12fea

SHA1
20c73ccfdba13fd9b79c9e02432be39e48e4b37d

SHA256
071b6c448d2546dea8caed872fca0d002f59a6b9849f0de2a565fc74b487fa37

SHA512
fd6982587fba779d6febb84dfa65ec3e048e17733c2f01b61996bedb170bb4bb1cbb822c0dd2cf44a7e601373abaf499885b13b7957dd2a307bbd8f2120e9b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe
Filesize
297KB

MD5
0970456d2e2bcb36f49d23f5f2eec4ce

SHA1
1e427bbeb209b636371d17801b14fabff87921be

SHA256
264db4d677606c95912a93a457675d5ebaa24dc886da8bbcb800fe831c540a54

SHA512
43c233e6c6fb20ee5830672f68eec2a1930aff6c3da185b7af56ede90970041157755b8893a86336711c8ba8cbe3f22818de8ddc1789ed65a7aacd596771909e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe
Filesize
158KB

MD5
253ccac8a47b80287f651987c0c779ea

SHA1
11db405849dbaa9b3759de921835df20fab35bc3

SHA256
262a400b339deea5089433709ce559d23253e23d23c07595b515755114147e2f

SHA512
af40e01bc3d36baf47eba1d5d6406220dfbcc52c6123dd8450e709fed3e72bed82aac6257fa7bdf7dd774f182919a5051e9712b2e7f1329defd0b159cb08385d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe
Filesize
297KB

MD5
9ab4de8b2f2b99f009d32aa790cd091b

SHA1
a86b16ee4676850bac14c50ee698a39454d0231e

SHA256
8a254344702dc6560312a8028e08f844b16804b1fbf4c438c3ca5058d7b65ea1

SHA512
a79341ec3407529daa0384de4cac25b665d3b0cb81e52ecada0ebfe37d7616b16da96b47b04f50ce0a6e46d5fced3298a459f78a087c6b6eac4ed444434c5fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000149001\ZharkBOT.exe
Filesize
2.9MB

MD5
80958a4b85453f4df82ec131554a5412

SHA1
44cefe96467895934ec9d1c2461036704c971458

SHA256
70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783

SHA512
cab01e1d63b4ff9a8d35c48fddd18b0959068510b1ca0e66997ed2d59a34b8903f23d3b3736180b52130a325eda3665f9babe2dcad91308f16526e8812fee1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Filesize
1.9MB

MD5
eaa443f37443cb7221d63e0891243384

SHA1
d3242326b2ac1ae6e9817a49df33c3a79e209aee

SHA256
bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13

SHA512
8405c44c1eea8578224eb6495f689d66e4e2f6503c0bf08d3c111e4e307603a35089649296ebf89b76d339c9517a83133b741c655097a9fe319f25aae1f6afdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2AB0.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Roaming\d3d9.dll
Filesize
279KB

MD5
8fa26f1e37d3ff7f736fc93d520bc8ab

SHA1
ad532e1cb4a1b3cd82c7a85647f8f6dd99833bb1

SHA256
6c47da8fbd12f22d7272fbf223e054bf5093c0922d0e8fb7d6289a5913c2e45d

SHA512
8a0b53cbc3a20e2f0fd41c486b1af1fbbcf7f2fed9f7368b672a07f25faaa2568bbdbcf0841233ac8c473a4d1dee099e90bf6098a6fa15e44b8526efdafc1287

Download Submit
memory/1036-321-0x00000000012B0000-0x0000000001300000-memory.dmp

Filesize
320KB

Download
memory/1376-224-0x000000013FA40000-0x000000014028B000-memory.dmp

Filesize
8.3MB

Download
memory/1656-356-0x0000000001120000-0x0000000001170000-memory.dmp

Filesize
320KB

Download
memory/1908-466-0x0000000001200000-0x000000000143C000-memory.dmp

Filesize
2.2MB

Download
memory/1908-384-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1908-341-0x0000000001200000-0x000000000143C000-memory.dmp

Filesize
2.2MB

Download
memory/1964-415-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2060-241-0x0000000000CD0000-0x0000000000E02000-memory.dmp

Filesize
1.2MB

Download
memory/2292-468-0x0000000000250000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2292-474-0x0000000000250000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2292-17-0x0000000000250000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2292-339-0x0000000008190000-0x00000000083CC000-memory.dmp

Filesize
2.2MB

Download
memory/2292-338-0x0000000000250000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2292-304-0x0000000000250000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2292-340-0x0000000008190000-0x00000000083CC000-memory.dmp

Filesize
2.2MB

Download
memory/2292-477-0x0000000000250000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2292-476-0x0000000000250000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2292-475-0x0000000000250000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2292-18-0x0000000000251000-0x000000000027F000-memory.dmp

Filesize
184KB

Download
memory/2292-469-0x0000000000250000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2292-473-0x0000000000250000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2292-413-0x0000000000250000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2292-19-0x0000000000250000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2292-472-0x0000000000250000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2292-443-0x0000000000250000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2292-471-0x0000000000250000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2292-470-0x0000000000250000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2292-21-0x0000000000250000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2292-467-0x0000000000250000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2292-226-0x0000000000250000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2940-15-0x00000000010C0000-0x0000000001591000-memory.dmp

Filesize
4.8MB

Download
memory/2940-1-0x0000000077BC0000-0x0000000077BC2000-memory.dmp

Filesize
8KB

Download
memory/2940-0-0x00000000010C0000-0x0000000001591000-memory.dmp

Filesize
4.8MB

Download
memory/2940-2-0x00000000010C1000-0x00000000010EF000-memory.dmp

Filesize
184KB

Download
memory/2940-3-0x00000000010C0000-0x0000000001591000-memory.dmp

Filesize
4.8MB

Download
memory/2940-16-0x0000000007050000-0x0000000007521000-memory.dmp

Filesize
4.8MB

Download
memory/2940-5-0x00000000010C0000-0x0000000001591000-memory.dmp

Filesize
4.8MB

Download
memory/3064-405-0x0000000001C90000-0x0000000001C98000-memory.dmp

Filesize
32KB

Download
memory/3064-404-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download