amadey | 41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exe
Size

1.8MB
MD5

55b19090d710a3dcf61a66dfcc77e4c0
SHA1

91e38117b109fe49cb2a47d4e93940d4ac3bda9f
SHA256

41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9
SHA512

bbd119d358b72ac0c19a24c9b727c579d02b4175a978060d775cedd47d0053287045d3ec482bfc08e7730e477c5c54d962a9e09ab01429136b1f93608c68f5a9
SSDEEP

49152:/m7bTJzq9DKcvMdcqh1v1hC78EnLXtgNFZ:/uJevPo1v1hs8WX

Score

10^/10

amadey monster redline stealc vidar e76b71 newbuild newlogs zov discovery evasion infostealer spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

newlogs

85.28.47.7:17210

Extracted

Family

stealc

Botnet

ZOV

http://40.86.87.10

Attributes

url_path
/108e010e8f91c38c.php

Extracted

Family

redline

Botnet

newbuild

185.215.113.67:40960

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Detect Vidar Stealer 1 IoCs
stealer

Processes:

resource yara_rule

behavioral1/memory/2364-451-0x0000000000110000-0x000000000014A000-memory.dmp family_vidar_v7

resource	yara_rule
behavioral1/memory/2364-451-0x0000000000110000-0x000000000014A000-memory.dmp	family_vidar_v7

Detects Monster Stealer. 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\onefile_1092_133645297665400000\stub.exe	family_monster
behavioral1/memory/1036-450-0x000000013FF40000-0x000000014117E000-memory.dmp	family_monster

Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe	family_redline
behavioral1/memory/2956-208-0x0000000000E20000-0x0000000000E70000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe	family_redline
behavioral1/memory/2732-242-0x00000000000A0000-0x00000000000F0000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplong.exe41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe

Executes dropped EXE 15 IoCs

Processes:

axplong.exestreamer.exeTpWWMUpe0LEV.execrypt6.exenewlogs.exestealc_zov.exenewbuild.exeFreshbuild.exeHkbsse.exeleg222.exe1.exebuild1555.exestub.exeBitwarden-Installer-2024.exesurfshark.exe

pid	process
2816	axplong.exe
644	streamer.exe
628	TpWWMUpe0LEV.exe
1816	crypt6.exe
2956	newlogs.exe
3028	stealc_zov.exe
2732	newbuild.exe
3044	Freshbuild.exe
544	Hkbsse.exe
2932	leg222.exe
772	1.exe
1092	build1555.exe
1036	stub.exe
2364	Bitwarden-Installer-2024.exe
2728	surfshark.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine	41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exe
Key opened	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine	axplong.exe

Loads dropped DLL 29 IoCs

Processes:

41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exeaxplong.exeTpWWMUpe0LEV.exeWerFault.exeFreshbuild.exeWerFault.exeHkbsse.exebuild1555.exestealc_zov.exestub.exe

pid	process
2020	41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exe
2816	axplong.exe
2816	axplong.exe
628	TpWWMUpe0LEV.exe
2816	axplong.exe
2816	axplong.exe
284	WerFault.exe
284	WerFault.exe
284	WerFault.exe
2816	axplong.exe
2816	axplong.exe
2816	axplong.exe
2816	axplong.exe
2816	axplong.exe
3044	Freshbuild.exe
2816	axplong.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
544	Hkbsse.exe
544	Hkbsse.exe
2816	axplong.exe
1092	build1555.exe
544	Hkbsse.exe
3028	stealc_zov.exe
3028	stealc_zov.exe
1036	stub.exe
2816	axplong.exe
2816	axplong.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 bitbucket.org
5 bitbucket.org
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exeaxplong.exe

pid process

2020 41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exe
2816 axplong.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

streamer.exe

description pid process target process

PID 644 set thread context of 2096 644 streamer.exe BitLockerToGo.exe
Drops file in Windows directory 2 IoCs

Processes:

41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exeFreshbuild.exe

description ioc process

File created C:\Windows\Tasks\axplong.job 41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exe
File created C:\Windows\Tasks\Hkbsse.job Freshbuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

284 1816 WerFault.exe crypt6.exe
2036 2932 WerFault.exe leg222.exe

flow	ioc
4	bitbucket.org
5	bitbucket.org

description	pid	process	target process
PID 644 set thread context of 2096	644	streamer.exe	BitLockerToGo.exe

description	ioc	process
File created	C:\Windows\Tasks\axplong.job	41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exe
File created	C:\Windows\Tasks\Hkbsse.job	Freshbuild.exe

pid	pid_target	process	target process
284	1816	WerFault.exe	crypt6.exe
2036	2932	WerFault.exe	leg222.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

stealc_zov.exeBitwarden-Installer-2024.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_zov.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_zov.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Bitwarden-Installer-2024.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Bitwarden-Installer-2024.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2736 timeout.exe

pid	process
2736	timeout.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

axplong.exeHkbsse.exeBitwarden-Installer-2024.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Hkbsse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Hkbsse.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Bitwarden-Installer-2024.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	axplong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Hkbsse.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Hkbsse.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Hkbsse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Bitwarden-Installer-2024.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exeaxplong.exestealc_zov.exenewbuild.exeBitwarden-Installer-2024.exesurfshark.exe

pid	process
2020	41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exe
2816	axplong.exe
3028	stealc_zov.exe
2732	newbuild.exe
3028	stealc_zov.exe
2364	Bitwarden-Installer-2024.exe
2364	Bitwarden-Installer-2024.exe
2364	Bitwarden-Installer-2024.exe
2364	Bitwarden-Installer-2024.exe
2364	Bitwarden-Installer-2024.exe
2364	Bitwarden-Installer-2024.exe
2364	Bitwarden-Installer-2024.exe
2728	surfshark.exe
2728	surfshark.exe
2728	surfshark.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

newbuild.exesurfshark.exe

description pid process

Token: SeDebugPrivilege 2732 newbuild.exe
Token: SeShutdownPrivilege 2728 surfshark.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exeFreshbuild.exe

pid process

2020 41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exe
3044 Freshbuild.exe

description	pid	process
Token: SeDebugPrivilege	2732	newbuild.exe
Token: SeShutdownPrivilege	2728	surfshark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exeaxplong.execrypt6.exeFreshbuild.exeleg222.exestreamer.exeHkbsse.exebuild1555.exe

description	pid	process	target process
PID 2020 wrote to memory of 2816	2020	41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exe	axplong.exe
PID 2020 wrote to memory of 2816	2020	41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exe	axplong.exe
PID 2020 wrote to memory of 2816	2020	41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exe	axplong.exe
PID 2020 wrote to memory of 2816	2020	41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exe	axplong.exe
PID 2816 wrote to memory of 644	2816	axplong.exe	streamer.exe
PID 2816 wrote to memory of 644	2816	axplong.exe	streamer.exe
PID 2816 wrote to memory of 644	2816	axplong.exe	streamer.exe
PID 2816 wrote to memory of 644	2816	axplong.exe	streamer.exe
PID 2816 wrote to memory of 628	2816	axplong.exe	TpWWMUpe0LEV.exe
PID 2816 wrote to memory of 628	2816	axplong.exe	TpWWMUpe0LEV.exe
PID 2816 wrote to memory of 628	2816	axplong.exe	TpWWMUpe0LEV.exe
PID 2816 wrote to memory of 628	2816	axplong.exe	TpWWMUpe0LEV.exe
PID 2816 wrote to memory of 1816	2816	axplong.exe	crypt6.exe
PID 2816 wrote to memory of 1816	2816	axplong.exe	crypt6.exe
PID 2816 wrote to memory of 1816	2816	axplong.exe	crypt6.exe
PID 2816 wrote to memory of 1816	2816	axplong.exe	crypt6.exe
PID 1816 wrote to memory of 284	1816	crypt6.exe	WerFault.exe
PID 1816 wrote to memory of 284	1816	crypt6.exe	WerFault.exe
PID 1816 wrote to memory of 284	1816	crypt6.exe	WerFault.exe
PID 1816 wrote to memory of 284	1816	crypt6.exe	WerFault.exe
PID 2816 wrote to memory of 2956	2816	axplong.exe	newlogs.exe
PID 2816 wrote to memory of 2956	2816	axplong.exe	newlogs.exe
PID 2816 wrote to memory of 2956	2816	axplong.exe	newlogs.exe
PID 2816 wrote to memory of 2956	2816	axplong.exe	newlogs.exe
PID 2816 wrote to memory of 3028	2816	axplong.exe	stealc_zov.exe
PID 2816 wrote to memory of 3028	2816	axplong.exe	stealc_zov.exe
PID 2816 wrote to memory of 3028	2816	axplong.exe	stealc_zov.exe
PID 2816 wrote to memory of 3028	2816	axplong.exe	stealc_zov.exe
PID 2816 wrote to memory of 2732	2816	axplong.exe	newbuild.exe
PID 2816 wrote to memory of 2732	2816	axplong.exe	newbuild.exe
PID 2816 wrote to memory of 2732	2816	axplong.exe	newbuild.exe
PID 2816 wrote to memory of 2732	2816	axplong.exe	newbuild.exe
PID 2816 wrote to memory of 3044	2816	axplong.exe	Freshbuild.exe
PID 2816 wrote to memory of 3044	2816	axplong.exe	Freshbuild.exe
PID 2816 wrote to memory of 3044	2816	axplong.exe	Freshbuild.exe
PID 2816 wrote to memory of 3044	2816	axplong.exe	Freshbuild.exe
PID 3044 wrote to memory of 544	3044	Freshbuild.exe	Hkbsse.exe
PID 3044 wrote to memory of 544	3044	Freshbuild.exe	Hkbsse.exe
PID 3044 wrote to memory of 544	3044	Freshbuild.exe	Hkbsse.exe
PID 3044 wrote to memory of 544	3044	Freshbuild.exe	Hkbsse.exe
PID 2816 wrote to memory of 2932	2816	axplong.exe	leg222.exe
PID 2816 wrote to memory of 2932	2816	axplong.exe	leg222.exe
PID 2816 wrote to memory of 2932	2816	axplong.exe	leg222.exe
PID 2816 wrote to memory of 2932	2816	axplong.exe	leg222.exe
PID 2932 wrote to memory of 2036	2932	leg222.exe	WerFault.exe
PID 2932 wrote to memory of 2036	2932	leg222.exe	WerFault.exe
PID 2932 wrote to memory of 2036	2932	leg222.exe	WerFault.exe
PID 2932 wrote to memory of 2036	2932	leg222.exe	WerFault.exe
PID 644 wrote to memory of 2096	644	streamer.exe	BitLockerToGo.exe
PID 644 wrote to memory of 2096	644	streamer.exe	BitLockerToGo.exe
PID 644 wrote to memory of 2096	644	streamer.exe	BitLockerToGo.exe
PID 644 wrote to memory of 2096	644	streamer.exe	BitLockerToGo.exe
PID 644 wrote to memory of 2096	644	streamer.exe	BitLockerToGo.exe
PID 644 wrote to memory of 2096	644	streamer.exe	BitLockerToGo.exe
PID 544 wrote to memory of 772	544	Hkbsse.exe	1.exe
PID 544 wrote to memory of 772	544	Hkbsse.exe	1.exe
PID 544 wrote to memory of 772	544	Hkbsse.exe	1.exe
PID 544 wrote to memory of 772	544	Hkbsse.exe	1.exe
PID 2816 wrote to memory of 1092	2816	axplong.exe	build1555.exe
PID 2816 wrote to memory of 1092	2816	axplong.exe	build1555.exe
PID 2816 wrote to memory of 1092	2816	axplong.exe	build1555.exe
PID 2816 wrote to memory of 1092	2816	axplong.exe	build1555.exe
PID 1092 wrote to memory of 1036	1092	build1555.exe	stub.exe
PID 1092 wrote to memory of 1036	1092	build1555.exe	stub.exe

C:\Users\Admin\AppData\Local\Temp\41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exe
"C:\Users\Admin\AppData\Local\Temp\41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2816

C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe
"C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
"C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:628

C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe
"C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 96
4⤵
- Loads dropped DLL
- Program crash
PID:284

C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe
"C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe"
3⤵
- Executes dropped EXE
PID:2956

C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe
"C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3028

C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe
"C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Users\Admin\AppData\Local\Temp\1000153001\Freshbuild.exe
"C:\Users\Admin\AppData\Local\Temp\1000153001\Freshbuild.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Local\Temp\1000034001\1.exe
"C:\Users\Admin\AppData\Local\Temp\1000034001\1.exe"
5⤵
- Executes dropped EXE
PID:772

C:\Users\Admin\AppData\Local\Temp\1000035001\Bitwarden-Installer-2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000035001\Bitwarden-Installer-2024.exe"
5⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IDBFHJDAAFBA" & exit
6⤵
PID:2896

C:\Windows\SysWOW64\timeout.exe
timeout /t 10
7⤵
- Delays execution with timeout.exe
PID:2736

C:\Users\Admin\AppData\Local\Temp\1000160001\leg222.exe
"C:\Users\Admin\AppData\Local\Temp\1000160001\leg222.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 96
4⤵
- Loads dropped DLL
- Program crash
PID:2036

C:\Users\Admin\AppData\Local\Temp\1000161001\build1555.exe
"C:\Users\Admin\AppData\Local\Temp\1000161001\build1555.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\onefile_1092_133645297665400000\stub.exe
"C:\Users\Admin\AppData\Local\Temp\1000161001\build1555.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036

C:\Users\Admin\AppData\Local\Temp\1000164001\surfshark.exe
"C:\Users\Admin\AppData\Local\Temp\1000164001\surfshark.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IDBFHJDAAFBA\KFIJEG
Filesize
6KB

MD5
edb266f41b834bf6b14df0f86bc6f440

SHA1
9a8191c2d1c98803aa7679e0db9d73c9dad0967b

SHA256
fae7e22425697b055f35edf1623f096e16eb5524e936ae6de970e3d8f83ad135

SHA512
ca121c496cd084e427a3ca045a477278ee39fbb96432f84f423de6328d4bbd96d7be7ce8015e514d1684504d0cc384b967f33cdaa580a9662a5999509384bad4

Download Submit
C:\ProgramData\IDBFHJDAAFBA\KJEGCF
Filesize
92KB

MD5
3a2feb999ad792e015e25e8c38908eab

SHA1
c85cc871fa901f173c9a47219cd637af24580916

SHA256
f82d27cccefad6d38fe3943e61f6f5dd926348adf6bba720e58a1b1f9b66ca6b

SHA512
b34ce1bd162fc8e9c61dbb92f3d208d1236bfff7b53cecf62b2fc581d09ab8e544687de95aeff2de7ef9e8896353c57238725069c0b6ee979146dd0e497dce16

Download Submit
C:\ProgramData\freebl3.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
Filesize
471B

MD5
07171e55903089795b7dcb44d4cfa530

SHA1
e7c21d281725972fe2540f5ba9bd74327b8db293

SHA256
ed42022229b5b40c251f18acaa9554d9979958617a403c5e2be6989dff0fc0e0

SHA512
7ef17e467d308d59ff8bc5ad07fbe29a34c678e2bd0a31ff41245e48a7b46bf7e9174362d8ebedf45f4d002c6e67abab818d0d29f41edcb587d33764cc035e81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
986e0c8c4335c9eae07b0407aa26089e

SHA1
6f28c43bd37d05a6b0a457e48c5baeaac4d07430

SHA256
301a714f6301733601393ef7c2e2187de89c97987e90c54664b59f376de0e090

SHA512
e2de7f83b3bce8747a21873820f78185f7fffd410e214501c83e835f28d879340df12e3c69d1fa224abeca910894c78aedf536f08d2fac92469caaf362fbef1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8b7b3b8d34ce4db10aeed8ec33f7b8b0

SHA1
8f685e2d6ee26caa59ab03d7e7c5f54923bd04ac

SHA256
4848de4d46411747d470ed69badd6be26f9196890ad01fd0769606cda29600ed

SHA512
67e11fa55d2bbad3f9241444a1aef085d3b884c02a6fcc0cf508b9a9f6707af8541e532333e2f26e9bf7f5e914f46a829694f429428f9473fd9d92c8efa09e31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
Filesize
400B

MD5
7d9afc477355c2c2220bb45354e83988

SHA1
bf1bd3d95124c69bb7ae5c79af4a038c460ba5a1

SHA256
874f140846417443dad25d1635a3df823ab1accab2deaabd7fcc4c8a8d54f6cc

SHA512
d935c581940bf0a06100f41125acb345d8985db8afcd51652098ecddecb35357cac09226b3878073353232e457fea9e152cf8bbc23b74238b6e5b012589468a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000034001\1.exe
Filesize
220KB

MD5
990159d65a7268e9f9da50e115e7fcec

SHA1
ce4ef81f35dae8b12628d6588534a4510c429776

SHA256
9b5bb6664b66132e313e9f3e6bf35452008d2e47a91913918a633b348133b617

SHA512
50e1c5ccdf2630abdc8896190cfdda54316a343e7ac245ae77490acefd13cd1634786099eb7b1e0cc4c4a676a0eac70c2126670638af79710f204e34b3c3d4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\Bitwarden-Installer-2024.exe
Filesize
4.9MB

MD5
06e9439beabd1813ff13295adbba48ff

SHA1
f70c1c806fcb2fbbd97d4c9ecf7c473b3dc957da

SHA256
47eb2e1f94933fc6da9cf436804c0a303c539de3ce93c7dfaa6b427625447a22

SHA512
3143051b25bce1e2a80dc11006398309d09308ae6542e0e20c1c3e95947ea798d176ea75c8a53265846a902b2d0f9e81dc315e1343ec7d5b7fd4e16d77d7d118

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe
Filesize
4.9MB

MD5
2502f2fb88c1ea569c0b4287ae0613f3

SHA1
aae526d8ce17f59366b57d5d00ab5d14140cd6b5

SHA256
6c3496832cdffffedde13f9c75138ee62dd968eaa26bc23e1cbc082e638c3513

SHA512
7c0e3a6f8322aafa90533bcd2ff5ab2b167ef7c1c8412710c4b3a3b4643cdb0412cf93c561ce1c01a1057643bda336fd3fa64e3a7373d41cc25319d5190ca2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
Filesize
1.2MB

MD5
242214131486132e33ceda794d66ca1f

SHA1
4ce34fd91f5c9e35b8694007b286635663ef9bf2

SHA256
bac402b5749b2da2211db6d2404c1c621ccd0c2e5d492eb6f973b3e2d38dd361

SHA512
031e0904d949cec515f2d6f2b5e4b9c0df03637787ff14f20c58e711c54eec77d1f22aa0cf0f6efd65362c1fc0066645d5d005c6a77fe5b169427cdd42555d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe
Filesize
512KB

MD5
a957dc16d684fbd7e12fc87e8ee12fea

SHA1
20c73ccfdba13fd9b79c9e02432be39e48e4b37d

SHA256
071b6c448d2546dea8caed872fca0d002f59a6b9849f0de2a565fc74b487fa37

SHA512
fd6982587fba779d6febb84dfa65ec3e048e17733c2f01b61996bedb170bb4bb1cbb822c0dd2cf44a7e601373abaf499885b13b7957dd2a307bbd8f2120e9b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe
Filesize
297KB

MD5
0970456d2e2bcb36f49d23f5f2eec4ce

SHA1
1e427bbeb209b636371d17801b14fabff87921be

SHA256
264db4d677606c95912a93a457675d5ebaa24dc886da8bbcb800fe831c540a54

SHA512
43c233e6c6fb20ee5830672f68eec2a1930aff6c3da185b7af56ede90970041157755b8893a86336711c8ba8cbe3f22818de8ddc1789ed65a7aacd596771909e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe
Filesize
158KB

MD5
253ccac8a47b80287f651987c0c779ea

SHA1
11db405849dbaa9b3759de921835df20fab35bc3

SHA256
262a400b339deea5089433709ce559d23253e23d23c07595b515755114147e2f

SHA512
af40e01bc3d36baf47eba1d5d6406220dfbcc52c6123dd8450e709fed3e72bed82aac6257fa7bdf7dd774f182919a5051e9712b2e7f1329defd0b159cb08385d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe
Filesize
297KB

MD5
9ab4de8b2f2b99f009d32aa790cd091b

SHA1
a86b16ee4676850bac14c50ee698a39454d0231e

SHA256
8a254344702dc6560312a8028e08f844b16804b1fbf4c438c3ca5058d7b65ea1

SHA512
a79341ec3407529daa0384de4cac25b665d3b0cb81e52ecada0ebfe37d7616b16da96b47b04f50ce0a6e46d5fced3298a459f78a087c6b6eac4ed444434c5fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000153001\Freshbuild.exe
Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000160001\leg222.exe
Filesize
1.1MB

MD5
5486fd5b8200f34b23f23a21f8912ade

SHA1
379f7b095751116c9a6c56d0945ca12ae122d253

SHA256
1ecf603a32b23fdf06e0260f314f5390e9c062d74fa2fe65b05754e83c41df46

SHA512
e9ad33509efc7303b09a9633f9f6136bba807deca3b9032a91475a66c038b4a1df44e036d9f7acae63f1854df65d47c00c59e6e3d79e7c44a5a6ae631c512f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000161001\build1555.exe
Filesize
10.7MB

MD5
6b1eb54b0153066ddbe5595a58e40536

SHA1
adf81c3104e5d62853fa82c2bd9b0a5becb4589a

SHA256
d39627a497bf5f7e89642ef14bb0134193bc12ad18a2eadddf305c4f8d69b0b8

SHA512
104faaa4085c9173274d4e0e468eaf75fb22c4cfe38226e4594e6aa0a1dcb148bde7e5e0756b664f14b680872d2476340ebd69fac883d8e99b20acfb5f5dbf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000164001\surfshark.exe
Filesize
1.1MB

MD5
8569ef968c0c4045782e1ef4ecc96fec

SHA1
6f59472c780116468aa2953f8286c89c3188457e

SHA256
1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334

SHA512
4c9be25acce42fd404ad213cacc823d927e7c3249613771c1644a9054ff49e3edc0f4695240d067af49baf049546a2014fbe7966a37950c6d68d9f5c740e8af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab29F0.tmp
Filesize
67KB

MD5
2d3dcf90f6c99f47e7593ea250c9e749

SHA1
51be82be4a272669983313565b4940d4b1385237

SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2B2F.tmp
Filesize
160KB

MD5
7186ad693b8ad9444401bd9bcd2217c2

SHA1
5c28ca10a650f6026b0df4737078fa4197f3bac1

SHA256
9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

SHA512
135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1092_133645297665400000\python310.dll
Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1092_133645297665400000\stub.exe
Filesize
18.0MB

MD5
f0587004f479243c18d0ccff0665d7f6

SHA1
b3014badadfffdd6be2931a77a9df4673750fee7

SHA256
8ce148c264ce50e64ab866e34759de81b816a3f54b21c3426513bed3f239649a

SHA512
6dedaa729ee93520907ce46054f0573fb887ac0890bea9d1d22382e9d05f8c14a8c151fe2061a0ec1dae791b13752e0fbc00ccc85838caa7524edba35d469434

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Filesize
1.8MB

MD5
55b19090d710a3dcf61a66dfcc77e4c0

SHA1
91e38117b109fe49cb2a47d4e93940d4ac3bda9f

SHA256
41b271f1e5ec5cf3ee214bcfe5611d1f11242e1018823f097fa9a102c25a19f9

SHA512
bbd119d358b72ac0c19a24c9b727c579d02b4175a978060d775cedd47d0053287045d3ec482bfc08e7730e477c5c54d962a9e09ab01429136b1f93608c68f5a9

Download Submit
\Users\Admin\AppData\Roaming\d3d9.dll
Filesize
279KB

MD5
8fa26f1e37d3ff7f736fc93d520bc8ab

SHA1
ad532e1cb4a1b3cd82c7a85647f8f6dd99833bb1

SHA256
6c47da8fbd12f22d7272fbf223e054bf5093c0922d0e8fb7d6289a5913c2e45d

SHA512
8a0b53cbc3a20e2f0fd41c486b1af1fbbcf7f2fed9f7368b672a07f25faaa2568bbdbcf0841233ac8c473a4d1dee099e90bf6098a6fa15e44b8526efdafc1287

Download Submit
memory/628-169-0x0000000000B80000-0x0000000000CB2000-memory.dmp

Filesize
1.2MB

Download
memory/644-301-0x000000013FAA0000-0x000000013FFEB000-memory.dmp

Filesize
5.3MB

Download
memory/644-329-0x000000013FAA0000-0x000000013FFEB000-memory.dmp

Filesize
5.3MB

Download
memory/772-356-0x0000000000400000-0x0000000002BF0000-memory.dmp

Filesize
39.9MB

Download
memory/1036-450-0x000000013FF40000-0x000000014117E000-memory.dmp

Filesize
18.2MB

Download
memory/1092-487-0x000000013F690000-0x0000000140168000-memory.dmp

Filesize
10.8MB

Download
memory/2020-0-0x0000000000B20000-0x0000000000FE8000-memory.dmp

Filesize
4.8MB

Download
memory/2020-1-0x0000000077500000-0x0000000077502000-memory.dmp

Filesize
8KB

Download
memory/2020-2-0x0000000000B21000-0x0000000000B4F000-memory.dmp

Filesize
184KB

Download
memory/2020-3-0x0000000000B20000-0x0000000000FE8000-memory.dmp

Filesize
4.8MB

Download
memory/2020-5-0x0000000000B20000-0x0000000000FE8000-memory.dmp

Filesize
4.8MB

Download
memory/2020-16-0x0000000007210000-0x00000000076D8000-memory.dmp

Filesize
4.8MB

Download
memory/2020-15-0x0000000000B20000-0x0000000000FE8000-memory.dmp

Filesize
4.8MB

Download
memory/2096-324-0x0000000000110000-0x0000000000167000-memory.dmp

Filesize
348KB

Download
memory/2096-327-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2096-328-0x0000000000110000-0x0000000000167000-memory.dmp

Filesize
348KB

Download
memory/2096-326-0x0000000000110000-0x0000000000167000-memory.dmp

Filesize
348KB

Download
memory/2364-451-0x0000000000110000-0x000000000014A000-memory.dmp

Filesize
232KB

Download
memory/2364-626-0x0000000010F80000-0x00000000111DF000-memory.dmp

Filesize
2.4MB

Download
memory/2732-242-0x00000000000A0000-0x00000000000F0000-memory.dmp

Filesize
320KB

Download
memory/2816-889-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-895-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-21-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-19-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-448-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-335-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-896-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-18-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-225-0x0000000006E80000-0x00000000070BC000-memory.dmp

Filesize
2.2MB

Download
memory/2816-608-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-17-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-894-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-897-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-182-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-258-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-334-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-333-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-781-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-226-0x0000000006E80000-0x00000000070BC000-memory.dmp

Filesize
2.2MB

Download
memory/2816-410-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-890-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-891-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-892-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2816-893-0x0000000000B00000-0x0000000000FC8000-memory.dmp

Filesize
4.8MB

Download
memory/2956-208-0x0000000000E20000-0x0000000000E70000-memory.dmp

Filesize
320KB

Download
memory/3028-227-0x0000000001280000-0x00000000014BC000-memory.dmp

Filesize
2.2MB

Download
memory/3028-287-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3028-449-0x0000000001280000-0x00000000014BC000-memory.dmp

Filesize
2.2MB

Download