redline | b7d90af673351324e7a9a93337196e090637845173b8c7bf4eef4466ffd57ddd

Analysis

max time kernel
112s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7d90af673351324e7a9a93337196e090637845173b8c7bf4eef4466ffd57ddd.exe
Size

773KB
MD5

a07d45122445de22b25506dd6f18fa91
SHA1

a03fefa1a468d9630761d0056461d83a9a2099b7
SHA256

b7d90af673351324e7a9a93337196e090637845173b8c7bf4eef4466ffd57ddd
SHA512

ac996aeb4c9c676626ec543639f20d79e6c84ae180617a84bfa581a5902bc11eb84865a50225cebb3fb8a9d15de6303f3e2407e00c181841563ce088fc1c7d63
SSDEEP

12288:FMrpy905Gm0bBtH3Yo4WsbYBxyNm0o3rR5k3AvmjEqjuGBE3GSSlFq7E:UyTFViBccCrwO8dGGSKoI

Score

10^/10

redline maxi sheron discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.129:19068

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a3360566.exeAppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a3360566.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3360566.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3360566.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3360566.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3360566.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3360566.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d3422578.exelamod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	d3422578.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	lamod.exe

Executes dropped EXE 11 IoCs

Processes:

v6607349.exev7259340.exev2271658.exea3360566.exeb4955046.exec9163919.exed3422578.exelamod.exee8258406.exelamod.exelamod.exe

pid	process
2116	v6607349.exe
112	v7259340.exe
2920	v2271658.exe
2876	a3360566.exe
628	b4955046.exe
4596	c9163919.exe
1192	d3422578.exe
5056	lamod.exe
2404	e8258406.exe
224	lamod.exe
5048	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5064 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a3360566.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a3360566.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5064	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3360566.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b7d90af673351324e7a9a93337196e090637845173b8c7bf4eef4466ffd57ddd.exev6607349.exev7259340.exev2271658.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b7d90af673351324e7a9a93337196e090637845173b8c7bf4eef4466ffd57ddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b7d90af673351324e7a9a93337196e090637845173b8c7bf4eef4466ffd57ddd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6607349.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6607349.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7259340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7259340.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2271658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2271658.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

b4955046.exee8258406.exe

description	pid	process	target process
PID 628 set thread context of 4084	628	b4955046.exe	AppLaunch.exe
PID 2404 set thread context of 1948	2404	e8258406.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4396 628 WerFault.exe b4955046.exe
4624 2404 WerFault.exe e8258406.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2800 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a3360566.exeAppLaunch.exec9163919.exeAppLaunch.exe

pid process

2876 a3360566.exe
2876 a3360566.exe
4084 AppLaunch.exe
4084 AppLaunch.exe
4596 c9163919.exe
4596 c9163919.exe
1948 AppLaunch.exe
1948 AppLaunch.exe

pid	pid_target	process	target process
4396	628	WerFault.exe	b4955046.exe
4624	2404	WerFault.exe	e8258406.exe

pid	process
2800	schtasks.exe

pid	process
2876	a3360566.exe
2876	a3360566.exe
4084	AppLaunch.exe
4084	AppLaunch.exe
4596	c9163919.exe
4596	c9163919.exe
1948	AppLaunch.exe
1948	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a3360566.exeAppLaunch.exec9163919.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2876	a3360566.exe
Token: SeDebugPrivilege	4084	AppLaunch.exe
Token: SeDebugPrivilege	4596	c9163919.exe
Token: SeDebugPrivilege	1948	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d3422578.exe

pid process

1192 d3422578.exe

pid	process
1192	d3422578.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

b7d90af673351324e7a9a93337196e090637845173b8c7bf4eef4466ffd57ddd.exev6607349.exev7259340.exev2271658.exeb4955046.exed3422578.exelamod.exee8258406.execmd.exe

description	pid	process	target process
PID 1696 wrote to memory of 2116	1696	b7d90af673351324e7a9a93337196e090637845173b8c7bf4eef4466ffd57ddd.exe	v6607349.exe
PID 1696 wrote to memory of 2116	1696	b7d90af673351324e7a9a93337196e090637845173b8c7bf4eef4466ffd57ddd.exe	v6607349.exe
PID 1696 wrote to memory of 2116	1696	b7d90af673351324e7a9a93337196e090637845173b8c7bf4eef4466ffd57ddd.exe	v6607349.exe
PID 2116 wrote to memory of 112	2116	v6607349.exe	v7259340.exe
PID 2116 wrote to memory of 112	2116	v6607349.exe	v7259340.exe
PID 2116 wrote to memory of 112	2116	v6607349.exe	v7259340.exe
PID 112 wrote to memory of 2920	112	v7259340.exe	v2271658.exe
PID 112 wrote to memory of 2920	112	v7259340.exe	v2271658.exe
PID 112 wrote to memory of 2920	112	v7259340.exe	v2271658.exe
PID 2920 wrote to memory of 2876	2920	v2271658.exe	a3360566.exe
PID 2920 wrote to memory of 2876	2920	v2271658.exe	a3360566.exe
PID 2920 wrote to memory of 628	2920	v2271658.exe	b4955046.exe
PID 2920 wrote to memory of 628	2920	v2271658.exe	b4955046.exe
PID 2920 wrote to memory of 628	2920	v2271658.exe	b4955046.exe
PID 628 wrote to memory of 4084	628	b4955046.exe	AppLaunch.exe
PID 628 wrote to memory of 4084	628	b4955046.exe	AppLaunch.exe
PID 628 wrote to memory of 4084	628	b4955046.exe	AppLaunch.exe
PID 628 wrote to memory of 4084	628	b4955046.exe	AppLaunch.exe
PID 628 wrote to memory of 4084	628	b4955046.exe	AppLaunch.exe
PID 112 wrote to memory of 4596	112	v7259340.exe	c9163919.exe
PID 112 wrote to memory of 4596	112	v7259340.exe	c9163919.exe
PID 112 wrote to memory of 4596	112	v7259340.exe	c9163919.exe
PID 2116 wrote to memory of 1192	2116	v6607349.exe	d3422578.exe
PID 2116 wrote to memory of 1192	2116	v6607349.exe	d3422578.exe
PID 2116 wrote to memory of 1192	2116	v6607349.exe	d3422578.exe
PID 1192 wrote to memory of 5056	1192	d3422578.exe	lamod.exe
PID 1192 wrote to memory of 5056	1192	d3422578.exe	lamod.exe
PID 1192 wrote to memory of 5056	1192	d3422578.exe	lamod.exe
PID 1696 wrote to memory of 2404	1696	b7d90af673351324e7a9a93337196e090637845173b8c7bf4eef4466ffd57ddd.exe	e8258406.exe
PID 1696 wrote to memory of 2404	1696	b7d90af673351324e7a9a93337196e090637845173b8c7bf4eef4466ffd57ddd.exe	e8258406.exe
PID 1696 wrote to memory of 2404	1696	b7d90af673351324e7a9a93337196e090637845173b8c7bf4eef4466ffd57ddd.exe	e8258406.exe
PID 5056 wrote to memory of 2800	5056	lamod.exe	schtasks.exe
PID 5056 wrote to memory of 2800	5056	lamod.exe	schtasks.exe
PID 5056 wrote to memory of 2800	5056	lamod.exe	schtasks.exe
PID 5056 wrote to memory of 1800	5056	lamod.exe	cmd.exe
PID 5056 wrote to memory of 1800	5056	lamod.exe	cmd.exe
PID 5056 wrote to memory of 1800	5056	lamod.exe	cmd.exe
PID 2404 wrote to memory of 1948	2404	e8258406.exe	AppLaunch.exe
PID 2404 wrote to memory of 1948	2404	e8258406.exe	AppLaunch.exe
PID 2404 wrote to memory of 1948	2404	e8258406.exe	AppLaunch.exe
PID 2404 wrote to memory of 1948	2404	e8258406.exe	AppLaunch.exe
PID 1800 wrote to memory of 1960	1800	cmd.exe	cmd.exe
PID 1800 wrote to memory of 1960	1800	cmd.exe	cmd.exe
PID 1800 wrote to memory of 1960	1800	cmd.exe	cmd.exe
PID 1800 wrote to memory of 1784	1800	cmd.exe	cacls.exe
PID 1800 wrote to memory of 1784	1800	cmd.exe	cacls.exe
PID 1800 wrote to memory of 1784	1800	cmd.exe	cacls.exe
PID 2404 wrote to memory of 1948	2404	e8258406.exe	AppLaunch.exe
PID 1800 wrote to memory of 3204	1800	cmd.exe	cacls.exe
PID 1800 wrote to memory of 3204	1800	cmd.exe	cacls.exe
PID 1800 wrote to memory of 3204	1800	cmd.exe	cacls.exe
PID 1800 wrote to memory of 4284	1800	cmd.exe	cmd.exe
PID 1800 wrote to memory of 4284	1800	cmd.exe	cmd.exe
PID 1800 wrote to memory of 4284	1800	cmd.exe	cmd.exe
PID 1800 wrote to memory of 5104	1800	cmd.exe	cacls.exe
PID 1800 wrote to memory of 5104	1800	cmd.exe	cacls.exe
PID 1800 wrote to memory of 5104	1800	cmd.exe	cacls.exe
PID 1800 wrote to memory of 528	1800	cmd.exe	cacls.exe
PID 1800 wrote to memory of 528	1800	cmd.exe	cacls.exe
PID 1800 wrote to memory of 528	1800	cmd.exe	cacls.exe
PID 5056 wrote to memory of 5064	5056	lamod.exe	rundll32.exe
PID 5056 wrote to memory of 5064	5056	lamod.exe	rundll32.exe
PID 5056 wrote to memory of 5064	5056	lamod.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b7d90af673351324e7a9a93337196e090637845173b8c7bf4eef4466ffd57ddd.exe
"C:\Users\Admin\AppData\Local\Temp\b7d90af673351324e7a9a93337196e090637845173b8c7bf4eef4466ffd57ddd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6607349.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6607349.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7259340.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7259340.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:112

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2271658.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2271658.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2920

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3360566.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3360566.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4955046.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4955046.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 152
6⤵
- Program crash
PID:4396

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9163919.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9163919.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3422578.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3422578.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
5⤵
- Creates scheduled task(s)
PID:2800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1960

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
6⤵
PID:1784

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
6⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4284

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:5104

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:528

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:5064

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8258406.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8258406.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 596
3⤵
- Program crash
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 628 -ip 628
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2404 -ip 2404
1⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:224

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:5048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8258406.exe
Filesize
309KB

MD5
64c77165f468194c07d933224d5bdfcb

SHA1
1dd674cd0dfd1e2dafd58c63717fe2a52f48ac7d

SHA256
ff690cb513f45928832a6238f2cd526c3add24ca354be00c14b08a53883da943

SHA512
695e57e079abe155d883e2037da0191ceb13ceeb547bcb99dd76af6f2bf21d0668c848556a943e1f9bccbd700195930525f89b0b49c3f093741f8c33a8e937c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8258406.exe
Filesize
309KB

MD5
64c77165f468194c07d933224d5bdfcb

SHA1
1dd674cd0dfd1e2dafd58c63717fe2a52f48ac7d

SHA256
ff690cb513f45928832a6238f2cd526c3add24ca354be00c14b08a53883da943

SHA512
695e57e079abe155d883e2037da0191ceb13ceeb547bcb99dd76af6f2bf21d0668c848556a943e1f9bccbd700195930525f89b0b49c3f093741f8c33a8e937c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6607349.exe
Filesize
549KB

MD5
2f40da6363d41cfed1be204923b20d6d

SHA1
81aa034c89faf8036705130ef7a216c99df2fbd2

SHA256
808b1c4d34c6d2025f215585780dc982a60293745fccc41ce0f2eeb0e8e66ba4

SHA512
b2d2ae51c2ac1a00ef92f896401d90ab3cea73bc5f7b2086c61e246d2ec2832c5f6859a32645afad94906c38e38cea0caa362e9fffac238df6b57086bbe41eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6607349.exe
Filesize
549KB

MD5
2f40da6363d41cfed1be204923b20d6d

SHA1
81aa034c89faf8036705130ef7a216c99df2fbd2

SHA256
808b1c4d34c6d2025f215585780dc982a60293745fccc41ce0f2eeb0e8e66ba4

SHA512
b2d2ae51c2ac1a00ef92f896401d90ab3cea73bc5f7b2086c61e246d2ec2832c5f6859a32645afad94906c38e38cea0caa362e9fffac238df6b57086bbe41eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3422578.exe
Filesize
207KB

MD5
00ceeedb43d9a1b5fbc0e6f6f660093a

SHA1
82dd0bd104b4951bf9d70a7cd4df626e9cacdc09

SHA256
cf7ccf468b8def53cf22170615f4dded6775a5c0110936a1a4a9e5a05a7efcad

SHA512
568401f3d70dee6173c5ec4d25aa487cd853e3596e3e7a915436ef1d070bbf05ebbda517c30a7df5464b46248f76e22103bd09b83229a4269aefd23707fe37a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3422578.exe
Filesize
207KB

MD5
00ceeedb43d9a1b5fbc0e6f6f660093a

SHA1
82dd0bd104b4951bf9d70a7cd4df626e9cacdc09

SHA256
cf7ccf468b8def53cf22170615f4dded6775a5c0110936a1a4a9e5a05a7efcad

SHA512
568401f3d70dee6173c5ec4d25aa487cd853e3596e3e7a915436ef1d070bbf05ebbda517c30a7df5464b46248f76e22103bd09b83229a4269aefd23707fe37a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7259340.exe
Filesize
377KB

MD5
86b4ed7d79542b80976a3463e01651d7

SHA1
f808537e622740bd78e702a21b3e2e93790315e9

SHA256
7987fa26fb023f572716fdd1a25282e0676d4d07cf21d0b0edcd1b46a64be772

SHA512
a3c1ae507f2e4b09e951940a17a3271cbdd986a9c5b559b1e374dd30f5736e34795779fee56c25402e927b735a3fd372d1634c486923fd25edc88b62d1c866bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7259340.exe
Filesize
377KB

MD5
86b4ed7d79542b80976a3463e01651d7

SHA1
f808537e622740bd78e702a21b3e2e93790315e9

SHA256
7987fa26fb023f572716fdd1a25282e0676d4d07cf21d0b0edcd1b46a64be772

SHA512
a3c1ae507f2e4b09e951940a17a3271cbdd986a9c5b559b1e374dd30f5736e34795779fee56c25402e927b735a3fd372d1634c486923fd25edc88b62d1c866bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9163919.exe
Filesize
172KB

MD5
70f1651e83066c8f424032e73697758d

SHA1
ec09ad154db6d56885e552076c1e80a06ab2370e

SHA256
be5b2b48a07bdac28dc4a8fad0aa0545dc0843fe7802c47378a61f7c2de5d774

SHA512
a399395f589ea7fc3bc362f46437e5c2689dfbbf1bd911d7cd748ce2e90a2af680b338536129d395cf858f99f399d8831351b308c231e1df071cb5ca2026e3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9163919.exe
Filesize
172KB

MD5
70f1651e83066c8f424032e73697758d

SHA1
ec09ad154db6d56885e552076c1e80a06ab2370e

SHA256
be5b2b48a07bdac28dc4a8fad0aa0545dc0843fe7802c47378a61f7c2de5d774

SHA512
a399395f589ea7fc3bc362f46437e5c2689dfbbf1bd911d7cd748ce2e90a2af680b338536129d395cf858f99f399d8831351b308c231e1df071cb5ca2026e3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2271658.exe
Filesize
221KB

MD5
8c6377895e0f1b8b7f69c758169c8e7b

SHA1
1ff0d6dba1d7cfc863b53a455f98a8298e5a015f

SHA256
400a4ea7aa681178aa878235f13ed8625f513fb0f55c898c16fb556caabd1a91

SHA512
d8b47841335a872e221ce7025b066a2f21435deaed72bb84fa0c546c36e1fd3efcd49ebcbcbec5c730de6f6a38b5919a3b8f02dbdc8bffaff08315e9056065c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2271658.exe
Filesize
221KB

MD5
8c6377895e0f1b8b7f69c758169c8e7b

SHA1
1ff0d6dba1d7cfc863b53a455f98a8298e5a015f

SHA256
400a4ea7aa681178aa878235f13ed8625f513fb0f55c898c16fb556caabd1a91

SHA512
d8b47841335a872e221ce7025b066a2f21435deaed72bb84fa0c546c36e1fd3efcd49ebcbcbec5c730de6f6a38b5919a3b8f02dbdc8bffaff08315e9056065c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3360566.exe
Filesize
13KB

MD5
aeb5ce8afb9c701142b86cc0655c69fa

SHA1
46cb0f1a33d46364b067b18f3228a6059d7669a2

SHA256
65f600c866a8fd36e0bc86336a2d338fd30e758d17a8cded50a702473cf291f4

SHA512
336a1566e86702b3cd354b7036edb4ea9f714955c569574995a53c62d518c38a3598dfb9bfc7c81667420bc660d5ff4b7afd4578bb60aaae36def3df44e5dbd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3360566.exe
Filesize
13KB

MD5
aeb5ce8afb9c701142b86cc0655c69fa

SHA1
46cb0f1a33d46364b067b18f3228a6059d7669a2

SHA256
65f600c866a8fd36e0bc86336a2d338fd30e758d17a8cded50a702473cf291f4

SHA512
336a1566e86702b3cd354b7036edb4ea9f714955c569574995a53c62d518c38a3598dfb9bfc7c81667420bc660d5ff4b7afd4578bb60aaae36def3df44e5dbd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4955046.exe
Filesize
148KB

MD5
92c1740bedc4d9b89aed164a01a987e2

SHA1
2403c04c683782ccf83e9c5b9c41d26984904868

SHA256
471f54d1753bac6af9023e142a9b4e3f819aaef6ae88d85bae9b5062b0d4a8d6

SHA512
b3723c555f998cbbe383ee34858619eb7d7d06e051ace9c8b3dc7fcd32ca468e238f9fe72383810595bdcef77f1f50b8335700521400f2b05f23606ce1ec01b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4955046.exe
Filesize
148KB

MD5
92c1740bedc4d9b89aed164a01a987e2

SHA1
2403c04c683782ccf83e9c5b9c41d26984904868

SHA256
471f54d1753bac6af9023e142a9b4e3f819aaef6ae88d85bae9b5062b0d4a8d6

SHA512
b3723c555f998cbbe383ee34858619eb7d7d06e051ace9c8b3dc7fcd32ca468e238f9fe72383810595bdcef77f1f50b8335700521400f2b05f23606ce1ec01b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
207KB

MD5
00ceeedb43d9a1b5fbc0e6f6f660093a

SHA1
82dd0bd104b4951bf9d70a7cd4df626e9cacdc09

SHA256
cf7ccf468b8def53cf22170615f4dded6775a5c0110936a1a4a9e5a05a7efcad

SHA512
568401f3d70dee6173c5ec4d25aa487cd853e3596e3e7a915436ef1d070bbf05ebbda517c30a7df5464b46248f76e22103bd09b83229a4269aefd23707fe37a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
207KB

MD5
00ceeedb43d9a1b5fbc0e6f6f660093a

SHA1
82dd0bd104b4951bf9d70a7cd4df626e9cacdc09

SHA256
cf7ccf468b8def53cf22170615f4dded6775a5c0110936a1a4a9e5a05a7efcad

SHA512
568401f3d70dee6173c5ec4d25aa487cd853e3596e3e7a915436ef1d070bbf05ebbda517c30a7df5464b46248f76e22103bd09b83229a4269aefd23707fe37a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
207KB

MD5
00ceeedb43d9a1b5fbc0e6f6f660093a

SHA1
82dd0bd104b4951bf9d70a7cd4df626e9cacdc09

SHA256
cf7ccf468b8def53cf22170615f4dded6775a5c0110936a1a4a9e5a05a7efcad

SHA512
568401f3d70dee6173c5ec4d25aa487cd853e3596e3e7a915436ef1d070bbf05ebbda517c30a7df5464b46248f76e22103bd09b83229a4269aefd23707fe37a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
207KB

MD5
00ceeedb43d9a1b5fbc0e6f6f660093a

SHA1
82dd0bd104b4951bf9d70a7cd4df626e9cacdc09

SHA256
cf7ccf468b8def53cf22170615f4dded6775a5c0110936a1a4a9e5a05a7efcad

SHA512
568401f3d70dee6173c5ec4d25aa487cd853e3596e3e7a915436ef1d070bbf05ebbda517c30a7df5464b46248f76e22103bd09b83229a4269aefd23707fe37a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
207KB

MD5
00ceeedb43d9a1b5fbc0e6f6f660093a

SHA1
82dd0bd104b4951bf9d70a7cd4df626e9cacdc09

SHA256
cf7ccf468b8def53cf22170615f4dded6775a5c0110936a1a4a9e5a05a7efcad

SHA512
568401f3d70dee6173c5ec4d25aa487cd853e3596e3e7a915436ef1d070bbf05ebbda517c30a7df5464b46248f76e22103bd09b83229a4269aefd23707fe37a4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1948-206-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1948-212-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/2876-161-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/4084-166-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4596-188-0x0000000008430000-0x000000000895C000-memory.dmp

Filesize
5.2MB

Download
memory/4596-187-0x0000000006810000-0x00000000069D2000-memory.dmp

Filesize
1.8MB

Download
memory/4596-186-0x0000000006000000-0x0000000006050000-memory.dmp

Filesize
320KB

Download
memory/4596-185-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/4596-183-0x0000000005220000-0x0000000005286000-memory.dmp

Filesize
408KB

Download
memory/4596-182-0x0000000006260000-0x0000000006804000-memory.dmp

Filesize
5.6MB

Download
memory/4596-181-0x0000000005180000-0x0000000005212000-memory.dmp

Filesize
584KB

Download
memory/4596-180-0x0000000005060000-0x00000000050D6000-memory.dmp

Filesize
472KB

Download
memory/4596-179-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/4596-178-0x0000000004D50000-0x0000000004D8C000-memory.dmp

Filesize
240KB

Download
memory/4596-177-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/4596-176-0x0000000004DB0000-0x0000000004EBA000-memory.dmp

Filesize
1.0MB

Download
memory/4596-175-0x00000000052A0000-0x00000000058B8000-memory.dmp

Filesize
6.1MB

Download
memory/4596-174-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download