redline | b58ba443b23d1dc52274a1c500c98f9eb08d1480f7d4db7681766a3a74f50cac

Analysis

max time kernel
138s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b58ba443b23d1dc52274a1c500c98f9eb08d1480f7d4db7681766a3a74f50cac.exe
Size

772KB
MD5

5a1283d80076afd4798d2da03593ac45
SHA1

40ca37fac29bfabed816f32d20df2adc3df61d82
SHA256

b58ba443b23d1dc52274a1c500c98f9eb08d1480f7d4db7681766a3a74f50cac
SHA512

adebe9641b687657b6fc978c6ddc151ca5af58fe06f42eec169f126137984e9baec556f761bfa2959bed27d71ba0c40159777607950e8f430060ef7477357f40
SSDEEP

12288:NMrcy904wgZrtVrGWzFdt7EKFtruZvnREZG9q5G+Npoo1710V/oI1sW:pyrBrrR7EKFZoyG9qQwLR0JdsW

Score

10^/10

redline maxi sheron discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.129:19068

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a7454125.exeAppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a7454125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7454125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7454125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7454125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7454125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7454125.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d0495610.exelamod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	d0495610.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	lamod.exe

Executes dropped EXE 11 IoCs

Processes:

v3538867.exev7291709.exev9625537.exea7454125.exeb6160797.exec7321893.exed0495610.exelamod.exee0576715.exelamod.exelamod.exe

pid	process
4180	v3538867.exe
4160	v7291709.exe
2452	v9625537.exe
5080	a7454125.exe
1436	b6160797.exe
1944	c7321893.exe
1892	d0495610.exe
4500	lamod.exe
1292	e0576715.exe
32	lamod.exe
3296	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2244 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a7454125.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a7454125.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2244	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7454125.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v7291709.exev9625537.exeb58ba443b23d1dc52274a1c500c98f9eb08d1480f7d4db7681766a3a74f50cac.exev3538867.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7291709.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9625537.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v9625537.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b58ba443b23d1dc52274a1c500c98f9eb08d1480f7d4db7681766a3a74f50cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b58ba443b23d1dc52274a1c500c98f9eb08d1480f7d4db7681766a3a74f50cac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3538867.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3538867.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7291709.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

b6160797.exee0576715.exe

description	pid	process	target process
PID 1436 set thread context of 2652	1436	b6160797.exe	AppLaunch.exe
PID 1292 set thread context of 4260	1292	e0576715.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3908 1292 WerFault.exe e0576715.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4312 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a7454125.exeAppLaunch.exec7321893.exeAppLaunch.exe

pid process

5080 a7454125.exe
5080 a7454125.exe
2652 AppLaunch.exe
2652 AppLaunch.exe
1944 c7321893.exe
1944 c7321893.exe
4260 AppLaunch.exe
4260 AppLaunch.exe

pid	pid_target	process	target process
3908	1292	WerFault.exe	e0576715.exe

pid	process
4312	schtasks.exe

pid	process
5080	a7454125.exe
5080	a7454125.exe
2652	AppLaunch.exe
2652	AppLaunch.exe
1944	c7321893.exe
1944	c7321893.exe
4260	AppLaunch.exe
4260	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a7454125.exeAppLaunch.exec7321893.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	5080	a7454125.exe
Token: SeDebugPrivilege	2652	AppLaunch.exe
Token: SeDebugPrivilege	1944	c7321893.exe
Token: SeDebugPrivilege	4260	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d0495610.exe

pid process

1892 d0495610.exe

pid	process
1892	d0495610.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

b58ba443b23d1dc52274a1c500c98f9eb08d1480f7d4db7681766a3a74f50cac.exev3538867.exev7291709.exev9625537.exeb6160797.exed0495610.exelamod.execmd.exee0576715.exe

description	pid	process	target process
PID 4104 wrote to memory of 4180	4104	b58ba443b23d1dc52274a1c500c98f9eb08d1480f7d4db7681766a3a74f50cac.exe	v3538867.exe
PID 4104 wrote to memory of 4180	4104	b58ba443b23d1dc52274a1c500c98f9eb08d1480f7d4db7681766a3a74f50cac.exe	v3538867.exe
PID 4104 wrote to memory of 4180	4104	b58ba443b23d1dc52274a1c500c98f9eb08d1480f7d4db7681766a3a74f50cac.exe	v3538867.exe
PID 4180 wrote to memory of 4160	4180	v3538867.exe	v7291709.exe
PID 4180 wrote to memory of 4160	4180	v3538867.exe	v7291709.exe
PID 4180 wrote to memory of 4160	4180	v3538867.exe	v7291709.exe
PID 4160 wrote to memory of 2452	4160	v7291709.exe	v9625537.exe
PID 4160 wrote to memory of 2452	4160	v7291709.exe	v9625537.exe
PID 4160 wrote to memory of 2452	4160	v7291709.exe	v9625537.exe
PID 2452 wrote to memory of 5080	2452	v9625537.exe	a7454125.exe
PID 2452 wrote to memory of 5080	2452	v9625537.exe	a7454125.exe
PID 2452 wrote to memory of 1436	2452	v9625537.exe	b6160797.exe
PID 2452 wrote to memory of 1436	2452	v9625537.exe	b6160797.exe
PID 2452 wrote to memory of 1436	2452	v9625537.exe	b6160797.exe
PID 1436 wrote to memory of 2652	1436	b6160797.exe	AppLaunch.exe
PID 1436 wrote to memory of 2652	1436	b6160797.exe	AppLaunch.exe
PID 1436 wrote to memory of 2652	1436	b6160797.exe	AppLaunch.exe
PID 1436 wrote to memory of 2652	1436	b6160797.exe	AppLaunch.exe
PID 1436 wrote to memory of 2652	1436	b6160797.exe	AppLaunch.exe
PID 4160 wrote to memory of 1944	4160	v7291709.exe	c7321893.exe
PID 4160 wrote to memory of 1944	4160	v7291709.exe	c7321893.exe
PID 4160 wrote to memory of 1944	4160	v7291709.exe	c7321893.exe
PID 4180 wrote to memory of 1892	4180	v3538867.exe	d0495610.exe
PID 4180 wrote to memory of 1892	4180	v3538867.exe	d0495610.exe
PID 4180 wrote to memory of 1892	4180	v3538867.exe	d0495610.exe
PID 1892 wrote to memory of 4500	1892	d0495610.exe	lamod.exe
PID 1892 wrote to memory of 4500	1892	d0495610.exe	lamod.exe
PID 1892 wrote to memory of 4500	1892	d0495610.exe	lamod.exe
PID 4104 wrote to memory of 1292	4104	b58ba443b23d1dc52274a1c500c98f9eb08d1480f7d4db7681766a3a74f50cac.exe	e0576715.exe
PID 4104 wrote to memory of 1292	4104	b58ba443b23d1dc52274a1c500c98f9eb08d1480f7d4db7681766a3a74f50cac.exe	e0576715.exe
PID 4104 wrote to memory of 1292	4104	b58ba443b23d1dc52274a1c500c98f9eb08d1480f7d4db7681766a3a74f50cac.exe	e0576715.exe
PID 4500 wrote to memory of 4312	4500	lamod.exe	schtasks.exe
PID 4500 wrote to memory of 4312	4500	lamod.exe	schtasks.exe
PID 4500 wrote to memory of 4312	4500	lamod.exe	schtasks.exe
PID 4500 wrote to memory of 4092	4500	lamod.exe	cmd.exe
PID 4500 wrote to memory of 4092	4500	lamod.exe	cmd.exe
PID 4500 wrote to memory of 4092	4500	lamod.exe	cmd.exe
PID 4092 wrote to memory of 4872	4092	cmd.exe	cmd.exe
PID 4092 wrote to memory of 4872	4092	cmd.exe	cmd.exe
PID 4092 wrote to memory of 4872	4092	cmd.exe	cmd.exe
PID 4092 wrote to memory of 4556	4092	cmd.exe	cacls.exe
PID 4092 wrote to memory of 4556	4092	cmd.exe	cacls.exe
PID 4092 wrote to memory of 4556	4092	cmd.exe	cacls.exe
PID 1292 wrote to memory of 4260	1292	e0576715.exe	AppLaunch.exe
PID 1292 wrote to memory of 4260	1292	e0576715.exe	AppLaunch.exe
PID 1292 wrote to memory of 4260	1292	e0576715.exe	AppLaunch.exe
PID 1292 wrote to memory of 4260	1292	e0576715.exe	AppLaunch.exe
PID 1292 wrote to memory of 4260	1292	e0576715.exe	AppLaunch.exe
PID 4092 wrote to memory of 2052	4092	cmd.exe	cacls.exe
PID 4092 wrote to memory of 2052	4092	cmd.exe	cacls.exe
PID 4092 wrote to memory of 2052	4092	cmd.exe	cacls.exe
PID 4092 wrote to memory of 4132	4092	cmd.exe	cmd.exe
PID 4092 wrote to memory of 4132	4092	cmd.exe	cmd.exe
PID 4092 wrote to memory of 4132	4092	cmd.exe	cmd.exe
PID 4092 wrote to memory of 5048	4092	cmd.exe	cacls.exe
PID 4092 wrote to memory of 5048	4092	cmd.exe	cacls.exe
PID 4092 wrote to memory of 5048	4092	cmd.exe	cacls.exe
PID 4092 wrote to memory of 1832	4092	cmd.exe	cacls.exe
PID 4092 wrote to memory of 1832	4092	cmd.exe	cacls.exe
PID 4092 wrote to memory of 1832	4092	cmd.exe	cacls.exe
PID 4500 wrote to memory of 2244	4500	lamod.exe	rundll32.exe
PID 4500 wrote to memory of 2244	4500	lamod.exe	rundll32.exe
PID 4500 wrote to memory of 2244	4500	lamod.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b58ba443b23d1dc52274a1c500c98f9eb08d1480f7d4db7681766a3a74f50cac.exe
"C:\Users\Admin\AppData\Local\Temp\b58ba443b23d1dc52274a1c500c98f9eb08d1480f7d4db7681766a3a74f50cac.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4104

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3538867.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3538867.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4180

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7291709.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7291709.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4160

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9625537.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9625537.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7454125.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7454125.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6160797.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6160797.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7321893.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7321893.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0495610.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0495610.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1892

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
5⤵
- Creates scheduled task(s)
PID:4312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4872

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
6⤵
PID:4556

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
6⤵
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4132

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:5048

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:1832

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:2244

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0576715.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0576715.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 156
3⤵
- Program crash
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1292 -ip 1292
1⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:32

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:3296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0576715.exe
Filesize
309KB

MD5
6fd372f52a8c4bfa13cf5404052a28b0

SHA1
8be9b707bdb964a2c846d4a1058ec8fcdc389fb0

SHA256
f05a4d1cf101cfa1d37005b9a30b665a31416e0360e4c8abddc407a9d4bf239c

SHA512
bffd7d9477f5c36e30a8ff4ab30f518b2d8ae9c99d769e261355634deb91bd955c376e753e2cf1180cb18e6281f43a56eaf554f3be580f0289125672b627851c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0576715.exe
Filesize
309KB

MD5
6fd372f52a8c4bfa13cf5404052a28b0

SHA1
8be9b707bdb964a2c846d4a1058ec8fcdc389fb0

SHA256
f05a4d1cf101cfa1d37005b9a30b665a31416e0360e4c8abddc407a9d4bf239c

SHA512
bffd7d9477f5c36e30a8ff4ab30f518b2d8ae9c99d769e261355634deb91bd955c376e753e2cf1180cb18e6281f43a56eaf554f3be580f0289125672b627851c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3538867.exe
Filesize
549KB

MD5
ac07d4a910618ba1e9bc99bd165f53c9

SHA1
375da20e98347a9083f61e49445037222fabdde2

SHA256
a0d0539d5a78b61559ef86eb9583a28ac55a02112c02adfbe147e64c505438b9

SHA512
7254b72f82dd44493e3e2ea75df16c9b03f81b8409ced1b1be75de06007b143289345debd2763a2f186b6742a1303f17262231c7bc1baac42b036a070abef30d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3538867.exe
Filesize
549KB

MD5
ac07d4a910618ba1e9bc99bd165f53c9

SHA1
375da20e98347a9083f61e49445037222fabdde2

SHA256
a0d0539d5a78b61559ef86eb9583a28ac55a02112c02adfbe147e64c505438b9

SHA512
7254b72f82dd44493e3e2ea75df16c9b03f81b8409ced1b1be75de06007b143289345debd2763a2f186b6742a1303f17262231c7bc1baac42b036a070abef30d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0495610.exe
Filesize
208KB

MD5
dfd2115766b207e284af198f08a0a553

SHA1
274c252edb37badc808acff1b1dbe6dc4c1d676c

SHA256
f481c1302091a649329bc28a44dad3b8bab0e1bb88db106f7ad27aca04fac3b5

SHA512
06ad0b714d833c95ff09b1f89b9780b38f428054650fb46754930e684d9aca6fd320f2556ad218c84cd7e59210066c49aad3cb2dfdbff23ec391c3b6b5cb8323

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0495610.exe
Filesize
208KB

MD5
dfd2115766b207e284af198f08a0a553

SHA1
274c252edb37badc808acff1b1dbe6dc4c1d676c

SHA256
f481c1302091a649329bc28a44dad3b8bab0e1bb88db106f7ad27aca04fac3b5

SHA512
06ad0b714d833c95ff09b1f89b9780b38f428054650fb46754930e684d9aca6fd320f2556ad218c84cd7e59210066c49aad3cb2dfdbff23ec391c3b6b5cb8323

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7291709.exe
Filesize
377KB

MD5
d3615939dd693ac10117a99316d17671

SHA1
fa26f88fc6ad08515bd259e8ba4999e18cd1c4fc

SHA256
1c7b179ed78be48d54b7d482abb919ce286784003f8781de0de4209b12252e65

SHA512
6d7bf853be8b7783b483f8aa9279e809fd75da475fefdb0aaff46c323f5cbe914d054137b83230f0ecc2c36611574fd9c85970dc1e9b9326961c617902161daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7291709.exe
Filesize
377KB

MD5
d3615939dd693ac10117a99316d17671

SHA1
fa26f88fc6ad08515bd259e8ba4999e18cd1c4fc

SHA256
1c7b179ed78be48d54b7d482abb919ce286784003f8781de0de4209b12252e65

SHA512
6d7bf853be8b7783b483f8aa9279e809fd75da475fefdb0aaff46c323f5cbe914d054137b83230f0ecc2c36611574fd9c85970dc1e9b9326961c617902161daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7321893.exe
Filesize
172KB

MD5
83eff164d0cc57a48c834cb4d9428771

SHA1
ee077b1cb405cc42dd2ab2b0472a734bc7e3782a

SHA256
13a9987940791a3bf2176166223eb5d8e9dd09a5051a1ce0c649ff0dc32c524c

SHA512
be48ccd34e3b629dd8b6d223a2925ad5ecb9b4347611fd814fe19e97e205ede61d373ea895a36d1966f734926530f2be31b3983ee15595c40beb45d30da4bcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7321893.exe
Filesize
172KB

MD5
83eff164d0cc57a48c834cb4d9428771

SHA1
ee077b1cb405cc42dd2ab2b0472a734bc7e3782a

SHA256
13a9987940791a3bf2176166223eb5d8e9dd09a5051a1ce0c649ff0dc32c524c

SHA512
be48ccd34e3b629dd8b6d223a2925ad5ecb9b4347611fd814fe19e97e205ede61d373ea895a36d1966f734926530f2be31b3983ee15595c40beb45d30da4bcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9625537.exe
Filesize
221KB

MD5
7f13488628a61f5548c5ed8303570ecb

SHA1
69fdd681e4dcfe8df561ddb754c5b94d18b23451

SHA256
2bc6d57d621b07b63a697ae66c66ea245a3924410d1ebe7cfae4e8bb8e037877

SHA512
b3cbf942a9f28d33a46313bf5032ac8e9f680356714d3a69c2b80903cf759f75bd2b0732794b30a86d3e9bfcc787f57e4e0847397ca2b5bb0407573622655266

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9625537.exe
Filesize
221KB

MD5
7f13488628a61f5548c5ed8303570ecb

SHA1
69fdd681e4dcfe8df561ddb754c5b94d18b23451

SHA256
2bc6d57d621b07b63a697ae66c66ea245a3924410d1ebe7cfae4e8bb8e037877

SHA512
b3cbf942a9f28d33a46313bf5032ac8e9f680356714d3a69c2b80903cf759f75bd2b0732794b30a86d3e9bfcc787f57e4e0847397ca2b5bb0407573622655266

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7454125.exe
Filesize
13KB

MD5
22e9cb14f5ab615ea65e95965ab886fc

SHA1
4e219bf02e6300f0236aae0e7b643efce48ac4d2

SHA256
288aa11fb844d421ac5a9a41e9cbbe1725e8cfbcaa6a9690a362b4305b763149

SHA512
7569a98e8bab3df8c9407526eb21112d1dc63e24f192d583112119a91df317db85ac8dbbc742bc7b5e4526519e7ca68b42125b7f702d4560c936353007328d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7454125.exe
Filesize
13KB

MD5
22e9cb14f5ab615ea65e95965ab886fc

SHA1
4e219bf02e6300f0236aae0e7b643efce48ac4d2

SHA256
288aa11fb844d421ac5a9a41e9cbbe1725e8cfbcaa6a9690a362b4305b763149

SHA512
7569a98e8bab3df8c9407526eb21112d1dc63e24f192d583112119a91df317db85ac8dbbc742bc7b5e4526519e7ca68b42125b7f702d4560c936353007328d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6160797.exe
Filesize
148KB

MD5
d48c39ca3d4df8e0601d8b94045f4cac

SHA1
1e5e2320fa479bfe9fe494ac5fd4769eb21c2c98

SHA256
6ac267edf7ec57c9ff551f44aea0558fd9caadced024855db1c849a747ec07c4

SHA512
9271dd5dd75da08a34e4115cc421fb258b574d892695ecdba2089e3d8fe151ce84e63ec4ccb93344ce0823dc7fece8b182eef86e99b97bb127a962c2ba887a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6160797.exe
Filesize
148KB

MD5
d48c39ca3d4df8e0601d8b94045f4cac

SHA1
1e5e2320fa479bfe9fe494ac5fd4769eb21c2c98

SHA256
6ac267edf7ec57c9ff551f44aea0558fd9caadced024855db1c849a747ec07c4

SHA512
9271dd5dd75da08a34e4115cc421fb258b574d892695ecdba2089e3d8fe151ce84e63ec4ccb93344ce0823dc7fece8b182eef86e99b97bb127a962c2ba887a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
dfd2115766b207e284af198f08a0a553

SHA1
274c252edb37badc808acff1b1dbe6dc4c1d676c

SHA256
f481c1302091a649329bc28a44dad3b8bab0e1bb88db106f7ad27aca04fac3b5

SHA512
06ad0b714d833c95ff09b1f89b9780b38f428054650fb46754930e684d9aca6fd320f2556ad218c84cd7e59210066c49aad3cb2dfdbff23ec391c3b6b5cb8323

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
dfd2115766b207e284af198f08a0a553

SHA1
274c252edb37badc808acff1b1dbe6dc4c1d676c

SHA256
f481c1302091a649329bc28a44dad3b8bab0e1bb88db106f7ad27aca04fac3b5

SHA512
06ad0b714d833c95ff09b1f89b9780b38f428054650fb46754930e684d9aca6fd320f2556ad218c84cd7e59210066c49aad3cb2dfdbff23ec391c3b6b5cb8323

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
dfd2115766b207e284af198f08a0a553

SHA1
274c252edb37badc808acff1b1dbe6dc4c1d676c

SHA256
f481c1302091a649329bc28a44dad3b8bab0e1bb88db106f7ad27aca04fac3b5

SHA512
06ad0b714d833c95ff09b1f89b9780b38f428054650fb46754930e684d9aca6fd320f2556ad218c84cd7e59210066c49aad3cb2dfdbff23ec391c3b6b5cb8323

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
dfd2115766b207e284af198f08a0a553

SHA1
274c252edb37badc808acff1b1dbe6dc4c1d676c

SHA256
f481c1302091a649329bc28a44dad3b8bab0e1bb88db106f7ad27aca04fac3b5

SHA512
06ad0b714d833c95ff09b1f89b9780b38f428054650fb46754930e684d9aca6fd320f2556ad218c84cd7e59210066c49aad3cb2dfdbff23ec391c3b6b5cb8323

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
dfd2115766b207e284af198f08a0a553

SHA1
274c252edb37badc808acff1b1dbe6dc4c1d676c

SHA256
f481c1302091a649329bc28a44dad3b8bab0e1bb88db106f7ad27aca04fac3b5

SHA512
06ad0b714d833c95ff09b1f89b9780b38f428054650fb46754930e684d9aca6fd320f2556ad218c84cd7e59210066c49aad3cb2dfdbff23ec391c3b6b5cb8323

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1944-182-0x000000000A550000-0x000000000A5B6000-memory.dmp

Filesize
408KB

Download
memory/1944-176-0x000000000A220000-0x000000000A32A000-memory.dmp

Filesize
1.0MB

Download
memory/1944-187-0x000000000C360000-0x000000000C88C000-memory.dmp

Filesize
5.2MB

Download
memory/1944-185-0x000000000BC60000-0x000000000BE22000-memory.dmp

Filesize
1.8MB

Download
memory/1944-184-0x000000000B310000-0x000000000B360000-memory.dmp

Filesize
320KB

Download
memory/1944-183-0x000000000B6B0000-0x000000000BC54000-memory.dmp

Filesize
5.6MB

Download
memory/1944-181-0x000000000A5F0000-0x000000000A682000-memory.dmp

Filesize
584KB

Download
memory/1944-180-0x000000000A4D0000-0x000000000A546000-memory.dmp

Filesize
472KB

Download
memory/1944-179-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/1944-174-0x00000000002A0000-0x00000000002D0000-memory.dmp

Filesize
192KB

Download
memory/1944-178-0x000000000A1C0000-0x000000000A1FC000-memory.dmp

Filesize
240KB

Download
memory/1944-175-0x000000000A6E0000-0x000000000ACF8000-memory.dmp

Filesize
6.1MB

Download
memory/1944-177-0x000000000A160000-0x000000000A172000-memory.dmp

Filesize
72KB

Download
memory/1944-188-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/2652-166-0x00000000007C0000-0x00000000007CA000-memory.dmp

Filesize
40KB

Download
memory/4260-212-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/4260-206-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5080-161-0x0000000000D20000-0x0000000000D2A000-memory.dmp

Filesize
40KB

Download