redline | 9808c845aefe8b789d6964c5f4543012fcd300263230f64bd627c5d2d445aa76

Analysis

max time kernel
111s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9808c845aefe8b789d6964c5f4543012fcd300263230f64bd627c5d2d445aa76.exe
Size

772KB
MD5

7c047113ca81c0896fd1046dbe7e95a7
SHA1

2ac2852698db2aed7b3197d8d8a01906d70af6e6
SHA256

9808c845aefe8b789d6964c5f4543012fcd300263230f64bd627c5d2d445aa76
SHA512

439f2518c51423a60cb419646ca782fe19f15d036560ecd3514b0822071dab68f25362c1a61c97465a4bd1c693a24afe6d31d7293e488d3733a055e701ed0c0c
SSDEEP

12288:LMrjy90cHwFGyH/vNyO55FS9AxdW7X+TBJYQftD2usmTm6c/LrA+35Ubnkoq:cyPHwEaRvFS9aW7QYQlDeL0wloq

Score

10^/10

redline maxi sheron discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.129:19068

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a8798350.exeAppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8798350.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a8798350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8798350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8798350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8798350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8798350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d1214083.exelamod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	d1214083.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	lamod.exe

Executes dropped EXE 11 IoCs

Processes:

v0009596.exev1681870.exev3852378.exea8798350.exeb3387486.exec8768150.exed1214083.exelamod.exee4910813.exelamod.exelamod.exe

pid	process
4176	v0009596.exe
1680	v1681870.exe
3232	v3852378.exe
3800	a8798350.exe
3076	b3387486.exe
2964	c8768150.exe
3136	d1214083.exe
3904	lamod.exe
2300	e4910813.exe
2192	lamod.exe
1864	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1960 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a8798350.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a8798350.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1960	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8798350.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v3852378.exe9808c845aefe8b789d6964c5f4543012fcd300263230f64bd627c5d2d445aa76.exev0009596.exev1681870.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3852378.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9808c845aefe8b789d6964c5f4543012fcd300263230f64bd627c5d2d445aa76.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9808c845aefe8b789d6964c5f4543012fcd300263230f64bd627c5d2d445aa76.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0009596.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0009596.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1681870.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1681870.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3852378.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

b3387486.exee4910813.exe

description	pid	process	target process
PID 3076 set thread context of 4768	3076	b3387486.exe	AppLaunch.exe
PID 2300 set thread context of 3960	2300	e4910813.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4924 3076 WerFault.exe b3387486.exe
1176 2300 WerFault.exe e4910813.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3444 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a8798350.exeAppLaunch.exec8768150.exeAppLaunch.exe

pid process

3800 a8798350.exe
3800 a8798350.exe
4768 AppLaunch.exe
4768 AppLaunch.exe
2964 c8768150.exe
2964 c8768150.exe
3960 AppLaunch.exe
3960 AppLaunch.exe

pid	pid_target	process	target process
4924	3076	WerFault.exe	b3387486.exe
1176	2300	WerFault.exe	e4910813.exe

pid	process
3444	schtasks.exe

pid	process
3800	a8798350.exe
3800	a8798350.exe
4768	AppLaunch.exe
4768	AppLaunch.exe
2964	c8768150.exe
2964	c8768150.exe
3960	AppLaunch.exe
3960	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a8798350.exeAppLaunch.exec8768150.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	3800	a8798350.exe
Token: SeDebugPrivilege	4768	AppLaunch.exe
Token: SeDebugPrivilege	2964	c8768150.exe
Token: SeDebugPrivilege	3960	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d1214083.exe

pid process

3136 d1214083.exe

pid	process
3136	d1214083.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

9808c845aefe8b789d6964c5f4543012fcd300263230f64bd627c5d2d445aa76.exev0009596.exev1681870.exev3852378.exeb3387486.exed1214083.exelamod.execmd.exee4910813.exe

description	pid	process	target process
PID 2164 wrote to memory of 4176	2164	9808c845aefe8b789d6964c5f4543012fcd300263230f64bd627c5d2d445aa76.exe	v0009596.exe
PID 2164 wrote to memory of 4176	2164	9808c845aefe8b789d6964c5f4543012fcd300263230f64bd627c5d2d445aa76.exe	v0009596.exe
PID 2164 wrote to memory of 4176	2164	9808c845aefe8b789d6964c5f4543012fcd300263230f64bd627c5d2d445aa76.exe	v0009596.exe
PID 4176 wrote to memory of 1680	4176	v0009596.exe	v1681870.exe
PID 4176 wrote to memory of 1680	4176	v0009596.exe	v1681870.exe
PID 4176 wrote to memory of 1680	4176	v0009596.exe	v1681870.exe
PID 1680 wrote to memory of 3232	1680	v1681870.exe	v3852378.exe
PID 1680 wrote to memory of 3232	1680	v1681870.exe	v3852378.exe
PID 1680 wrote to memory of 3232	1680	v1681870.exe	v3852378.exe
PID 3232 wrote to memory of 3800	3232	v3852378.exe	a8798350.exe
PID 3232 wrote to memory of 3800	3232	v3852378.exe	a8798350.exe
PID 3232 wrote to memory of 3076	3232	v3852378.exe	b3387486.exe
PID 3232 wrote to memory of 3076	3232	v3852378.exe	b3387486.exe
PID 3232 wrote to memory of 3076	3232	v3852378.exe	b3387486.exe
PID 3076 wrote to memory of 4768	3076	b3387486.exe	AppLaunch.exe
PID 3076 wrote to memory of 4768	3076	b3387486.exe	AppLaunch.exe
PID 3076 wrote to memory of 4768	3076	b3387486.exe	AppLaunch.exe
PID 3076 wrote to memory of 4768	3076	b3387486.exe	AppLaunch.exe
PID 3076 wrote to memory of 4768	3076	b3387486.exe	AppLaunch.exe
PID 1680 wrote to memory of 2964	1680	v1681870.exe	c8768150.exe
PID 1680 wrote to memory of 2964	1680	v1681870.exe	c8768150.exe
PID 1680 wrote to memory of 2964	1680	v1681870.exe	c8768150.exe
PID 4176 wrote to memory of 3136	4176	v0009596.exe	d1214083.exe
PID 4176 wrote to memory of 3136	4176	v0009596.exe	d1214083.exe
PID 4176 wrote to memory of 3136	4176	v0009596.exe	d1214083.exe
PID 3136 wrote to memory of 3904	3136	d1214083.exe	lamod.exe
PID 3136 wrote to memory of 3904	3136	d1214083.exe	lamod.exe
PID 3136 wrote to memory of 3904	3136	d1214083.exe	lamod.exe
PID 2164 wrote to memory of 2300	2164	9808c845aefe8b789d6964c5f4543012fcd300263230f64bd627c5d2d445aa76.exe	e4910813.exe
PID 2164 wrote to memory of 2300	2164	9808c845aefe8b789d6964c5f4543012fcd300263230f64bd627c5d2d445aa76.exe	e4910813.exe
PID 2164 wrote to memory of 2300	2164	9808c845aefe8b789d6964c5f4543012fcd300263230f64bd627c5d2d445aa76.exe	e4910813.exe
PID 3904 wrote to memory of 3444	3904	lamod.exe	schtasks.exe
PID 3904 wrote to memory of 3444	3904	lamod.exe	schtasks.exe
PID 3904 wrote to memory of 3444	3904	lamod.exe	schtasks.exe
PID 3904 wrote to memory of 1964	3904	lamod.exe	cmd.exe
PID 3904 wrote to memory of 1964	3904	lamod.exe	cmd.exe
PID 3904 wrote to memory of 1964	3904	lamod.exe	cmd.exe
PID 1964 wrote to memory of 4764	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4764	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4764	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4108	1964	cmd.exe	cacls.exe
PID 1964 wrote to memory of 4108	1964	cmd.exe	cacls.exe
PID 1964 wrote to memory of 4108	1964	cmd.exe	cacls.exe
PID 2300 wrote to memory of 3960	2300	e4910813.exe	AppLaunch.exe
PID 2300 wrote to memory of 3960	2300	e4910813.exe	AppLaunch.exe
PID 2300 wrote to memory of 3960	2300	e4910813.exe	AppLaunch.exe
PID 2300 wrote to memory of 3960	2300	e4910813.exe	AppLaunch.exe
PID 2300 wrote to memory of 3960	2300	e4910813.exe	AppLaunch.exe
PID 1964 wrote to memory of 4524	1964	cmd.exe	cacls.exe
PID 1964 wrote to memory of 4524	1964	cmd.exe	cacls.exe
PID 1964 wrote to memory of 4524	1964	cmd.exe	cacls.exe
PID 1964 wrote to memory of 4580	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4580	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4580	1964	cmd.exe	cmd.exe
PID 1964 wrote to memory of 4804	1964	cmd.exe	cacls.exe
PID 1964 wrote to memory of 4804	1964	cmd.exe	cacls.exe
PID 1964 wrote to memory of 4804	1964	cmd.exe	cacls.exe
PID 1964 wrote to memory of 1600	1964	cmd.exe	cacls.exe
PID 1964 wrote to memory of 1600	1964	cmd.exe	cacls.exe
PID 1964 wrote to memory of 1600	1964	cmd.exe	cacls.exe
PID 3904 wrote to memory of 1960	3904	lamod.exe	rundll32.exe
PID 3904 wrote to memory of 1960	3904	lamod.exe	rundll32.exe
PID 3904 wrote to memory of 1960	3904	lamod.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\9808c845aefe8b789d6964c5f4543012fcd300263230f64bd627c5d2d445aa76.exe
"C:\Users\Admin\AppData\Local\Temp\9808c845aefe8b789d6964c5f4543012fcd300263230f64bd627c5d2d445aa76.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0009596.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0009596.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4176

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1681870.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1681870.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3852378.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3852378.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8798350.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8798350.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3387486.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3387486.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 152
6⤵
- Program crash
PID:4924

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8768150.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8768150.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1214083.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1214083.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3136

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
5⤵
- Creates scheduled task(s)
PID:3444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4764

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
6⤵
PID:4108

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
6⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4580

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:4804

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:1600

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:1960

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e4910813.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e4910813.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 608
3⤵
- Program crash
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3076 -ip 3076
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2300 -ip 2300
1⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:2192

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:1864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e4910813.exe

Filesize
309KB

MD5
42974a847d784e17368c22249979e60c

SHA1
bf506de8dc77e233c44ea7227d18cf1974317f48

SHA256
3d839a260d084e8ee8fa3ffd116f710fc7b7cc34b4cdce38d85f1512422a3e52

SHA512
537ac6439f1d5647df67dd856328bba3282d1caa39205ce29919d4315fbfae0dbbeaa15629aed833cbedb04476ac0671d4e30f6ed7182f98b8284925c8411534

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e4910813.exe

Filesize
309KB

MD5
42974a847d784e17368c22249979e60c

SHA1
bf506de8dc77e233c44ea7227d18cf1974317f48

SHA256
3d839a260d084e8ee8fa3ffd116f710fc7b7cc34b4cdce38d85f1512422a3e52

SHA512
537ac6439f1d5647df67dd856328bba3282d1caa39205ce29919d4315fbfae0dbbeaa15629aed833cbedb04476ac0671d4e30f6ed7182f98b8284925c8411534

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0009596.exe

Filesize
549KB

MD5
2089c0181de9f69e4f3c0232b5b945cb

SHA1
d84bc09365415ba9aeb91c0c8207783ff6078aad

SHA256
94bed5ec8498dab4af3526c401b09248b51c736e47b76d2d72689bb7f5799c15

SHA512
a8d44389d094dc8e7fd38dc42e1ad0d236ac213655bade63943ad67b06fb32d3a6290c202502152e8062530777fceb1dc3694576f5894123c3b20ca5a8301f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0009596.exe

Filesize
549KB

MD5
2089c0181de9f69e4f3c0232b5b945cb

SHA1
d84bc09365415ba9aeb91c0c8207783ff6078aad

SHA256
94bed5ec8498dab4af3526c401b09248b51c736e47b76d2d72689bb7f5799c15

SHA512
a8d44389d094dc8e7fd38dc42e1ad0d236ac213655bade63943ad67b06fb32d3a6290c202502152e8062530777fceb1dc3694576f5894123c3b20ca5a8301f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1214083.exe

Filesize
208KB

MD5
d7c26f14907b15ac1fa46645747b9ab5

SHA1
f9a45a7e6cab9af4aa1e64192cbd0a0981594ca3

SHA256
5fe3bb0684f8a8ae9e12acd155753062e2e5c6bace3f6b37d3ddc8eaf3851777

SHA512
930eff081c073b53371002841089ef4af91395510f47a69fd0ae59f5f473c0cad7732fdbe5c9db4151cc56bcb03bf541cc43e998c67b7106c4dc518f544d3ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1214083.exe

Filesize
208KB

MD5
d7c26f14907b15ac1fa46645747b9ab5

SHA1
f9a45a7e6cab9af4aa1e64192cbd0a0981594ca3

SHA256
5fe3bb0684f8a8ae9e12acd155753062e2e5c6bace3f6b37d3ddc8eaf3851777

SHA512
930eff081c073b53371002841089ef4af91395510f47a69fd0ae59f5f473c0cad7732fdbe5c9db4151cc56bcb03bf541cc43e998c67b7106c4dc518f544d3ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1681870.exe

Filesize
377KB

MD5
c39ebc499c8b917a13be4f5ca9239e47

SHA1
a6b370ad28107dbf3c143fd4d3e6071b7b89ae42

SHA256
47e000ff6472e40b8b95a77599f2ad2ce35feeef90f42e05edd1a2501c1146c2

SHA512
532f9e67f5947cfbb2c240f11af391ef08ffe84fc2e04c274f31d2a6b36501cf6a93e811e95be975c06105429af1b06a39d83ae7222d61ce8d801b39920f54f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1681870.exe

Filesize
377KB

MD5
c39ebc499c8b917a13be4f5ca9239e47

SHA1
a6b370ad28107dbf3c143fd4d3e6071b7b89ae42

SHA256
47e000ff6472e40b8b95a77599f2ad2ce35feeef90f42e05edd1a2501c1146c2

SHA512
532f9e67f5947cfbb2c240f11af391ef08ffe84fc2e04c274f31d2a6b36501cf6a93e811e95be975c06105429af1b06a39d83ae7222d61ce8d801b39920f54f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8768150.exe

Filesize
172KB

MD5
f2bd9558f16da83afbcfeca3f1b46c62

SHA1
9267e27303ade6b36de98bcdaa7f451cf716baaf

SHA256
147b97cddd8866e3f5060b2eb0df420fa07e52ed87a4c166a3519643d3d30f70

SHA512
9464d904c94d32304d8b8e82c45a371e91da1478e03cae827dcb0a3fce7927a36c2e56cf75e7fb60c80615300a6e1ab58959d379a6b4cf711eca9913e483caca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8768150.exe

Filesize
172KB

MD5
f2bd9558f16da83afbcfeca3f1b46c62

SHA1
9267e27303ade6b36de98bcdaa7f451cf716baaf

SHA256
147b97cddd8866e3f5060b2eb0df420fa07e52ed87a4c166a3519643d3d30f70

SHA512
9464d904c94d32304d8b8e82c45a371e91da1478e03cae827dcb0a3fce7927a36c2e56cf75e7fb60c80615300a6e1ab58959d379a6b4cf711eca9913e483caca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3852378.exe

Filesize
221KB

MD5
112ae8674dc686731a4a597848b487ec

SHA1
ddd856b93b706c1139483fd82bdc81bb5337af83

SHA256
ec0819d7ffaebd9173389d97daa9630b60e6e6308193b93b69484799bb3f7a52

SHA512
3fa1eb57c92b909bd55727992263245eeb7a1e5583aa4e50c08f7dac42e1fbdabcf64600f2f27eace028db8a38469f92df1b678add68714c32498e0737b2b08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3852378.exe

Filesize
221KB

MD5
112ae8674dc686731a4a597848b487ec

SHA1
ddd856b93b706c1139483fd82bdc81bb5337af83

SHA256
ec0819d7ffaebd9173389d97daa9630b60e6e6308193b93b69484799bb3f7a52

SHA512
3fa1eb57c92b909bd55727992263245eeb7a1e5583aa4e50c08f7dac42e1fbdabcf64600f2f27eace028db8a38469f92df1b678add68714c32498e0737b2b08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8798350.exe

Filesize
13KB

MD5
0814c4c70e9e4c0be822cd95dc97edb0

SHA1
6ff89cf1c45ac46d590e0a4543dfed7c80eb6713

SHA256
e6045494dc738672ec0b3ed3bbfeba688d393ee12e1546b0bf7e079da32b7d34

SHA512
b162bf67d8ab27401bdc65d093473bb833aebc78e22cd5505bd0e49542cd69789ce7897bd8ad1bee26198428abfbf2190302df44f73faf6e60ba070da7c581ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8798350.exe

Filesize
13KB

MD5
0814c4c70e9e4c0be822cd95dc97edb0

SHA1
6ff89cf1c45ac46d590e0a4543dfed7c80eb6713

SHA256
e6045494dc738672ec0b3ed3bbfeba688d393ee12e1546b0bf7e079da32b7d34

SHA512
b162bf67d8ab27401bdc65d093473bb833aebc78e22cd5505bd0e49542cd69789ce7897bd8ad1bee26198428abfbf2190302df44f73faf6e60ba070da7c581ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3387486.exe

Filesize
148KB

MD5
93def88a0928ed438e4a267950b35ffa

SHA1
3b9aa08f5f631080ad447b67851efa505b8d21d5

SHA256
c4ef3973bd23fbd491168709fb10dd5ba6dae8bc3746759b771ff7fab95e191f

SHA512
18ef98f055bc477793a719d15f62e50fab142e8454e85afcf2bc6946c339ca22e762dcb3b64be4c6fac91a757252b1c36080de1df67635d67b1fee40c9a3da94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3387486.exe

Filesize
148KB

MD5
93def88a0928ed438e4a267950b35ffa

SHA1
3b9aa08f5f631080ad447b67851efa505b8d21d5

SHA256
c4ef3973bd23fbd491168709fb10dd5ba6dae8bc3746759b771ff7fab95e191f

SHA512
18ef98f055bc477793a719d15f62e50fab142e8454e85afcf2bc6946c339ca22e762dcb3b64be4c6fac91a757252b1c36080de1df67635d67b1fee40c9a3da94

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
d7c26f14907b15ac1fa46645747b9ab5

SHA1
f9a45a7e6cab9af4aa1e64192cbd0a0981594ca3

SHA256
5fe3bb0684f8a8ae9e12acd155753062e2e5c6bace3f6b37d3ddc8eaf3851777

SHA512
930eff081c073b53371002841089ef4af91395510f47a69fd0ae59f5f473c0cad7732fdbe5c9db4151cc56bcb03bf541cc43e998c67b7106c4dc518f544d3ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
d7c26f14907b15ac1fa46645747b9ab5

SHA1
f9a45a7e6cab9af4aa1e64192cbd0a0981594ca3

SHA256
5fe3bb0684f8a8ae9e12acd155753062e2e5c6bace3f6b37d3ddc8eaf3851777

SHA512
930eff081c073b53371002841089ef4af91395510f47a69fd0ae59f5f473c0cad7732fdbe5c9db4151cc56bcb03bf541cc43e998c67b7106c4dc518f544d3ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
d7c26f14907b15ac1fa46645747b9ab5

SHA1
f9a45a7e6cab9af4aa1e64192cbd0a0981594ca3

SHA256
5fe3bb0684f8a8ae9e12acd155753062e2e5c6bace3f6b37d3ddc8eaf3851777

SHA512
930eff081c073b53371002841089ef4af91395510f47a69fd0ae59f5f473c0cad7732fdbe5c9db4151cc56bcb03bf541cc43e998c67b7106c4dc518f544d3ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
d7c26f14907b15ac1fa46645747b9ab5

SHA1
f9a45a7e6cab9af4aa1e64192cbd0a0981594ca3

SHA256
5fe3bb0684f8a8ae9e12acd155753062e2e5c6bace3f6b37d3ddc8eaf3851777

SHA512
930eff081c073b53371002841089ef4af91395510f47a69fd0ae59f5f473c0cad7732fdbe5c9db4151cc56bcb03bf541cc43e998c67b7106c4dc518f544d3ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
d7c26f14907b15ac1fa46645747b9ab5

SHA1
f9a45a7e6cab9af4aa1e64192cbd0a0981594ca3

SHA256
5fe3bb0684f8a8ae9e12acd155753062e2e5c6bace3f6b37d3ddc8eaf3851777

SHA512
930eff081c073b53371002841089ef4af91395510f47a69fd0ae59f5f473c0cad7732fdbe5c9db4151cc56bcb03bf541cc43e998c67b7106c4dc518f544d3ebd

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/2964-183-0x000000000B610000-0x000000000BBB4000-memory.dmp

Filesize
5.6MB

Download
memory/2964-176-0x000000000A5A0000-0x000000000A6AA000-memory.dmp

Filesize
1.0MB

Download
memory/2964-187-0x000000000BE90000-0x000000000C052000-memory.dmp

Filesize
1.8MB

Download
memory/2964-186-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/2964-185-0x000000000B590000-0x000000000B5E0000-memory.dmp

Filesize
320KB

Download
memory/2964-184-0x000000000B160000-0x000000000B1C6000-memory.dmp

Filesize
408KB

Download
memory/2964-182-0x000000000A970000-0x000000000AA02000-memory.dmp

Filesize
584KB

Download
memory/2964-181-0x000000000A850000-0x000000000A8C6000-memory.dmp

Filesize
472KB

Download
memory/2964-179-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/2964-174-0x0000000000620000-0x0000000000650000-memory.dmp

Filesize
192KB

Download
memory/2964-178-0x000000000A540000-0x000000000A57C000-memory.dmp

Filesize
240KB

Download
memory/2964-175-0x000000000AA40000-0x000000000B058000-memory.dmp

Filesize
6.1MB

Download
memory/2964-177-0x000000000A4E0000-0x000000000A4F2000-memory.dmp

Filesize
72KB

Download
memory/2964-188-0x000000000C590000-0x000000000CABC000-memory.dmp

Filesize
5.2MB

Download
memory/3800-161-0x0000000000D40000-0x0000000000D4A000-memory.dmp

Filesize
40KB

Download
memory/3960-212-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/3960-206-0x0000000000530000-0x0000000000560000-memory.dmp

Filesize
192KB

Download
memory/4768-166-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download