redline | 114f7836981d62ed0ca801e49c7d7aa0ba621cda4165ee6e7196bbaaebe88f67

Analysis

max time kernel
134s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

114f7836981d62ed0ca801e49c7d7aa0ba621cda4165ee6e7196bbaaebe88f67.exe
Size

773KB
MD5

24a0c8eb7bf3d532ee6e094c805d6dd8
SHA1

d9b83a526fef2b73a33f982d5823a7a136a567c4
SHA256

114f7836981d62ed0ca801e49c7d7aa0ba621cda4165ee6e7196bbaaebe88f67
SHA512

402d50321fd2ff128a1b5b42b730f059e6b58b57578f75bcb2048502d32a5ce385b9e9e9d19375c6364168faa1493b31754f75092327f4a0c4dffcc1ce99939e
SSDEEP

12288:SMrzy90trOlWfwAKWnircFmi/Om7b0smJacaTuBh5JZx2LpiO:RyAfwAKWIcmiWk+oc3B3XVO

Score

10^/10

redline maxi sheron discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.129:19068

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exea4416052.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a4416052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4416052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4416052.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4416052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4416052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4416052.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lamod.exed0719926.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	lamod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	d0719926.exe

Executes dropped EXE 11 IoCs

Processes:

v3093493.exev9520088.exev2929283.exea4416052.exeb2444773.exec2476663.exed0719926.exelamod.exee0816375.exelamod.exelamod.exe

pid	process
4764	v3093493.exe
564	v9520088.exe
4396	v2929283.exe
3540	a4416052.exe
3976	b2444773.exe
352	c2476663.exe
2288	d0719926.exe
456	lamod.exe
4928	e0816375.exe
776	lamod.exe
4208	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3304 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a4416052.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a4416052.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3304	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4416052.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v2929283.exe114f7836981d62ed0ca801e49c7d7aa0ba621cda4165ee6e7196bbaaebe88f67.exev3093493.exev9520088.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2929283.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2929283.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	114f7836981d62ed0ca801e49c7d7aa0ba621cda4165ee6e7196bbaaebe88f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	114f7836981d62ed0ca801e49c7d7aa0ba621cda4165ee6e7196bbaaebe88f67.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3093493.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3093493.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9520088.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9520088.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

b2444773.exee0816375.exe

description	pid	process	target process
PID 3976 set thread context of 4356	3976	b2444773.exe	AppLaunch.exe
PID 4928 set thread context of 3500	4928	e0816375.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4344 3976 WerFault.exe b2444773.exe
4480 4928 WerFault.exe e0816375.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

452 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a4416052.exeAppLaunch.exec2476663.exeAppLaunch.exe

pid process

3540 a4416052.exe
3540 a4416052.exe
4356 AppLaunch.exe
4356 AppLaunch.exe
352 c2476663.exe
352 c2476663.exe
3500 AppLaunch.exe
3500 AppLaunch.exe

pid	pid_target	process	target process
4344	3976	WerFault.exe	b2444773.exe
4480	4928	WerFault.exe	e0816375.exe

pid	process
452	schtasks.exe

pid	process
3540	a4416052.exe
3540	a4416052.exe
4356	AppLaunch.exe
4356	AppLaunch.exe
352	c2476663.exe
352	c2476663.exe
3500	AppLaunch.exe
3500	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a4416052.exeAppLaunch.exec2476663.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	3540	a4416052.exe
Token: SeDebugPrivilege	4356	AppLaunch.exe
Token: SeDebugPrivilege	352	c2476663.exe
Token: SeDebugPrivilege	3500	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d0719926.exe

pid process

2288 d0719926.exe

pid	process
2288	d0719926.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

114f7836981d62ed0ca801e49c7d7aa0ba621cda4165ee6e7196bbaaebe88f67.exev3093493.exev9520088.exev2929283.exeb2444773.exed0719926.exelamod.execmd.exee0816375.exe

description	pid	process	target process
PID 3756 wrote to memory of 4764	3756	114f7836981d62ed0ca801e49c7d7aa0ba621cda4165ee6e7196bbaaebe88f67.exe	v3093493.exe
PID 3756 wrote to memory of 4764	3756	114f7836981d62ed0ca801e49c7d7aa0ba621cda4165ee6e7196bbaaebe88f67.exe	v3093493.exe
PID 3756 wrote to memory of 4764	3756	114f7836981d62ed0ca801e49c7d7aa0ba621cda4165ee6e7196bbaaebe88f67.exe	v3093493.exe
PID 4764 wrote to memory of 564	4764	v3093493.exe	v9520088.exe
PID 4764 wrote to memory of 564	4764	v3093493.exe	v9520088.exe
PID 4764 wrote to memory of 564	4764	v3093493.exe	v9520088.exe
PID 564 wrote to memory of 4396	564	v9520088.exe	v2929283.exe
PID 564 wrote to memory of 4396	564	v9520088.exe	v2929283.exe
PID 564 wrote to memory of 4396	564	v9520088.exe	v2929283.exe
PID 4396 wrote to memory of 3540	4396	v2929283.exe	a4416052.exe
PID 4396 wrote to memory of 3540	4396	v2929283.exe	a4416052.exe
PID 4396 wrote to memory of 3976	4396	v2929283.exe	b2444773.exe
PID 4396 wrote to memory of 3976	4396	v2929283.exe	b2444773.exe
PID 4396 wrote to memory of 3976	4396	v2929283.exe	b2444773.exe
PID 3976 wrote to memory of 4356	3976	b2444773.exe	AppLaunch.exe
PID 3976 wrote to memory of 4356	3976	b2444773.exe	AppLaunch.exe
PID 3976 wrote to memory of 4356	3976	b2444773.exe	AppLaunch.exe
PID 3976 wrote to memory of 4356	3976	b2444773.exe	AppLaunch.exe
PID 3976 wrote to memory of 4356	3976	b2444773.exe	AppLaunch.exe
PID 564 wrote to memory of 352	564	v9520088.exe	c2476663.exe
PID 564 wrote to memory of 352	564	v9520088.exe	c2476663.exe
PID 564 wrote to memory of 352	564	v9520088.exe	c2476663.exe
PID 4764 wrote to memory of 2288	4764	v3093493.exe	d0719926.exe
PID 4764 wrote to memory of 2288	4764	v3093493.exe	d0719926.exe
PID 4764 wrote to memory of 2288	4764	v3093493.exe	d0719926.exe
PID 2288 wrote to memory of 456	2288	d0719926.exe	lamod.exe
PID 2288 wrote to memory of 456	2288	d0719926.exe	lamod.exe
PID 2288 wrote to memory of 456	2288	d0719926.exe	lamod.exe
PID 3756 wrote to memory of 4928	3756	114f7836981d62ed0ca801e49c7d7aa0ba621cda4165ee6e7196bbaaebe88f67.exe	e0816375.exe
PID 3756 wrote to memory of 4928	3756	114f7836981d62ed0ca801e49c7d7aa0ba621cda4165ee6e7196bbaaebe88f67.exe	e0816375.exe
PID 3756 wrote to memory of 4928	3756	114f7836981d62ed0ca801e49c7d7aa0ba621cda4165ee6e7196bbaaebe88f67.exe	e0816375.exe
PID 456 wrote to memory of 452	456	lamod.exe	schtasks.exe
PID 456 wrote to memory of 452	456	lamod.exe	schtasks.exe
PID 456 wrote to memory of 452	456	lamod.exe	schtasks.exe
PID 456 wrote to memory of 400	456	lamod.exe	cmd.exe
PID 456 wrote to memory of 400	456	lamod.exe	cmd.exe
PID 456 wrote to memory of 400	456	lamod.exe	cmd.exe
PID 400 wrote to memory of 4576	400	cmd.exe	cmd.exe
PID 400 wrote to memory of 4576	400	cmd.exe	cmd.exe
PID 400 wrote to memory of 4576	400	cmd.exe	cmd.exe
PID 4928 wrote to memory of 3500	4928	e0816375.exe	AppLaunch.exe
PID 4928 wrote to memory of 3500	4928	e0816375.exe	AppLaunch.exe
PID 4928 wrote to memory of 3500	4928	e0816375.exe	AppLaunch.exe
PID 4928 wrote to memory of 3500	4928	e0816375.exe	AppLaunch.exe
PID 400 wrote to memory of 2524	400	cmd.exe	cacls.exe
PID 400 wrote to memory of 2524	400	cmd.exe	cacls.exe
PID 400 wrote to memory of 2524	400	cmd.exe	cacls.exe
PID 4928 wrote to memory of 3500	4928	e0816375.exe	AppLaunch.exe
PID 400 wrote to memory of 4556	400	cmd.exe	cacls.exe
PID 400 wrote to memory of 4556	400	cmd.exe	cacls.exe
PID 400 wrote to memory of 4556	400	cmd.exe	cacls.exe
PID 400 wrote to memory of 4956	400	cmd.exe	cmd.exe
PID 400 wrote to memory of 4956	400	cmd.exe	cmd.exe
PID 400 wrote to memory of 4956	400	cmd.exe	cmd.exe
PID 400 wrote to memory of 1776	400	cmd.exe	cacls.exe
PID 400 wrote to memory of 1776	400	cmd.exe	cacls.exe
PID 400 wrote to memory of 1776	400	cmd.exe	cacls.exe
PID 400 wrote to memory of 4748	400	cmd.exe	cacls.exe
PID 400 wrote to memory of 4748	400	cmd.exe	cacls.exe
PID 400 wrote to memory of 4748	400	cmd.exe	cacls.exe
PID 456 wrote to memory of 3304	456	lamod.exe	rundll32.exe
PID 456 wrote to memory of 3304	456	lamod.exe	rundll32.exe
PID 456 wrote to memory of 3304	456	lamod.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\114f7836981d62ed0ca801e49c7d7aa0ba621cda4165ee6e7196bbaaebe88f67.exe
"C:\Users\Admin\AppData\Local\Temp\114f7836981d62ed0ca801e49c7d7aa0ba621cda4165ee6e7196bbaaebe88f67.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3756

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3093493.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3093493.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9520088.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9520088.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:564

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2929283.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2929283.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4396

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4416052.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4416052.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2444773.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2444773.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 148
6⤵
- Program crash
PID:4344

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2476663.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2476663.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:352

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0719926.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0719926.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2288

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
5⤵
- Creates scheduled task(s)
PID:452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4576

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
6⤵
PID:2524

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
6⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4956

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:1776

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:4748

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:3304

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0816375.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0816375.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 152
3⤵
- Program crash
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3976 -ip 3976
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4928 -ip 4928
1⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:776

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:4208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0816375.exe
Filesize
309KB

MD5
04832679585dfe0766ebf017cd3c5f19

SHA1
f74a4fbc9e0ab4707839e34c0597ca9766e5b18b

SHA256
e07e606fb7230a1a736d55357924477ca42564388d4a3f89418191e9d64a835e

SHA512
8a58e51bb9a09a5a9e7097cb881aebd9c8010b75bf0478187f7d3676e9fee84102480d8a6f8a812d5ced7d8759aa741bc5c72bc1679a6178e7ac5f24c5d58c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0816375.exe
Filesize
309KB

MD5
04832679585dfe0766ebf017cd3c5f19

SHA1
f74a4fbc9e0ab4707839e34c0597ca9766e5b18b

SHA256
e07e606fb7230a1a736d55357924477ca42564388d4a3f89418191e9d64a835e

SHA512
8a58e51bb9a09a5a9e7097cb881aebd9c8010b75bf0478187f7d3676e9fee84102480d8a6f8a812d5ced7d8759aa741bc5c72bc1679a6178e7ac5f24c5d58c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3093493.exe
Filesize
549KB

MD5
0364eb90451269059863ab7ffb9c85f0

SHA1
fe007ce5bb5f93504cc66cf64cfdf69267ce890d

SHA256
cb49c31c81352b0667284cffb58d33ba5a1209c8604855f8523f11235c26ee86

SHA512
f5f830f9900dc32b0e0034f7a616fb16b948bf1dd78e5e8b51d148a8961ea72851edb49f29f34f4bf3aafe452a03d83800685dd69dcfca357c7b4ba536805a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3093493.exe
Filesize
549KB

MD5
0364eb90451269059863ab7ffb9c85f0

SHA1
fe007ce5bb5f93504cc66cf64cfdf69267ce890d

SHA256
cb49c31c81352b0667284cffb58d33ba5a1209c8604855f8523f11235c26ee86

SHA512
f5f830f9900dc32b0e0034f7a616fb16b948bf1dd78e5e8b51d148a8961ea72851edb49f29f34f4bf3aafe452a03d83800685dd69dcfca357c7b4ba536805a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0719926.exe
Filesize
208KB

MD5
799ce99846753685ba80bd1d0cbaa0ef

SHA1
554ab9093a90bdebb8a545ef6cb33003e8425559

SHA256
a35fe68875991eb443935484ab5596658dcf9ba46367febf7ce385dde608cf1e

SHA512
b9f1fb437bbe3972db07bfaa3f48279cecdac8b76570053ad20c494ae2af5a18d0e4739c60838093c82b12a830a3a06d19e20afaed41fd2ade58a09c45881350

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0719926.exe
Filesize
208KB

MD5
799ce99846753685ba80bd1d0cbaa0ef

SHA1
554ab9093a90bdebb8a545ef6cb33003e8425559

SHA256
a35fe68875991eb443935484ab5596658dcf9ba46367febf7ce385dde608cf1e

SHA512
b9f1fb437bbe3972db07bfaa3f48279cecdac8b76570053ad20c494ae2af5a18d0e4739c60838093c82b12a830a3a06d19e20afaed41fd2ade58a09c45881350

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9520088.exe
Filesize
377KB

MD5
8161097c190253157cf0168d400c5839

SHA1
78c8ec0eefb241396cde9e8ed7502e8a45b4eebc

SHA256
81cb848c8b63226760afdb31bc6a3648025e8cd41fa77d271bfc3cc60262ea32

SHA512
acbdc55a0e56e12c72192864da7f3faecf90bfdbde5ee4ddeee3136ec426957bd33c1c4177631b4d00d1bc7fdf9ea91c6f448c94f0a3584231aed9fd8ce83c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9520088.exe
Filesize
377KB

MD5
8161097c190253157cf0168d400c5839

SHA1
78c8ec0eefb241396cde9e8ed7502e8a45b4eebc

SHA256
81cb848c8b63226760afdb31bc6a3648025e8cd41fa77d271bfc3cc60262ea32

SHA512
acbdc55a0e56e12c72192864da7f3faecf90bfdbde5ee4ddeee3136ec426957bd33c1c4177631b4d00d1bc7fdf9ea91c6f448c94f0a3584231aed9fd8ce83c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2476663.exe
Filesize
172KB

MD5
d36bc126cd2cce75b3d06baecd1c1a9d

SHA1
94007b156bfc6e99de8d8c1d0bb2a660a9c8cef2

SHA256
cc144b8dcf51958b9d819f0bb75d0bfaaed0b2d8b1e1719ffc302ba0493008b4

SHA512
0140d2a6da9ba60041698efe2e7d88521ed021125313136ec853f5c17667f9f0114ceb5c5c9059eaca1685b49291a9806727e2d83df20a61b9063113a4cfb0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2476663.exe
Filesize
172KB

MD5
d36bc126cd2cce75b3d06baecd1c1a9d

SHA1
94007b156bfc6e99de8d8c1d0bb2a660a9c8cef2

SHA256
cc144b8dcf51958b9d819f0bb75d0bfaaed0b2d8b1e1719ffc302ba0493008b4

SHA512
0140d2a6da9ba60041698efe2e7d88521ed021125313136ec853f5c17667f9f0114ceb5c5c9059eaca1685b49291a9806727e2d83df20a61b9063113a4cfb0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2929283.exe
Filesize
221KB

MD5
3eca1d40c61a86e1adfabe5591e4697d

SHA1
179d3c1f45e4b8f2431067ace703205b2ace9145

SHA256
9a0668f23df21fad4f8e3a2312c2fefde61d0cc3597b97187b6f3a4c99774f8d

SHA512
8cd2434854b4a403a50366e797d378423e313b7825d8516fa043425d39b998bd2167b99d086cb5769a48964ae4e0b803ce028541bace0c7d13523d678137eaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2929283.exe
Filesize
221KB

MD5
3eca1d40c61a86e1adfabe5591e4697d

SHA1
179d3c1f45e4b8f2431067ace703205b2ace9145

SHA256
9a0668f23df21fad4f8e3a2312c2fefde61d0cc3597b97187b6f3a4c99774f8d

SHA512
8cd2434854b4a403a50366e797d378423e313b7825d8516fa043425d39b998bd2167b99d086cb5769a48964ae4e0b803ce028541bace0c7d13523d678137eaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4416052.exe
Filesize
13KB

MD5
117b522813325827220eca049e8effe9

SHA1
00e83203c088c959b880e7d8f2754f76c061b49b

SHA256
d320508e68c7f498bf22eea2df614d6a51d721c3481ba8587f4473e2969c8a41

SHA512
898e5669def8cf12151ca3ef46fd23ae920620dc39caa3c319526a4f8a3d7516f16e42841f5c33d7b305d58e6cd4fac3e3b6b9950342259bf0ca31a15ff9a875

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4416052.exe
Filesize
13KB

MD5
117b522813325827220eca049e8effe9

SHA1
00e83203c088c959b880e7d8f2754f76c061b49b

SHA256
d320508e68c7f498bf22eea2df614d6a51d721c3481ba8587f4473e2969c8a41

SHA512
898e5669def8cf12151ca3ef46fd23ae920620dc39caa3c319526a4f8a3d7516f16e42841f5c33d7b305d58e6cd4fac3e3b6b9950342259bf0ca31a15ff9a875

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2444773.exe
Filesize
148KB

MD5
c7c859b4c882f10ae9e2ca61fc2f8f19

SHA1
7e7c39e27db1c199f0ca42909b42781715b23c73

SHA256
08af151123018919e572de824dd9de6ceeac18414d08f30f1ccf8f78a5878988

SHA512
14909af4d5a883525d60721577d52f85a3f28f933cc8f98cdc08c0fad3bbe3533fa170d3c286144c7c845ee52f6e88f477abc7be8cec9997467ddf594dc6f7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2444773.exe
Filesize
148KB

MD5
c7c859b4c882f10ae9e2ca61fc2f8f19

SHA1
7e7c39e27db1c199f0ca42909b42781715b23c73

SHA256
08af151123018919e572de824dd9de6ceeac18414d08f30f1ccf8f78a5878988

SHA512
14909af4d5a883525d60721577d52f85a3f28f933cc8f98cdc08c0fad3bbe3533fa170d3c286144c7c845ee52f6e88f477abc7be8cec9997467ddf594dc6f7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
799ce99846753685ba80bd1d0cbaa0ef

SHA1
554ab9093a90bdebb8a545ef6cb33003e8425559

SHA256
a35fe68875991eb443935484ab5596658dcf9ba46367febf7ce385dde608cf1e

SHA512
b9f1fb437bbe3972db07bfaa3f48279cecdac8b76570053ad20c494ae2af5a18d0e4739c60838093c82b12a830a3a06d19e20afaed41fd2ade58a09c45881350

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
799ce99846753685ba80bd1d0cbaa0ef

SHA1
554ab9093a90bdebb8a545ef6cb33003e8425559

SHA256
a35fe68875991eb443935484ab5596658dcf9ba46367febf7ce385dde608cf1e

SHA512
b9f1fb437bbe3972db07bfaa3f48279cecdac8b76570053ad20c494ae2af5a18d0e4739c60838093c82b12a830a3a06d19e20afaed41fd2ade58a09c45881350

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
799ce99846753685ba80bd1d0cbaa0ef

SHA1
554ab9093a90bdebb8a545ef6cb33003e8425559

SHA256
a35fe68875991eb443935484ab5596658dcf9ba46367febf7ce385dde608cf1e

SHA512
b9f1fb437bbe3972db07bfaa3f48279cecdac8b76570053ad20c494ae2af5a18d0e4739c60838093c82b12a830a3a06d19e20afaed41fd2ade58a09c45881350

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
799ce99846753685ba80bd1d0cbaa0ef

SHA1
554ab9093a90bdebb8a545ef6cb33003e8425559

SHA256
a35fe68875991eb443935484ab5596658dcf9ba46367febf7ce385dde608cf1e

SHA512
b9f1fb437bbe3972db07bfaa3f48279cecdac8b76570053ad20c494ae2af5a18d0e4739c60838093c82b12a830a3a06d19e20afaed41fd2ade58a09c45881350

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
799ce99846753685ba80bd1d0cbaa0ef

SHA1
554ab9093a90bdebb8a545ef6cb33003e8425559

SHA256
a35fe68875991eb443935484ab5596658dcf9ba46367febf7ce385dde608cf1e

SHA512
b9f1fb437bbe3972db07bfaa3f48279cecdac8b76570053ad20c494ae2af5a18d0e4739c60838093c82b12a830a3a06d19e20afaed41fd2ade58a09c45881350

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/352-182-0x000000000AC30000-0x000000000AC96000-memory.dmp

Filesize
408KB

Download
memory/352-176-0x000000000A900000-0x000000000AA0A000-memory.dmp

Filesize
1.0MB

Download
memory/352-187-0x000000000BCE0000-0x000000000BD30000-memory.dmp

Filesize
320KB

Download
memory/352-185-0x000000000C8B0000-0x000000000CDDC000-memory.dmp

Filesize
5.2MB

Download
memory/352-184-0x000000000BB10000-0x000000000BCD2000-memory.dmp

Filesize
1.8MB

Download
memory/352-183-0x000000000BDD0000-0x000000000C374000-memory.dmp

Filesize
5.6MB

Download
memory/352-181-0x000000000ACD0000-0x000000000AD62000-memory.dmp

Filesize
584KB

Download
memory/352-180-0x000000000ABB0000-0x000000000AC26000-memory.dmp

Filesize
472KB

Download
memory/352-179-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/352-174-0x0000000000980000-0x00000000009B0000-memory.dmp

Filesize
192KB

Download
memory/352-178-0x000000000A8A0000-0x000000000A8DC000-memory.dmp

Filesize
240KB

Download
memory/352-175-0x000000000AE00000-0x000000000B418000-memory.dmp

Filesize
6.1MB

Download
memory/352-177-0x000000000A840000-0x000000000A852000-memory.dmp

Filesize
72KB

Download
memory/352-188-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/3500-212-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/3500-206-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3540-161-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/4356-166-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download