redline | 37d40362893c9abf372b461ae44727fa0ea07ffe4a75c7d1f821fb94b606bd31

Analysis

max time kernel
143s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37d40362893c9abf372b461ae44727fa0ea07ffe4a75c7d1f821fb94b606bd31.exe
Size

773KB
MD5

c47186886ccb5ca615d8a3dc2af5dfd8
SHA1

5a9dfc67a8bec995032b176a3096413890a47e8b
SHA256

37d40362893c9abf372b461ae44727fa0ea07ffe4a75c7d1f821fb94b606bd31
SHA512

a1915852db39892daa8e1158efb2259e0fa4723c4c7578ecd9bb44b5350cf7a8d770f8145e2d19d08d9f4a62dfb46a01211c188b43e00e1ca8b4ef95fb8ce01f
SSDEEP

12288:YMrdy90kIcPeRlzwWKTQET2IygxeWUB8ETmTmwMUASy4+dLtHzGrAuxNAmk:VywcmnFKNyIygY8AlUcdLwFLk

Score

10^/10

redline maxi sheron discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.129:19068

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exea8310924.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8310924.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8310924.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8310924.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8310924.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a8310924.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8310924.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d0187185.exelamod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	d0187185.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	lamod.exe

Executes dropped EXE 11 IoCs

Processes:

v8901688.exev4856159.exev2777376.exea8310924.exeb4022821.exec7205302.exed0187185.exelamod.exee9061423.exelamod.exelamod.exe

pid	process
4996	v8901688.exe
2752	v4856159.exe
2172	v2777376.exe
1664	a8310924.exe
4536	b4022821.exe
4192	c7205302.exe
2488	d0187185.exe
1440	lamod.exe
548	e9061423.exe
4792	lamod.exe
3136	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3080 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a8310924.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a8310924.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3080	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8310924.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v8901688.exev4856159.exev2777376.exe37d40362893c9abf372b461ae44727fa0ea07ffe4a75c7d1f821fb94b606bd31.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8901688.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4856159.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4856159.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2777376.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2777376.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	37d40362893c9abf372b461ae44727fa0ea07ffe4a75c7d1f821fb94b606bd31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	37d40362893c9abf372b461ae44727fa0ea07ffe4a75c7d1f821fb94b606bd31.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8901688.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

b4022821.exee9061423.exe

description	pid	process	target process
PID 4536 set thread context of 1860	4536	b4022821.exe	AppLaunch.exe
PID 548 set thread context of 2256	548	e9061423.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1844 4536 WerFault.exe b4022821.exe
2480 548 WerFault.exe e9061423.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

948 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a8310924.exeAppLaunch.exec7205302.exeAppLaunch.exe

pid process

1664 a8310924.exe
1664 a8310924.exe
1860 AppLaunch.exe
1860 AppLaunch.exe
4192 c7205302.exe
4192 c7205302.exe
2256 AppLaunch.exe
2256 AppLaunch.exe

pid	pid_target	process	target process
1844	4536	WerFault.exe	b4022821.exe
2480	548	WerFault.exe	e9061423.exe

pid	process
948	schtasks.exe

pid	process
1664	a8310924.exe
1664	a8310924.exe
1860	AppLaunch.exe
1860	AppLaunch.exe
4192	c7205302.exe
4192	c7205302.exe
2256	AppLaunch.exe
2256	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a8310924.exeAppLaunch.exec7205302.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1664	a8310924.exe
Token: SeDebugPrivilege	1860	AppLaunch.exe
Token: SeDebugPrivilege	4192	c7205302.exe
Token: SeDebugPrivilege	2256	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d0187185.exe

pid process

2488 d0187185.exe

pid	process
2488	d0187185.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

37d40362893c9abf372b461ae44727fa0ea07ffe4a75c7d1f821fb94b606bd31.exev8901688.exev4856159.exev2777376.exeb4022821.exed0187185.exelamod.execmd.exee9061423.exe

description	pid	process	target process
PID 2296 wrote to memory of 4996	2296	37d40362893c9abf372b461ae44727fa0ea07ffe4a75c7d1f821fb94b606bd31.exe	v8901688.exe
PID 2296 wrote to memory of 4996	2296	37d40362893c9abf372b461ae44727fa0ea07ffe4a75c7d1f821fb94b606bd31.exe	v8901688.exe
PID 2296 wrote to memory of 4996	2296	37d40362893c9abf372b461ae44727fa0ea07ffe4a75c7d1f821fb94b606bd31.exe	v8901688.exe
PID 4996 wrote to memory of 2752	4996	v8901688.exe	v4856159.exe
PID 4996 wrote to memory of 2752	4996	v8901688.exe	v4856159.exe
PID 4996 wrote to memory of 2752	4996	v8901688.exe	v4856159.exe
PID 2752 wrote to memory of 2172	2752	v4856159.exe	v2777376.exe
PID 2752 wrote to memory of 2172	2752	v4856159.exe	v2777376.exe
PID 2752 wrote to memory of 2172	2752	v4856159.exe	v2777376.exe
PID 2172 wrote to memory of 1664	2172	v2777376.exe	a8310924.exe
PID 2172 wrote to memory of 1664	2172	v2777376.exe	a8310924.exe
PID 2172 wrote to memory of 4536	2172	v2777376.exe	b4022821.exe
PID 2172 wrote to memory of 4536	2172	v2777376.exe	b4022821.exe
PID 2172 wrote to memory of 4536	2172	v2777376.exe	b4022821.exe
PID 4536 wrote to memory of 1860	4536	b4022821.exe	AppLaunch.exe
PID 4536 wrote to memory of 1860	4536	b4022821.exe	AppLaunch.exe
PID 4536 wrote to memory of 1860	4536	b4022821.exe	AppLaunch.exe
PID 4536 wrote to memory of 1860	4536	b4022821.exe	AppLaunch.exe
PID 4536 wrote to memory of 1860	4536	b4022821.exe	AppLaunch.exe
PID 2752 wrote to memory of 4192	2752	v4856159.exe	c7205302.exe
PID 2752 wrote to memory of 4192	2752	v4856159.exe	c7205302.exe
PID 2752 wrote to memory of 4192	2752	v4856159.exe	c7205302.exe
PID 4996 wrote to memory of 2488	4996	v8901688.exe	d0187185.exe
PID 4996 wrote to memory of 2488	4996	v8901688.exe	d0187185.exe
PID 4996 wrote to memory of 2488	4996	v8901688.exe	d0187185.exe
PID 2488 wrote to memory of 1440	2488	d0187185.exe	lamod.exe
PID 2488 wrote to memory of 1440	2488	d0187185.exe	lamod.exe
PID 2488 wrote to memory of 1440	2488	d0187185.exe	lamod.exe
PID 2296 wrote to memory of 548	2296	37d40362893c9abf372b461ae44727fa0ea07ffe4a75c7d1f821fb94b606bd31.exe	e9061423.exe
PID 2296 wrote to memory of 548	2296	37d40362893c9abf372b461ae44727fa0ea07ffe4a75c7d1f821fb94b606bd31.exe	e9061423.exe
PID 2296 wrote to memory of 548	2296	37d40362893c9abf372b461ae44727fa0ea07ffe4a75c7d1f821fb94b606bd31.exe	e9061423.exe
PID 1440 wrote to memory of 948	1440	lamod.exe	schtasks.exe
PID 1440 wrote to memory of 948	1440	lamod.exe	schtasks.exe
PID 1440 wrote to memory of 948	1440	lamod.exe	schtasks.exe
PID 1440 wrote to memory of 684	1440	lamod.exe	cmd.exe
PID 1440 wrote to memory of 684	1440	lamod.exe	cmd.exe
PID 1440 wrote to memory of 684	1440	lamod.exe	cmd.exe
PID 684 wrote to memory of 4984	684	cmd.exe	cmd.exe
PID 684 wrote to memory of 4984	684	cmd.exe	cmd.exe
PID 684 wrote to memory of 4984	684	cmd.exe	cmd.exe
PID 684 wrote to memory of 1956	684	cmd.exe	cacls.exe
PID 684 wrote to memory of 1956	684	cmd.exe	cacls.exe
PID 684 wrote to memory of 1956	684	cmd.exe	cacls.exe
PID 548 wrote to memory of 2256	548	e9061423.exe	AppLaunch.exe
PID 548 wrote to memory of 2256	548	e9061423.exe	AppLaunch.exe
PID 548 wrote to memory of 2256	548	e9061423.exe	AppLaunch.exe
PID 548 wrote to memory of 2256	548	e9061423.exe	AppLaunch.exe
PID 684 wrote to memory of 4344	684	cmd.exe	cacls.exe
PID 684 wrote to memory of 4344	684	cmd.exe	cacls.exe
PID 684 wrote to memory of 4344	684	cmd.exe	cacls.exe
PID 548 wrote to memory of 2256	548	e9061423.exe	AppLaunch.exe
PID 684 wrote to memory of 1192	684	cmd.exe	cmd.exe
PID 684 wrote to memory of 1192	684	cmd.exe	cmd.exe
PID 684 wrote to memory of 1192	684	cmd.exe	cmd.exe
PID 684 wrote to memory of 5020	684	cmd.exe	cacls.exe
PID 684 wrote to memory of 5020	684	cmd.exe	cacls.exe
PID 684 wrote to memory of 5020	684	cmd.exe	cacls.exe
PID 684 wrote to memory of 2872	684	cmd.exe	cacls.exe
PID 684 wrote to memory of 2872	684	cmd.exe	cacls.exe
PID 684 wrote to memory of 2872	684	cmd.exe	cacls.exe
PID 1440 wrote to memory of 3080	1440	lamod.exe	rundll32.exe
PID 1440 wrote to memory of 3080	1440	lamod.exe	rundll32.exe
PID 1440 wrote to memory of 3080	1440	lamod.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\37d40362893c9abf372b461ae44727fa0ea07ffe4a75c7d1f821fb94b606bd31.exe
"C:\Users\Admin\AppData\Local\Temp\37d40362893c9abf372b461ae44727fa0ea07ffe4a75c7d1f821fb94b606bd31.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2296

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8901688.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8901688.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4996

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4856159.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4856159.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2777376.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2777376.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2172

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8310924.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8310924.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4022821.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4022821.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 224
6⤵
- Program crash
PID:1844

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7205302.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7205302.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0187185.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0187185.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
5⤵
- Creates scheduled task(s)
PID:948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4984

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
6⤵
PID:1956

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
6⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1192

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:5020

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:2872

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:3080

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e9061423.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e9061423.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 156
3⤵
- Program crash
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4536 -ip 4536
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 548 -ip 548
1⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:4792

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:3136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e9061423.exe
Filesize
309KB

MD5
5a5c3b1462db7e5df8fb6ebdc7ee35ea

SHA1
f9b1031ecc4ff35201f853609b87fb505cc3147a

SHA256
f263d283173a0941307fa00a298d6aec04127585aec9be9c12600113756e7397

SHA512
8e3c28216ea2f079591ca14458a630b9c4fe62a08317cf56d07b4e2da8bf19c9692767272f549889e1d29a2eab9482cb974d3516ba08ff3617bc3eb00300d4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e9061423.exe
Filesize
309KB

MD5
5a5c3b1462db7e5df8fb6ebdc7ee35ea

SHA1
f9b1031ecc4ff35201f853609b87fb505cc3147a

SHA256
f263d283173a0941307fa00a298d6aec04127585aec9be9c12600113756e7397

SHA512
8e3c28216ea2f079591ca14458a630b9c4fe62a08317cf56d07b4e2da8bf19c9692767272f549889e1d29a2eab9482cb974d3516ba08ff3617bc3eb00300d4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8901688.exe
Filesize
549KB

MD5
c9db23442b9d130156f8c18f29390d05

SHA1
4a9983c8143a987b7c44e2efb273f7a964746d9c

SHA256
2dade6acecce703e7b26565757423a56a6e0c19e140606919ef5968cf0cf87ba

SHA512
91772bd1740f9be03ca4419b315d5c78704d0771262bda028543e99319ea93c14a2563046efcd65f8b63a74f5d75b34b1849574d1154a6f0d981d91c12a14c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8901688.exe
Filesize
549KB

MD5
c9db23442b9d130156f8c18f29390d05

SHA1
4a9983c8143a987b7c44e2efb273f7a964746d9c

SHA256
2dade6acecce703e7b26565757423a56a6e0c19e140606919ef5968cf0cf87ba

SHA512
91772bd1740f9be03ca4419b315d5c78704d0771262bda028543e99319ea93c14a2563046efcd65f8b63a74f5d75b34b1849574d1154a6f0d981d91c12a14c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0187185.exe
Filesize
208KB

MD5
285ce107a8d91d5ca71472e705f54390

SHA1
1ad3632e3cc6aea48b2bb3253965996ec88cf58a

SHA256
9e9712e3d5ea07715aa31a325d8c1eceeaf5de033658069eb04f7682c5f72434

SHA512
26aebf3269213b6158562a18c7bb1899487ce1ec9d1f563d4f300313ce3b48f7dc4585877038616246d296f8df3fc83d6984554f635dad610d26a09baed7dc6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0187185.exe
Filesize
208KB

MD5
285ce107a8d91d5ca71472e705f54390

SHA1
1ad3632e3cc6aea48b2bb3253965996ec88cf58a

SHA256
9e9712e3d5ea07715aa31a325d8c1eceeaf5de033658069eb04f7682c5f72434

SHA512
26aebf3269213b6158562a18c7bb1899487ce1ec9d1f563d4f300313ce3b48f7dc4585877038616246d296f8df3fc83d6984554f635dad610d26a09baed7dc6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4856159.exe
Filesize
377KB

MD5
727712ffa094f22122cd7acb2a38c96b

SHA1
acc0680c081b66a6f2d30b1802af9622ba54ecb8

SHA256
a5cb1ce5dcb1c66e4ad395b43926b4ddfaf0917aad186f4bce1c6899f71e2600

SHA512
a214734479dfd31de6d30263121a51ef32b8f9e74f38935a3c1a974e17ab9e5aa0f5e43007a49a4b2deb5eabd147ee2e932794f14031c27f5fd4abe8fb752b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4856159.exe
Filesize
377KB

MD5
727712ffa094f22122cd7acb2a38c96b

SHA1
acc0680c081b66a6f2d30b1802af9622ba54ecb8

SHA256
a5cb1ce5dcb1c66e4ad395b43926b4ddfaf0917aad186f4bce1c6899f71e2600

SHA512
a214734479dfd31de6d30263121a51ef32b8f9e74f38935a3c1a974e17ab9e5aa0f5e43007a49a4b2deb5eabd147ee2e932794f14031c27f5fd4abe8fb752b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7205302.exe
Filesize
172KB

MD5
238b9ca78841e84477227b63412b3a6b

SHA1
790821e2c260c9f8df4a06b410f2b5b22efd08c1

SHA256
5ab8e9678b4acd0531d88d4f866b554e90ff5b6861d293857d64b087fbaa55a8

SHA512
b2cc6ef2e1e783696cde4cbeb837b9a556f1d3b47c8ef7717646d7b6059b21d1c62890e0407d53b502f33fb7c486d08ac0735eb9c7bc747fe3dbec08fcf4139c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7205302.exe
Filesize
172KB

MD5
238b9ca78841e84477227b63412b3a6b

SHA1
790821e2c260c9f8df4a06b410f2b5b22efd08c1

SHA256
5ab8e9678b4acd0531d88d4f866b554e90ff5b6861d293857d64b087fbaa55a8

SHA512
b2cc6ef2e1e783696cde4cbeb837b9a556f1d3b47c8ef7717646d7b6059b21d1c62890e0407d53b502f33fb7c486d08ac0735eb9c7bc747fe3dbec08fcf4139c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2777376.exe
Filesize
221KB

MD5
f1660c938e57f859ca1efd3120863ca3

SHA1
7366f257442343d78ec8b6e8acf82d798abec3cb

SHA256
c94e0b1569ba942c3a83decd6a11a003bc755b2a5d3db98639bfe8ea6603f5da

SHA512
2e4221f50dd0daa080f13850244dfe2c894a8fb2045495a0111197a8cc833401962159e3951e8f5498228b1a9c9d0a41b9a5e5caf71f96a462977cf9e2d89989

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2777376.exe
Filesize
221KB

MD5
f1660c938e57f859ca1efd3120863ca3

SHA1
7366f257442343d78ec8b6e8acf82d798abec3cb

SHA256
c94e0b1569ba942c3a83decd6a11a003bc755b2a5d3db98639bfe8ea6603f5da

SHA512
2e4221f50dd0daa080f13850244dfe2c894a8fb2045495a0111197a8cc833401962159e3951e8f5498228b1a9c9d0a41b9a5e5caf71f96a462977cf9e2d89989

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8310924.exe
Filesize
14KB

MD5
fc2cf1ffd28cade3863098dbb6c6d718

SHA1
96f3ecfeddb67d50f46172b3110d3a5663a22248

SHA256
9e8d5ac76e662ba64af5cb764336d01d5b222d6f1a4bb47cb78cc9003617baaf

SHA512
0051644300e6051164e7f8e8366c14f29ee0464ae2709f3e45b3b130e5ec58fe6680b3f0dfcc10db45077abdb28bc7e449ae948ae78a89d9a1363204b2811acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8310924.exe
Filesize
14KB

MD5
fc2cf1ffd28cade3863098dbb6c6d718

SHA1
96f3ecfeddb67d50f46172b3110d3a5663a22248

SHA256
9e8d5ac76e662ba64af5cb764336d01d5b222d6f1a4bb47cb78cc9003617baaf

SHA512
0051644300e6051164e7f8e8366c14f29ee0464ae2709f3e45b3b130e5ec58fe6680b3f0dfcc10db45077abdb28bc7e449ae948ae78a89d9a1363204b2811acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4022821.exe
Filesize
148KB

MD5
0882176254dff7d328ee0f5411cddc11

SHA1
7b70fe56feef9bd922e46f0c388c9188b8299b17

SHA256
333f8ed98d7f58f05b315fadff1e17b629acdc046696d9fb14e6fd57f4e6a1e2

SHA512
caee4e6267f7686f05d985f753d43b70f30669a7b8be9cd23bb29bfe2a18cae75a66c21a05e39f54d6d0eb0385d34722eb99f05936c28dac1a0e2b92adccf79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4022821.exe
Filesize
148KB

MD5
0882176254dff7d328ee0f5411cddc11

SHA1
7b70fe56feef9bd922e46f0c388c9188b8299b17

SHA256
333f8ed98d7f58f05b315fadff1e17b629acdc046696d9fb14e6fd57f4e6a1e2

SHA512
caee4e6267f7686f05d985f753d43b70f30669a7b8be9cd23bb29bfe2a18cae75a66c21a05e39f54d6d0eb0385d34722eb99f05936c28dac1a0e2b92adccf79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
285ce107a8d91d5ca71472e705f54390

SHA1
1ad3632e3cc6aea48b2bb3253965996ec88cf58a

SHA256
9e9712e3d5ea07715aa31a325d8c1eceeaf5de033658069eb04f7682c5f72434

SHA512
26aebf3269213b6158562a18c7bb1899487ce1ec9d1f563d4f300313ce3b48f7dc4585877038616246d296f8df3fc83d6984554f635dad610d26a09baed7dc6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
285ce107a8d91d5ca71472e705f54390

SHA1
1ad3632e3cc6aea48b2bb3253965996ec88cf58a

SHA256
9e9712e3d5ea07715aa31a325d8c1eceeaf5de033658069eb04f7682c5f72434

SHA512
26aebf3269213b6158562a18c7bb1899487ce1ec9d1f563d4f300313ce3b48f7dc4585877038616246d296f8df3fc83d6984554f635dad610d26a09baed7dc6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
285ce107a8d91d5ca71472e705f54390

SHA1
1ad3632e3cc6aea48b2bb3253965996ec88cf58a

SHA256
9e9712e3d5ea07715aa31a325d8c1eceeaf5de033658069eb04f7682c5f72434

SHA512
26aebf3269213b6158562a18c7bb1899487ce1ec9d1f563d4f300313ce3b48f7dc4585877038616246d296f8df3fc83d6984554f635dad610d26a09baed7dc6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
285ce107a8d91d5ca71472e705f54390

SHA1
1ad3632e3cc6aea48b2bb3253965996ec88cf58a

SHA256
9e9712e3d5ea07715aa31a325d8c1eceeaf5de033658069eb04f7682c5f72434

SHA512
26aebf3269213b6158562a18c7bb1899487ce1ec9d1f563d4f300313ce3b48f7dc4585877038616246d296f8df3fc83d6984554f635dad610d26a09baed7dc6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
285ce107a8d91d5ca71472e705f54390

SHA1
1ad3632e3cc6aea48b2bb3253965996ec88cf58a

SHA256
9e9712e3d5ea07715aa31a325d8c1eceeaf5de033658069eb04f7682c5f72434

SHA512
26aebf3269213b6158562a18c7bb1899487ce1ec9d1f563d4f300313ce3b48f7dc4585877038616246d296f8df3fc83d6984554f635dad610d26a09baed7dc6c

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1664-161-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

Filesize
40KB

Download
memory/1860-166-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2256-206-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2256-212-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/4192-180-0x000000000A340000-0x000000000A3B6000-memory.dmp

Filesize
472KB

Download
memory/4192-187-0x0000000004850000-0x0000000004860000-memory.dmp

Filesize
64KB

Download
memory/4192-183-0x000000000AB70000-0x000000000ABD6000-memory.dmp

Filesize
408KB

Download
memory/4192-182-0x000000000B120000-0x000000000B6C4000-memory.dmp

Filesize
5.6MB

Download
memory/4192-181-0x000000000AAD0000-0x000000000AB62000-memory.dmp

Filesize
584KB

Download
memory/4192-186-0x000000000BFA0000-0x000000000C4CC000-memory.dmp

Filesize
5.2MB

Download
memory/4192-188-0x000000000B070000-0x000000000B0C0000-memory.dmp

Filesize
320KB

Download
memory/4192-185-0x000000000B8A0000-0x000000000BA62000-memory.dmp

Filesize
1.8MB

Download
memory/4192-179-0x0000000004850000-0x0000000004860000-memory.dmp

Filesize
64KB

Download
memory/4192-178-0x0000000009F30000-0x0000000009F6C000-memory.dmp

Filesize
240KB

Download
memory/4192-177-0x0000000009ED0000-0x0000000009EE2000-memory.dmp

Filesize
72KB

Download
memory/4192-176-0x0000000009F90000-0x000000000A09A000-memory.dmp

Filesize
1.0MB

Download
memory/4192-175-0x000000000A410000-0x000000000AA28000-memory.dmp

Filesize
6.1MB

Download
memory/4192-174-0x0000000000010000-0x0000000000040000-memory.dmp

Filesize
192KB

Download