redline | 22585fca1b59216a1b6a1b0055eddd1c0b7bd07049e41678d63e5b1e914f755b

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22585fca1b59216a1b6a1b0055eddd1c0b7bd07049e41678d63e5b1e914f755b.exe
Size

772KB
MD5

c8d1356a78ba15394714fcbcd58a4c7c
SHA1

29f4a3aa1793165054707bd7f577aa41ddcdcc74
SHA256

22585fca1b59216a1b6a1b0055eddd1c0b7bd07049e41678d63e5b1e914f755b
SHA512

8e933e57e31759d6cf71859f51efb253544f7f613e3ca9edbbc93779c2e417a73388f5a4f7f7a3751536e1918efa2c1cfb192b86cbb2cc2200436f7f9e53a201
SSDEEP

24576:3y/SA0NfEUve88RUcBMESkb3xwEqsb21Ia:C6AkcYeLXwEqsb2S

Score

10^/10

redline maxi sheron discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.129:19068

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a1238484.exeAppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a1238484.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1238484.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1238484.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1238484.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1238484.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1238484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d3309361.exelamod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	d3309361.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	lamod.exe

Executes dropped EXE 11 IoCs

Processes:

v6212218.exev2431644.exev5498823.exea1238484.exeb0613984.exec4280356.exed3309361.exelamod.exee0598451.exelamod.exelamod.exe

pid	process
2840	v6212218.exe
3456	v2431644.exe
208	v5498823.exe
5064	a1238484.exe
512	b0613984.exe
4604	c4280356.exe
1656	d3309361.exe
4812	lamod.exe
4836	e0598451.exe
2548	lamod.exe
4840	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1972 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a1238484.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a1238484.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1972	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1238484.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v2431644.exev5498823.exe22585fca1b59216a1b6a1b0055eddd1c0b7bd07049e41678d63e5b1e914f755b.exev6212218.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2431644.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5498823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v5498823.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	22585fca1b59216a1b6a1b0055eddd1c0b7bd07049e41678d63e5b1e914f755b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	22585fca1b59216a1b6a1b0055eddd1c0b7bd07049e41678d63e5b1e914f755b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6212218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6212218.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2431644.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

b0613984.exee0598451.exe

description	pid	process	target process
PID 512 set thread context of 700	512	b0613984.exe	AppLaunch.exe
PID 4836 set thread context of 3312	4836	e0598451.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3996 512 WerFault.exe b0613984.exe
772 4836 WerFault.exe e0598451.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5084 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a1238484.exeAppLaunch.exec4280356.exeAppLaunch.exe

pid process

5064 a1238484.exe
5064 a1238484.exe
700 AppLaunch.exe
700 AppLaunch.exe
4604 c4280356.exe
4604 c4280356.exe
3312 AppLaunch.exe
3312 AppLaunch.exe

pid	pid_target	process	target process
3996	512	WerFault.exe	b0613984.exe
772	4836	WerFault.exe	e0598451.exe

pid	process
5084	schtasks.exe

pid	process
5064	a1238484.exe
5064	a1238484.exe
700	AppLaunch.exe
700	AppLaunch.exe
4604	c4280356.exe
4604	c4280356.exe
3312	AppLaunch.exe
3312	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a1238484.exeAppLaunch.exec4280356.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	5064	a1238484.exe
Token: SeDebugPrivilege	700	AppLaunch.exe
Token: SeDebugPrivilege	4604	c4280356.exe
Token: SeDebugPrivilege	3312	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d3309361.exe

pid process

1656 d3309361.exe

pid	process
1656	d3309361.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

22585fca1b59216a1b6a1b0055eddd1c0b7bd07049e41678d63e5b1e914f755b.exev6212218.exev2431644.exev5498823.exeb0613984.exed3309361.exelamod.execmd.exee0598451.exe

description	pid	process	target process
PID 2828 wrote to memory of 2840	2828	22585fca1b59216a1b6a1b0055eddd1c0b7bd07049e41678d63e5b1e914f755b.exe	v6212218.exe
PID 2828 wrote to memory of 2840	2828	22585fca1b59216a1b6a1b0055eddd1c0b7bd07049e41678d63e5b1e914f755b.exe	v6212218.exe
PID 2828 wrote to memory of 2840	2828	22585fca1b59216a1b6a1b0055eddd1c0b7bd07049e41678d63e5b1e914f755b.exe	v6212218.exe
PID 2840 wrote to memory of 3456	2840	v6212218.exe	v2431644.exe
PID 2840 wrote to memory of 3456	2840	v6212218.exe	v2431644.exe
PID 2840 wrote to memory of 3456	2840	v6212218.exe	v2431644.exe
PID 3456 wrote to memory of 208	3456	v2431644.exe	v5498823.exe
PID 3456 wrote to memory of 208	3456	v2431644.exe	v5498823.exe
PID 3456 wrote to memory of 208	3456	v2431644.exe	v5498823.exe
PID 208 wrote to memory of 5064	208	v5498823.exe	a1238484.exe
PID 208 wrote to memory of 5064	208	v5498823.exe	a1238484.exe
PID 208 wrote to memory of 512	208	v5498823.exe	b0613984.exe
PID 208 wrote to memory of 512	208	v5498823.exe	b0613984.exe
PID 208 wrote to memory of 512	208	v5498823.exe	b0613984.exe
PID 512 wrote to memory of 700	512	b0613984.exe	AppLaunch.exe
PID 512 wrote to memory of 700	512	b0613984.exe	AppLaunch.exe
PID 512 wrote to memory of 700	512	b0613984.exe	AppLaunch.exe
PID 512 wrote to memory of 700	512	b0613984.exe	AppLaunch.exe
PID 512 wrote to memory of 700	512	b0613984.exe	AppLaunch.exe
PID 3456 wrote to memory of 4604	3456	v2431644.exe	c4280356.exe
PID 3456 wrote to memory of 4604	3456	v2431644.exe	c4280356.exe
PID 3456 wrote to memory of 4604	3456	v2431644.exe	c4280356.exe
PID 2840 wrote to memory of 1656	2840	v6212218.exe	d3309361.exe
PID 2840 wrote to memory of 1656	2840	v6212218.exe	d3309361.exe
PID 2840 wrote to memory of 1656	2840	v6212218.exe	d3309361.exe
PID 1656 wrote to memory of 4812	1656	d3309361.exe	lamod.exe
PID 1656 wrote to memory of 4812	1656	d3309361.exe	lamod.exe
PID 1656 wrote to memory of 4812	1656	d3309361.exe	lamod.exe
PID 2828 wrote to memory of 4836	2828	22585fca1b59216a1b6a1b0055eddd1c0b7bd07049e41678d63e5b1e914f755b.exe	e0598451.exe
PID 2828 wrote to memory of 4836	2828	22585fca1b59216a1b6a1b0055eddd1c0b7bd07049e41678d63e5b1e914f755b.exe	e0598451.exe
PID 2828 wrote to memory of 4836	2828	22585fca1b59216a1b6a1b0055eddd1c0b7bd07049e41678d63e5b1e914f755b.exe	e0598451.exe
PID 4812 wrote to memory of 5084	4812	lamod.exe	schtasks.exe
PID 4812 wrote to memory of 5084	4812	lamod.exe	schtasks.exe
PID 4812 wrote to memory of 5084	4812	lamod.exe	schtasks.exe
PID 4812 wrote to memory of 3944	4812	lamod.exe	cmd.exe
PID 4812 wrote to memory of 3944	4812	lamod.exe	cmd.exe
PID 4812 wrote to memory of 3944	4812	lamod.exe	cmd.exe
PID 3944 wrote to memory of 620	3944	cmd.exe	cmd.exe
PID 3944 wrote to memory of 620	3944	cmd.exe	cmd.exe
PID 3944 wrote to memory of 620	3944	cmd.exe	cmd.exe
PID 3944 wrote to memory of 3664	3944	cmd.exe	cacls.exe
PID 3944 wrote to memory of 3664	3944	cmd.exe	cacls.exe
PID 3944 wrote to memory of 3664	3944	cmd.exe	cacls.exe
PID 3944 wrote to memory of 3492	3944	cmd.exe	cacls.exe
PID 3944 wrote to memory of 3492	3944	cmd.exe	cacls.exe
PID 3944 wrote to memory of 3492	3944	cmd.exe	cacls.exe
PID 3944 wrote to memory of 1248	3944	cmd.exe	cmd.exe
PID 3944 wrote to memory of 1248	3944	cmd.exe	cmd.exe
PID 3944 wrote to memory of 1248	3944	cmd.exe	cmd.exe
PID 3944 wrote to memory of 4700	3944	cmd.exe	cacls.exe
PID 3944 wrote to memory of 4700	3944	cmd.exe	cacls.exe
PID 3944 wrote to memory of 4700	3944	cmd.exe	cacls.exe
PID 4836 wrote to memory of 3312	4836	e0598451.exe	AppLaunch.exe
PID 4836 wrote to memory of 3312	4836	e0598451.exe	AppLaunch.exe
PID 4836 wrote to memory of 3312	4836	e0598451.exe	AppLaunch.exe
PID 4836 wrote to memory of 3312	4836	e0598451.exe	AppLaunch.exe
PID 4836 wrote to memory of 3312	4836	e0598451.exe	AppLaunch.exe
PID 3944 wrote to memory of 2524	3944	cmd.exe	cacls.exe
PID 3944 wrote to memory of 2524	3944	cmd.exe	cacls.exe
PID 3944 wrote to memory of 2524	3944	cmd.exe	cacls.exe
PID 4812 wrote to memory of 1972	4812	lamod.exe	rundll32.exe
PID 4812 wrote to memory of 1972	4812	lamod.exe	rundll32.exe
PID 4812 wrote to memory of 1972	4812	lamod.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\22585fca1b59216a1b6a1b0055eddd1c0b7bd07049e41678d63e5b1e914f755b.exe
"C:\Users\Admin\AppData\Local\Temp\22585fca1b59216a1b6a1b0055eddd1c0b7bd07049e41678d63e5b1e914f755b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2828

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6212218.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6212218.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2840

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2431644.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2431644.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3456

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5498823.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5498823.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:208

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1238484.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1238484.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0613984.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0613984.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 152
6⤵
- Program crash
PID:3996

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4280356.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4280356.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3309361.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3309361.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
5⤵
- Creates scheduled task(s)
PID:5084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:620

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
6⤵
PID:3664

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
6⤵
PID:3492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1248

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:4700

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:2524

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:1972

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0598451.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0598451.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 148
3⤵
- Program crash
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 512 -ip 512
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4836 -ip 4836
1⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:2548

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:4840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0598451.exe

Filesize
309KB

MD5
bfc7b4997d19d31ea7394555618a0a6a

SHA1
7868e618f319e2633b9f3c7f29796534ceb1890d

SHA256
5e7b735be566e99f329c43aa9fe39621fa81a7551d15d77864b71bd4a0be4262

SHA512
384dd943e907cb5f511d1fb6831e4a559b4f8acec7e62eee021c785379aa662041551560a78af9fc04515a39bb1772ee9abda5468dcf3f13ab99946911bd279e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0598451.exe

Filesize
309KB

MD5
bfc7b4997d19d31ea7394555618a0a6a

SHA1
7868e618f319e2633b9f3c7f29796534ceb1890d

SHA256
5e7b735be566e99f329c43aa9fe39621fa81a7551d15d77864b71bd4a0be4262

SHA512
384dd943e907cb5f511d1fb6831e4a559b4f8acec7e62eee021c785379aa662041551560a78af9fc04515a39bb1772ee9abda5468dcf3f13ab99946911bd279e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6212218.exe

Filesize
548KB

MD5
c7f9db0320d6086a74cec4f15064234b

SHA1
9d7ec1803417b2c9fb67ddeb8cebc556ad82bb8b

SHA256
8cc4c59f9e8ec04287e71596d91977ab59a1cc854ec9fc6cf294c65821aa76df

SHA512
07aece58af467d5c614973eb0bee36df0bd7b7a337bab0037c7bb83678d1c76ff5766be25af93258c78fc48be04fd283e04c5ee99e78bd387782e822f9fd889c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6212218.exe

Filesize
548KB

MD5
c7f9db0320d6086a74cec4f15064234b

SHA1
9d7ec1803417b2c9fb67ddeb8cebc556ad82bb8b

SHA256
8cc4c59f9e8ec04287e71596d91977ab59a1cc854ec9fc6cf294c65821aa76df

SHA512
07aece58af467d5c614973eb0bee36df0bd7b7a337bab0037c7bb83678d1c76ff5766be25af93258c78fc48be04fd283e04c5ee99e78bd387782e822f9fd889c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3309361.exe

Filesize
208KB

MD5
83381cfc19d6878e03ef65aa3037821b

SHA1
74732b78c933fb52aa9f47aadcbaec8d4f763007

SHA256
a7dfa4007b11162a855d01be9e5b843bf074dc08d25e5a56e2779e17356423a4

SHA512
fbef2e5e7d4a4a72c12c1b6fe08ea0c805f4595924e8aa1047e968264157bc92478c0f40ac8b9287461ccda1bfb812c38575c45a5a2fabd63b5bcccd3bcbbab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3309361.exe

Filesize
208KB

MD5
83381cfc19d6878e03ef65aa3037821b

SHA1
74732b78c933fb52aa9f47aadcbaec8d4f763007

SHA256
a7dfa4007b11162a855d01be9e5b843bf074dc08d25e5a56e2779e17356423a4

SHA512
fbef2e5e7d4a4a72c12c1b6fe08ea0c805f4595924e8aa1047e968264157bc92478c0f40ac8b9287461ccda1bfb812c38575c45a5a2fabd63b5bcccd3bcbbab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2431644.exe

Filesize
376KB

MD5
7dc96f53fab1174be35d5259bc4a4371

SHA1
5bc15cd84650588d5f4100ee5c3e78a15224a2ed

SHA256
68b132015d379141c932e54a92b6c492c37f0eb3c4cd3a61de43c8a0a91bb25b

SHA512
ee021c4daffb1a09d14ed85f395455fae45b34c064bfe1bbd36a0c70ec3edda8718b0e2f2c4a07ff0ecfe610505480d6d351a5d7b4180d9a6e12c5c23ac78452

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2431644.exe

Filesize
376KB

MD5
7dc96f53fab1174be35d5259bc4a4371

SHA1
5bc15cd84650588d5f4100ee5c3e78a15224a2ed

SHA256
68b132015d379141c932e54a92b6c492c37f0eb3c4cd3a61de43c8a0a91bb25b

SHA512
ee021c4daffb1a09d14ed85f395455fae45b34c064bfe1bbd36a0c70ec3edda8718b0e2f2c4a07ff0ecfe610505480d6d351a5d7b4180d9a6e12c5c23ac78452

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4280356.exe

Filesize
172KB

MD5
9882af512355c9f311fcc75b85bb59f4

SHA1
86e421448c8f97e5a022e7011cfb1ab8404bbc06

SHA256
32b91d5faa4efb6aca392aad4cbbf60dd74fd6ff5a388fc0d6eed0bc71fe6766

SHA512
4289167c1c16c6efdf165a2fe4f874f4d94647f61a7b9b961d9cf31c79c5867667da623fcb7d11387b0fca4e61352bcd52400a35e2d65211f1e6fea57c1c0300

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4280356.exe

Filesize
172KB

MD5
9882af512355c9f311fcc75b85bb59f4

SHA1
86e421448c8f97e5a022e7011cfb1ab8404bbc06

SHA256
32b91d5faa4efb6aca392aad4cbbf60dd74fd6ff5a388fc0d6eed0bc71fe6766

SHA512
4289167c1c16c6efdf165a2fe4f874f4d94647f61a7b9b961d9cf31c79c5867667da623fcb7d11387b0fca4e61352bcd52400a35e2d65211f1e6fea57c1c0300

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5498823.exe

Filesize
221KB

MD5
248ca9ead12f3868da9fe8b4c4595b8f

SHA1
d4e5730bd7270c0027e92f36a9ee73d9ceaab2a9

SHA256
b87aa71b98bfecf1fd05ccd5bd6e0ab573d3cc2111e34b6a1069313c302e26f0

SHA512
ff345ccfa9fa344475fd1f1eb2354910f2d8d6c94c337ff00eaeac1be401bbc7726df68d7bef82a4eb791a1b54012cf0d0c7d58ebc61e954d64686c1f856d1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5498823.exe

Filesize
221KB

MD5
248ca9ead12f3868da9fe8b4c4595b8f

SHA1
d4e5730bd7270c0027e92f36a9ee73d9ceaab2a9

SHA256
b87aa71b98bfecf1fd05ccd5bd6e0ab573d3cc2111e34b6a1069313c302e26f0

SHA512
ff345ccfa9fa344475fd1f1eb2354910f2d8d6c94c337ff00eaeac1be401bbc7726df68d7bef82a4eb791a1b54012cf0d0c7d58ebc61e954d64686c1f856d1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1238484.exe

Filesize
14KB

MD5
e1c18768b5fd66c791beb4206d959628

SHA1
ebf859056452de47aafc9857cb9a7c159c206c4f

SHA256
e71eae8726bedcfc3f514816296fa7dd8bb3f78d43795a7b2a48703ae2f7bd6e

SHA512
bf9427c0f8da06c03aae6b2aa5de631246353b96f472f0877324195bb3349b49a73230e3f0183e8dcc1915cfbb92913bbd74349f61f4e89478944e3651ac90bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1238484.exe

Filesize
14KB

MD5
e1c18768b5fd66c791beb4206d959628

SHA1
ebf859056452de47aafc9857cb9a7c159c206c4f

SHA256
e71eae8726bedcfc3f514816296fa7dd8bb3f78d43795a7b2a48703ae2f7bd6e

SHA512
bf9427c0f8da06c03aae6b2aa5de631246353b96f472f0877324195bb3349b49a73230e3f0183e8dcc1915cfbb92913bbd74349f61f4e89478944e3651ac90bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0613984.exe

Filesize
148KB

MD5
2d3fbb3618d50d6eee62fee86294f915

SHA1
d023d0de43b0d3fe93a4616d5281b293c3fe0c0e

SHA256
3acaecc966985de80a2becd4a51a872702b90374436716d87115bec4d245e68a

SHA512
810cec3e49e8330d2068d06e76423827246b3cf38138fb70a7ba237f15185627355b3b226d63814380648f66fe7ee2406754b9a5ea7217319a9efd4e466fcf90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0613984.exe

Filesize
148KB

MD5
2d3fbb3618d50d6eee62fee86294f915

SHA1
d023d0de43b0d3fe93a4616d5281b293c3fe0c0e

SHA256
3acaecc966985de80a2becd4a51a872702b90374436716d87115bec4d245e68a

SHA512
810cec3e49e8330d2068d06e76423827246b3cf38138fb70a7ba237f15185627355b3b226d63814380648f66fe7ee2406754b9a5ea7217319a9efd4e466fcf90

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
83381cfc19d6878e03ef65aa3037821b

SHA1
74732b78c933fb52aa9f47aadcbaec8d4f763007

SHA256
a7dfa4007b11162a855d01be9e5b843bf074dc08d25e5a56e2779e17356423a4

SHA512
fbef2e5e7d4a4a72c12c1b6fe08ea0c805f4595924e8aa1047e968264157bc92478c0f40ac8b9287461ccda1bfb812c38575c45a5a2fabd63b5bcccd3bcbbab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
83381cfc19d6878e03ef65aa3037821b

SHA1
74732b78c933fb52aa9f47aadcbaec8d4f763007

SHA256
a7dfa4007b11162a855d01be9e5b843bf074dc08d25e5a56e2779e17356423a4

SHA512
fbef2e5e7d4a4a72c12c1b6fe08ea0c805f4595924e8aa1047e968264157bc92478c0f40ac8b9287461ccda1bfb812c38575c45a5a2fabd63b5bcccd3bcbbab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
83381cfc19d6878e03ef65aa3037821b

SHA1
74732b78c933fb52aa9f47aadcbaec8d4f763007

SHA256
a7dfa4007b11162a855d01be9e5b843bf074dc08d25e5a56e2779e17356423a4

SHA512
fbef2e5e7d4a4a72c12c1b6fe08ea0c805f4595924e8aa1047e968264157bc92478c0f40ac8b9287461ccda1bfb812c38575c45a5a2fabd63b5bcccd3bcbbab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
83381cfc19d6878e03ef65aa3037821b

SHA1
74732b78c933fb52aa9f47aadcbaec8d4f763007

SHA256
a7dfa4007b11162a855d01be9e5b843bf074dc08d25e5a56e2779e17356423a4

SHA512
fbef2e5e7d4a4a72c12c1b6fe08ea0c805f4595924e8aa1047e968264157bc92478c0f40ac8b9287461ccda1bfb812c38575c45a5a2fabd63b5bcccd3bcbbab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
83381cfc19d6878e03ef65aa3037821b

SHA1
74732b78c933fb52aa9f47aadcbaec8d4f763007

SHA256
a7dfa4007b11162a855d01be9e5b843bf074dc08d25e5a56e2779e17356423a4

SHA512
fbef2e5e7d4a4a72c12c1b6fe08ea0c805f4595924e8aa1047e968264157bc92478c0f40ac8b9287461ccda1bfb812c38575c45a5a2fabd63b5bcccd3bcbbab1

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/700-166-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3312-206-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3312-212-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4604-183-0x000000000AE60000-0x000000000AEC6000-memory.dmp

Filesize
408KB

Download
memory/4604-179-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/4604-188-0x000000000C290000-0x000000000C7BC000-memory.dmp

Filesize
5.2MB

Download
memory/4604-182-0x000000000B410000-0x000000000B9B4000-memory.dmp

Filesize
5.6MB

Download
memory/4604-181-0x000000000ADC0000-0x000000000AE52000-memory.dmp

Filesize
584KB

Download
memory/4604-180-0x000000000A630000-0x000000000A6A6000-memory.dmp

Filesize
472KB

Download
memory/4604-186-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/4604-185-0x000000000B350000-0x000000000B3A0000-memory.dmp

Filesize
320KB

Download
memory/4604-187-0x000000000BB90000-0x000000000BD52000-memory.dmp

Filesize
1.8MB

Download
memory/4604-178-0x000000000A220000-0x000000000A25C000-memory.dmp

Filesize
240KB

Download
memory/4604-177-0x000000000A1C0000-0x000000000A1D2000-memory.dmp

Filesize
72KB

Download
memory/4604-176-0x000000000A280000-0x000000000A38A000-memory.dmp

Filesize
1.0MB

Download
memory/4604-175-0x000000000A700000-0x000000000AD18000-memory.dmp

Filesize
6.1MB

Download
memory/4604-174-0x0000000000300000-0x0000000000330000-memory.dmp

Filesize
192KB

Download
memory/5064-161-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download