redline | 5ce4f29786490884de8ff50e887a3fb91267d93a1408745fc2f8f7a0c036a8b4

Analysis

max time kernel
120s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ce4f29786490884de8ff50e887a3fb91267d93a1408745fc2f8f7a0c036a8b4.exe
Size

770KB
MD5

5f531e370db582bbd71e8eb1a998a4a8
SHA1

28729b19e7803eb5270e27b233f77ef3e700dc41
SHA256

5ce4f29786490884de8ff50e887a3fb91267d93a1408745fc2f8f7a0c036a8b4
SHA512

d80e76a37dca5f63d693c05c5dfc7d4094e5dfbfac9082bcaca5f618ad902c314a705a8acc4e89f1c7a673e4d1ee2461edf8127c29512aa866364c5fa8a0c70f
SSDEEP

12288:uMrLy90MUuLlxq7wWz2CcAPZFdMtx3JVFeRcaT313jsVrXAeHzA7JdhZDdQdT:9y/UgU2NARY5VFgcOl3jsV5HoJdHI

Score

10^/10

redline maxi sheron discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.129:19068

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exea7652543.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7652543.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7652543.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7652543.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7652543.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a7652543.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7652543.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d7568715.exelamod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	d7568715.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	lamod.exe

Executes dropped EXE 11 IoCs

Processes:

v6647589.exev5160877.exev3599670.exea7652543.exeb7051425.exec7984259.exed7568715.exelamod.exee2996584.exelamod.exelamod.exe

pid	process
1920	v6647589.exe
2180	v5160877.exe
4572	v3599670.exe
4544	a7652543.exe
2264	b7051425.exe
540	c7984259.exe
4848	d7568715.exe
4680	lamod.exe
2856	e2996584.exe
3680	lamod.exe
4480	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5112 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a7652543.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a7652543.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5112	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7652543.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v3599670.exe5ce4f29786490884de8ff50e887a3fb91267d93a1408745fc2f8f7a0c036a8b4.exev6647589.exev5160877.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3599670.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3599670.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5ce4f29786490884de8ff50e887a3fb91267d93a1408745fc2f8f7a0c036a8b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5ce4f29786490884de8ff50e887a3fb91267d93a1408745fc2f8f7a0c036a8b4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6647589.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6647589.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5160877.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5160877.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

b7051425.exee2996584.exe

description	pid	process	target process
PID 2264 set thread context of 5072	2264	b7051425.exe	AppLaunch.exe
PID 2856 set thread context of 3468	2856	e2996584.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

208 2264 WerFault.exe b7051425.exe
1580 2856 WerFault.exe e2996584.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2552 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a7652543.exeAppLaunch.exec7984259.exeAppLaunch.exe

pid process

4544 a7652543.exe
4544 a7652543.exe
5072 AppLaunch.exe
5072 AppLaunch.exe
540 c7984259.exe
540 c7984259.exe
3468 AppLaunch.exe
3468 AppLaunch.exe

pid	pid_target	process	target process
208	2264	WerFault.exe	b7051425.exe
1580	2856	WerFault.exe	e2996584.exe

pid	process
2552	schtasks.exe

pid	process
4544	a7652543.exe
4544	a7652543.exe
5072	AppLaunch.exe
5072	AppLaunch.exe
540	c7984259.exe
540	c7984259.exe
3468	AppLaunch.exe
3468	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a7652543.exeAppLaunch.exec7984259.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4544	a7652543.exe
Token: SeDebugPrivilege	5072	AppLaunch.exe
Token: SeDebugPrivilege	540	c7984259.exe
Token: SeDebugPrivilege	3468	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d7568715.exe

pid process

4848 d7568715.exe

pid	process
4848	d7568715.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

5ce4f29786490884de8ff50e887a3fb91267d93a1408745fc2f8f7a0c036a8b4.exev6647589.exev5160877.exev3599670.exeb7051425.exed7568715.exelamod.exee2996584.execmd.exe

description	pid	process	target process
PID 1812 wrote to memory of 1920	1812	5ce4f29786490884de8ff50e887a3fb91267d93a1408745fc2f8f7a0c036a8b4.exe	v6647589.exe
PID 1812 wrote to memory of 1920	1812	5ce4f29786490884de8ff50e887a3fb91267d93a1408745fc2f8f7a0c036a8b4.exe	v6647589.exe
PID 1812 wrote to memory of 1920	1812	5ce4f29786490884de8ff50e887a3fb91267d93a1408745fc2f8f7a0c036a8b4.exe	v6647589.exe
PID 1920 wrote to memory of 2180	1920	v6647589.exe	v5160877.exe
PID 1920 wrote to memory of 2180	1920	v6647589.exe	v5160877.exe
PID 1920 wrote to memory of 2180	1920	v6647589.exe	v5160877.exe
PID 2180 wrote to memory of 4572	2180	v5160877.exe	v3599670.exe
PID 2180 wrote to memory of 4572	2180	v5160877.exe	v3599670.exe
PID 2180 wrote to memory of 4572	2180	v5160877.exe	v3599670.exe
PID 4572 wrote to memory of 4544	4572	v3599670.exe	a7652543.exe
PID 4572 wrote to memory of 4544	4572	v3599670.exe	a7652543.exe
PID 4572 wrote to memory of 2264	4572	v3599670.exe	b7051425.exe
PID 4572 wrote to memory of 2264	4572	v3599670.exe	b7051425.exe
PID 4572 wrote to memory of 2264	4572	v3599670.exe	b7051425.exe
PID 2264 wrote to memory of 5072	2264	b7051425.exe	AppLaunch.exe
PID 2264 wrote to memory of 5072	2264	b7051425.exe	AppLaunch.exe
PID 2264 wrote to memory of 5072	2264	b7051425.exe	AppLaunch.exe
PID 2264 wrote to memory of 5072	2264	b7051425.exe	AppLaunch.exe
PID 2264 wrote to memory of 5072	2264	b7051425.exe	AppLaunch.exe
PID 2180 wrote to memory of 540	2180	v5160877.exe	c7984259.exe
PID 2180 wrote to memory of 540	2180	v5160877.exe	c7984259.exe
PID 2180 wrote to memory of 540	2180	v5160877.exe	c7984259.exe
PID 1920 wrote to memory of 4848	1920	v6647589.exe	d7568715.exe
PID 1920 wrote to memory of 4848	1920	v6647589.exe	d7568715.exe
PID 1920 wrote to memory of 4848	1920	v6647589.exe	d7568715.exe
PID 4848 wrote to memory of 4680	4848	d7568715.exe	lamod.exe
PID 4848 wrote to memory of 4680	4848	d7568715.exe	lamod.exe
PID 4848 wrote to memory of 4680	4848	d7568715.exe	lamod.exe
PID 1812 wrote to memory of 2856	1812	5ce4f29786490884de8ff50e887a3fb91267d93a1408745fc2f8f7a0c036a8b4.exe	e2996584.exe
PID 1812 wrote to memory of 2856	1812	5ce4f29786490884de8ff50e887a3fb91267d93a1408745fc2f8f7a0c036a8b4.exe	e2996584.exe
PID 1812 wrote to memory of 2856	1812	5ce4f29786490884de8ff50e887a3fb91267d93a1408745fc2f8f7a0c036a8b4.exe	e2996584.exe
PID 4680 wrote to memory of 2552	4680	lamod.exe	schtasks.exe
PID 4680 wrote to memory of 2552	4680	lamod.exe	schtasks.exe
PID 4680 wrote to memory of 2552	4680	lamod.exe	schtasks.exe
PID 4680 wrote to memory of 544	4680	lamod.exe	cmd.exe
PID 4680 wrote to memory of 544	4680	lamod.exe	cmd.exe
PID 4680 wrote to memory of 544	4680	lamod.exe	cmd.exe
PID 2856 wrote to memory of 3468	2856	e2996584.exe	AppLaunch.exe
PID 2856 wrote to memory of 3468	2856	e2996584.exe	AppLaunch.exe
PID 2856 wrote to memory of 3468	2856	e2996584.exe	AppLaunch.exe
PID 544 wrote to memory of 3512	544	cmd.exe	cmd.exe
PID 544 wrote to memory of 3512	544	cmd.exe	cmd.exe
PID 544 wrote to memory of 3512	544	cmd.exe	cmd.exe
PID 2856 wrote to memory of 3468	2856	e2996584.exe	AppLaunch.exe
PID 2856 wrote to memory of 3468	2856	e2996584.exe	AppLaunch.exe
PID 544 wrote to memory of 4196	544	cmd.exe	cacls.exe
PID 544 wrote to memory of 4196	544	cmd.exe	cacls.exe
PID 544 wrote to memory of 4196	544	cmd.exe	cacls.exe
PID 544 wrote to memory of 4200	544	cmd.exe	cacls.exe
PID 544 wrote to memory of 4200	544	cmd.exe	cacls.exe
PID 544 wrote to memory of 4200	544	cmd.exe	cacls.exe
PID 544 wrote to memory of 1320	544	cmd.exe	cmd.exe
PID 544 wrote to memory of 1320	544	cmd.exe	cmd.exe
PID 544 wrote to memory of 1320	544	cmd.exe	cmd.exe
PID 544 wrote to memory of 5080	544	cmd.exe	cacls.exe
PID 544 wrote to memory of 5080	544	cmd.exe	cacls.exe
PID 544 wrote to memory of 5080	544	cmd.exe	cacls.exe
PID 544 wrote to memory of 524	544	cmd.exe	cacls.exe
PID 544 wrote to memory of 524	544	cmd.exe	cacls.exe
PID 544 wrote to memory of 524	544	cmd.exe	cacls.exe
PID 4680 wrote to memory of 5112	4680	lamod.exe	rundll32.exe
PID 4680 wrote to memory of 5112	4680	lamod.exe	rundll32.exe
PID 4680 wrote to memory of 5112	4680	lamod.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\5ce4f29786490884de8ff50e887a3fb91267d93a1408745fc2f8f7a0c036a8b4.exe
"C:\Users\Admin\AppData\Local\Temp\5ce4f29786490884de8ff50e887a3fb91267d93a1408745fc2f8f7a0c036a8b4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6647589.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6647589.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5160877.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5160877.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3599670.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3599670.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4572

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7652543.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7652543.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7051425.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7051425.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 160
6⤵
- Program crash
PID:208

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7984259.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7984259.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7568715.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7568715.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
5⤵
- Creates scheduled task(s)
PID:2552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:3512

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
6⤵
PID:4196

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
6⤵
PID:4200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1320

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:5080

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:524

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:5112

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e2996584.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e2996584.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 152
3⤵
- Program crash
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2264 -ip 2264
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2856 -ip 2856
1⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:3680

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:4480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e2996584.exe

Filesize
308KB

MD5
eef0604296931adc3cf98267479df4b1

SHA1
57fe9c004363c710f3adc9cc368f207710a2577d

SHA256
05a434971087defa8a9df26490bc42cc31c2327a313c44c047a92254fb991562

SHA512
7e20206965a4e66b48cfe276995ed23e6f521cc52d7ccbf18f3c5e6ac5973dfbc521aa9d9c675be3c19283b15b54a0727092d9a07d04b1c266957ff443459d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e2996584.exe

Filesize
308KB

MD5
eef0604296931adc3cf98267479df4b1

SHA1
57fe9c004363c710f3adc9cc368f207710a2577d

SHA256
05a434971087defa8a9df26490bc42cc31c2327a313c44c047a92254fb991562

SHA512
7e20206965a4e66b48cfe276995ed23e6f521cc52d7ccbf18f3c5e6ac5973dfbc521aa9d9c675be3c19283b15b54a0727092d9a07d04b1c266957ff443459d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6647589.exe

Filesize
547KB

MD5
88efafa26fb16bfa5279ccfd9e9b9200

SHA1
734a1a55773f15eb3b2378495b51c934ff178435

SHA256
2c6aa9eba915fc58a93c4df5c6b5007840237088f823fa493d9fcc31ae39fb18

SHA512
ce5742fd751a5c43cf56ad60afb0187ae8287d696818c21f575b77974f6012a855a9b1cb6eaefab738d25918c63d970d3d798e60b8c1b1f869709a0a540ffe7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6647589.exe

Filesize
547KB

MD5
88efafa26fb16bfa5279ccfd9e9b9200

SHA1
734a1a55773f15eb3b2378495b51c934ff178435

SHA256
2c6aa9eba915fc58a93c4df5c6b5007840237088f823fa493d9fcc31ae39fb18

SHA512
ce5742fd751a5c43cf56ad60afb0187ae8287d696818c21f575b77974f6012a855a9b1cb6eaefab738d25918c63d970d3d798e60b8c1b1f869709a0a540ffe7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7568715.exe

Filesize
208KB

MD5
66f75cbbd8dee8094da58e3ae4807df2

SHA1
f6761198df764fe33bf7b76953f02888f5cf91b2

SHA256
6fde923aee9800cefcf2fed17fd4041bf01aac416cd9dbd052861213eafc693f

SHA512
d2e722d1021a18e9ccbbd92c932b9c05f9a037f56f3677cb2635021a86114fb86b16c1e023f4cd2a151f3d746ca97a6a5f1e4e1f57029b246b08a207ab456656

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7568715.exe

Filesize
208KB

MD5
66f75cbbd8dee8094da58e3ae4807df2

SHA1
f6761198df764fe33bf7b76953f02888f5cf91b2

SHA256
6fde923aee9800cefcf2fed17fd4041bf01aac416cd9dbd052861213eafc693f

SHA512
d2e722d1021a18e9ccbbd92c932b9c05f9a037f56f3677cb2635021a86114fb86b16c1e023f4cd2a151f3d746ca97a6a5f1e4e1f57029b246b08a207ab456656

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5160877.exe

Filesize
375KB

MD5
3a09e3318f8acac6584021ff1c4743ea

SHA1
bbd8c92679d6c7d11e88fbe2dd9fbba0eac2991f

SHA256
2eb6aa43dd48d6d4883400d087ace1c3ad14493075cd3e05ae65025b2827ad49

SHA512
6eed778661a337961a67625a05372de171cf151289d7ad06e6dbfd837bf79135a20aec49cea438a26e5c5f31fde8fa098082c21cb05ad5395b0f4900d4a69a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5160877.exe

Filesize
375KB

MD5
3a09e3318f8acac6584021ff1c4743ea

SHA1
bbd8c92679d6c7d11e88fbe2dd9fbba0eac2991f

SHA256
2eb6aa43dd48d6d4883400d087ace1c3ad14493075cd3e05ae65025b2827ad49

SHA512
6eed778661a337961a67625a05372de171cf151289d7ad06e6dbfd837bf79135a20aec49cea438a26e5c5f31fde8fa098082c21cb05ad5395b0f4900d4a69a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7984259.exe

Filesize
172KB

MD5
cdfcad9f2b1b6f334ce074376437ac6c

SHA1
a802a8a92dd4c73649171c1c83f57d8082ac7eb8

SHA256
912a99ab3616afa554e22fbec4fd7effeaff2bd12c462c2fe526808c8c185d96

SHA512
1d2b2eca1d9148acf8170ab351007a84bbfe44ef44203cbba4abae5d9107c41ba414ae1f63edfe5bb76b81aa45c7dce457dd64ac785dec8f73d86f4e85cdb8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7984259.exe

Filesize
172KB

MD5
cdfcad9f2b1b6f334ce074376437ac6c

SHA1
a802a8a92dd4c73649171c1c83f57d8082ac7eb8

SHA256
912a99ab3616afa554e22fbec4fd7effeaff2bd12c462c2fe526808c8c185d96

SHA512
1d2b2eca1d9148acf8170ab351007a84bbfe44ef44203cbba4abae5d9107c41ba414ae1f63edfe5bb76b81aa45c7dce457dd64ac785dec8f73d86f4e85cdb8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3599670.exe

Filesize
220KB

MD5
9af6248fdfe0abacc57339ac02a0be3c

SHA1
ef8fba097cbadf25354fc00e71fc5ca0b6aa9a9a

SHA256
01e746aa9f0333c865550cdd4046e6cb20167a73ecc701e056122b105c933076

SHA512
2af97dce296c1d829fc6ccb391831fc6d2fd98d757084f72fa35cff37070425ba864f73b3f5c578ecfddc74ebacb6581f87b4dc1c7ed203b619e19d57553be32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3599670.exe

Filesize
220KB

MD5
9af6248fdfe0abacc57339ac02a0be3c

SHA1
ef8fba097cbadf25354fc00e71fc5ca0b6aa9a9a

SHA256
01e746aa9f0333c865550cdd4046e6cb20167a73ecc701e056122b105c933076

SHA512
2af97dce296c1d829fc6ccb391831fc6d2fd98d757084f72fa35cff37070425ba864f73b3f5c578ecfddc74ebacb6581f87b4dc1c7ed203b619e19d57553be32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7652543.exe

Filesize
14KB

MD5
b15c3e44debb4b53b9425736a299a052

SHA1
c17f6d11c99707556884b70b856de940bcdc679b

SHA256
732716e928ad710445d156bc642b81f76667551f6caf31f34e5c39ae6ec5430e

SHA512
f334f038dfccdd422dea52e9d9b88004ea6fa052d55d8c04e258ac7faecf9797b07a56b9c31645521ad4e69017025107a1082d7f42aaaafa9bcc0ed0440dda9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7652543.exe

Filesize
14KB

MD5
b15c3e44debb4b53b9425736a299a052

SHA1
c17f6d11c99707556884b70b856de940bcdc679b

SHA256
732716e928ad710445d156bc642b81f76667551f6caf31f34e5c39ae6ec5430e

SHA512
f334f038dfccdd422dea52e9d9b88004ea6fa052d55d8c04e258ac7faecf9797b07a56b9c31645521ad4e69017025107a1082d7f42aaaafa9bcc0ed0440dda9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7051425.exe

Filesize
147KB

MD5
b26c00691a9181443c031933fae6c499

SHA1
3f3a5a5f1deffd1dbf4bdfe6403a3ac7c224f21f

SHA256
08e2448bde748fd936e9fcb6b951f3f8a228ae9eee9595e3c4f3103311792eb5

SHA512
a274c1f9dcba5cd6ce7fae69286305acffe65f3f222c479913a494f96044753499d7098ca93a28f0e5cb92ddb6a576ad1ce1d0810f4b671937748953d86cae0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7051425.exe

Filesize
147KB

MD5
b26c00691a9181443c031933fae6c499

SHA1
3f3a5a5f1deffd1dbf4bdfe6403a3ac7c224f21f

SHA256
08e2448bde748fd936e9fcb6b951f3f8a228ae9eee9595e3c4f3103311792eb5

SHA512
a274c1f9dcba5cd6ce7fae69286305acffe65f3f222c479913a494f96044753499d7098ca93a28f0e5cb92ddb6a576ad1ce1d0810f4b671937748953d86cae0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
66f75cbbd8dee8094da58e3ae4807df2

SHA1
f6761198df764fe33bf7b76953f02888f5cf91b2

SHA256
6fde923aee9800cefcf2fed17fd4041bf01aac416cd9dbd052861213eafc693f

SHA512
d2e722d1021a18e9ccbbd92c932b9c05f9a037f56f3677cb2635021a86114fb86b16c1e023f4cd2a151f3d746ca97a6a5f1e4e1f57029b246b08a207ab456656

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
66f75cbbd8dee8094da58e3ae4807df2

SHA1
f6761198df764fe33bf7b76953f02888f5cf91b2

SHA256
6fde923aee9800cefcf2fed17fd4041bf01aac416cd9dbd052861213eafc693f

SHA512
d2e722d1021a18e9ccbbd92c932b9c05f9a037f56f3677cb2635021a86114fb86b16c1e023f4cd2a151f3d746ca97a6a5f1e4e1f57029b246b08a207ab456656

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
66f75cbbd8dee8094da58e3ae4807df2

SHA1
f6761198df764fe33bf7b76953f02888f5cf91b2

SHA256
6fde923aee9800cefcf2fed17fd4041bf01aac416cd9dbd052861213eafc693f

SHA512
d2e722d1021a18e9ccbbd92c932b9c05f9a037f56f3677cb2635021a86114fb86b16c1e023f4cd2a151f3d746ca97a6a5f1e4e1f57029b246b08a207ab456656

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
66f75cbbd8dee8094da58e3ae4807df2

SHA1
f6761198df764fe33bf7b76953f02888f5cf91b2

SHA256
6fde923aee9800cefcf2fed17fd4041bf01aac416cd9dbd052861213eafc693f

SHA512
d2e722d1021a18e9ccbbd92c932b9c05f9a037f56f3677cb2635021a86114fb86b16c1e023f4cd2a151f3d746ca97a6a5f1e4e1f57029b246b08a207ab456656

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
66f75cbbd8dee8094da58e3ae4807df2

SHA1
f6761198df764fe33bf7b76953f02888f5cf91b2

SHA256
6fde923aee9800cefcf2fed17fd4041bf01aac416cd9dbd052861213eafc693f

SHA512
d2e722d1021a18e9ccbbd92c932b9c05f9a037f56f3677cb2635021a86114fb86b16c1e023f4cd2a151f3d746ca97a6a5f1e4e1f57029b246b08a207ab456656

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/540-182-0x000000000B2E0000-0x000000000B884000-memory.dmp

Filesize
5.6MB

Download
memory/540-176-0x000000000A290000-0x000000000A39A000-memory.dmp

Filesize
1.0MB

Download
memory/540-187-0x000000000BB60000-0x000000000BD22000-memory.dmp

Filesize
1.8MB

Download
memory/540-186-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/540-185-0x000000000B280000-0x000000000B2D0000-memory.dmp

Filesize
320KB

Download
memory/540-183-0x000000000AD30000-0x000000000AD96000-memory.dmp

Filesize
408KB

Download
memory/540-181-0x000000000A660000-0x000000000A6F2000-memory.dmp

Filesize
584KB

Download
memory/540-180-0x000000000A540000-0x000000000A5B6000-memory.dmp

Filesize
472KB

Download
memory/540-179-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/540-174-0x0000000000310000-0x0000000000340000-memory.dmp

Filesize
192KB

Download
memory/540-178-0x000000000A230000-0x000000000A26C000-memory.dmp

Filesize
240KB

Download
memory/540-175-0x000000000A710000-0x000000000AD28000-memory.dmp

Filesize
6.1MB

Download
memory/540-177-0x000000000A1D0000-0x000000000A1E2000-memory.dmp

Filesize
72KB

Download
memory/540-188-0x000000000C260000-0x000000000C78C000-memory.dmp

Filesize
5.2MB

Download
memory/3468-212-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/3468-206-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4544-161-0x0000000000C20000-0x0000000000C2A000-memory.dmp

Filesize
40KB

Download
memory/5072-166-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download