redline | 7a2fcfdb544c7295eb48618061914c161f77486fd32acc683d95852be4cd5cf6

Analysis

max time kernel
123s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a2fcfdb544c7295eb48618061914c161f77486fd32acc683d95852be4cd5cf6.exe
Size

770KB
MD5

07ba139d963e5778120ef3ac3f30d0c0
SHA1

35c2e2d5b678da32203a026bb12dfcf8a952b043
SHA256

7a2fcfdb544c7295eb48618061914c161f77486fd32acc683d95852be4cd5cf6
SHA512

19850f07d1e3acf5f60f93e32570696558de174d53ebaf1dd957ab4919a0ece4039cb8428c69c88846793cff18985b3803e023fa5cec0b4ba1dfc6b7a7f83848
SSDEEP

24576:pyiOX9l8rTUD7itfYicfMsZHBOOOaCDRYu+:cFTmTUD+FIf1IT

Score

10^/10

redline maxi sheron discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.129:19068

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a3745608.exeAppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3745608.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3745608.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3745608.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a3745608.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3745608.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3745608.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d7106746.exelamod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	d7106746.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	lamod.exe

Executes dropped EXE 11 IoCs

Processes:

v6986446.exev2407730.exev9920736.exea3745608.exeb8965370.exec0811687.exed7106746.exelamod.exee5613797.exelamod.exelamod.exe

pid	process
3616	v6986446.exe
4752	v2407730.exe
388	v9920736.exe
3464	a3745608.exe
3100	b8965370.exe
2484	c0811687.exe
3076	d7106746.exe
3224	lamod.exe
4260	e5613797.exe
3392	lamod.exe
4332	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3960 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a3745608.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a3745608.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3960	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3745608.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7a2fcfdb544c7295eb48618061914c161f77486fd32acc683d95852be4cd5cf6.exev6986446.exev2407730.exev9920736.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7a2fcfdb544c7295eb48618061914c161f77486fd32acc683d95852be4cd5cf6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6986446.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6986446.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2407730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2407730.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9920736.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v9920736.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7a2fcfdb544c7295eb48618061914c161f77486fd32acc683d95852be4cd5cf6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

b8965370.exee5613797.exe

description	pid	process	target process
PID 3100 set thread context of 3452	3100	b8965370.exe	AppLaunch.exe
PID 4260 set thread context of 1260	4260	e5613797.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2896 3100 WerFault.exe b8965370.exe
1864 4260 WerFault.exe e5613797.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3456 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a3745608.exeAppLaunch.exec0811687.exeAppLaunch.exe

pid process

3464 a3745608.exe
3464 a3745608.exe
3452 AppLaunch.exe
3452 AppLaunch.exe
2484 c0811687.exe
2484 c0811687.exe
1260 AppLaunch.exe
1260 AppLaunch.exe

pid	pid_target	process	target process
2896	3100	WerFault.exe	b8965370.exe
1864	4260	WerFault.exe	e5613797.exe

pid	process
3456	schtasks.exe

pid	process
3464	a3745608.exe
3464	a3745608.exe
3452	AppLaunch.exe
3452	AppLaunch.exe
2484	c0811687.exe
2484	c0811687.exe
1260	AppLaunch.exe
1260	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a3745608.exeAppLaunch.exec0811687.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	3464	a3745608.exe
Token: SeDebugPrivilege	3452	AppLaunch.exe
Token: SeDebugPrivilege	2484	c0811687.exe
Token: SeDebugPrivilege	1260	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d7106746.exe

pid process

3076 d7106746.exe

pid	process
3076	d7106746.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

7a2fcfdb544c7295eb48618061914c161f77486fd32acc683d95852be4cd5cf6.exev6986446.exev2407730.exev9920736.exeb8965370.exed7106746.exelamod.execmd.exee5613797.exe

description	pid	process	target process
PID 1916 wrote to memory of 3616	1916	7a2fcfdb544c7295eb48618061914c161f77486fd32acc683d95852be4cd5cf6.exe	v6986446.exe
PID 1916 wrote to memory of 3616	1916	7a2fcfdb544c7295eb48618061914c161f77486fd32acc683d95852be4cd5cf6.exe	v6986446.exe
PID 1916 wrote to memory of 3616	1916	7a2fcfdb544c7295eb48618061914c161f77486fd32acc683d95852be4cd5cf6.exe	v6986446.exe
PID 3616 wrote to memory of 4752	3616	v6986446.exe	v2407730.exe
PID 3616 wrote to memory of 4752	3616	v6986446.exe	v2407730.exe
PID 3616 wrote to memory of 4752	3616	v6986446.exe	v2407730.exe
PID 4752 wrote to memory of 388	4752	v2407730.exe	v9920736.exe
PID 4752 wrote to memory of 388	4752	v2407730.exe	v9920736.exe
PID 4752 wrote to memory of 388	4752	v2407730.exe	v9920736.exe
PID 388 wrote to memory of 3464	388	v9920736.exe	a3745608.exe
PID 388 wrote to memory of 3464	388	v9920736.exe	a3745608.exe
PID 388 wrote to memory of 3100	388	v9920736.exe	b8965370.exe
PID 388 wrote to memory of 3100	388	v9920736.exe	b8965370.exe
PID 388 wrote to memory of 3100	388	v9920736.exe	b8965370.exe
PID 3100 wrote to memory of 3452	3100	b8965370.exe	AppLaunch.exe
PID 3100 wrote to memory of 3452	3100	b8965370.exe	AppLaunch.exe
PID 3100 wrote to memory of 3452	3100	b8965370.exe	AppLaunch.exe
PID 3100 wrote to memory of 3452	3100	b8965370.exe	AppLaunch.exe
PID 3100 wrote to memory of 3452	3100	b8965370.exe	AppLaunch.exe
PID 4752 wrote to memory of 2484	4752	v2407730.exe	c0811687.exe
PID 4752 wrote to memory of 2484	4752	v2407730.exe	c0811687.exe
PID 4752 wrote to memory of 2484	4752	v2407730.exe	c0811687.exe
PID 3616 wrote to memory of 3076	3616	v6986446.exe	d7106746.exe
PID 3616 wrote to memory of 3076	3616	v6986446.exe	d7106746.exe
PID 3616 wrote to memory of 3076	3616	v6986446.exe	d7106746.exe
PID 3076 wrote to memory of 3224	3076	d7106746.exe	lamod.exe
PID 3076 wrote to memory of 3224	3076	d7106746.exe	lamod.exe
PID 3076 wrote to memory of 3224	3076	d7106746.exe	lamod.exe
PID 1916 wrote to memory of 4260	1916	7a2fcfdb544c7295eb48618061914c161f77486fd32acc683d95852be4cd5cf6.exe	e5613797.exe
PID 1916 wrote to memory of 4260	1916	7a2fcfdb544c7295eb48618061914c161f77486fd32acc683d95852be4cd5cf6.exe	e5613797.exe
PID 1916 wrote to memory of 4260	1916	7a2fcfdb544c7295eb48618061914c161f77486fd32acc683d95852be4cd5cf6.exe	e5613797.exe
PID 3224 wrote to memory of 3456	3224	lamod.exe	schtasks.exe
PID 3224 wrote to memory of 3456	3224	lamod.exe	schtasks.exe
PID 3224 wrote to memory of 3456	3224	lamod.exe	schtasks.exe
PID 3224 wrote to memory of 400	3224	lamod.exe	cmd.exe
PID 3224 wrote to memory of 400	3224	lamod.exe	cmd.exe
PID 3224 wrote to memory of 400	3224	lamod.exe	cmd.exe
PID 400 wrote to memory of 4816	400	cmd.exe	cmd.exe
PID 400 wrote to memory of 4816	400	cmd.exe	cmd.exe
PID 400 wrote to memory of 4816	400	cmd.exe	cmd.exe
PID 400 wrote to memory of 1912	400	cmd.exe	cacls.exe
PID 400 wrote to memory of 1912	400	cmd.exe	cacls.exe
PID 400 wrote to memory of 1912	400	cmd.exe	cacls.exe
PID 400 wrote to memory of 2572	400	cmd.exe	cacls.exe
PID 400 wrote to memory of 2572	400	cmd.exe	cacls.exe
PID 400 wrote to memory of 2572	400	cmd.exe	cacls.exe
PID 400 wrote to memory of 5048	400	cmd.exe	cmd.exe
PID 400 wrote to memory of 5048	400	cmd.exe	cmd.exe
PID 400 wrote to memory of 5048	400	cmd.exe	cmd.exe
PID 400 wrote to memory of 2116	400	cmd.exe	cacls.exe
PID 400 wrote to memory of 2116	400	cmd.exe	cacls.exe
PID 400 wrote to memory of 2116	400	cmd.exe	cacls.exe
PID 4260 wrote to memory of 1260	4260	e5613797.exe	AppLaunch.exe
PID 4260 wrote to memory of 1260	4260	e5613797.exe	AppLaunch.exe
PID 4260 wrote to memory of 1260	4260	e5613797.exe	AppLaunch.exe
PID 4260 wrote to memory of 1260	4260	e5613797.exe	AppLaunch.exe
PID 4260 wrote to memory of 1260	4260	e5613797.exe	AppLaunch.exe
PID 400 wrote to memory of 2392	400	cmd.exe	cacls.exe
PID 400 wrote to memory of 2392	400	cmd.exe	cacls.exe
PID 400 wrote to memory of 2392	400	cmd.exe	cacls.exe
PID 3224 wrote to memory of 3960	3224	lamod.exe	rundll32.exe
PID 3224 wrote to memory of 3960	3224	lamod.exe	rundll32.exe
PID 3224 wrote to memory of 3960	3224	lamod.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7a2fcfdb544c7295eb48618061914c161f77486fd32acc683d95852be4cd5cf6.exe
"C:\Users\Admin\AppData\Local\Temp\7a2fcfdb544c7295eb48618061914c161f77486fd32acc683d95852be4cd5cf6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6986446.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6986446.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3616

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2407730.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2407730.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4752

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9920736.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9920736.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:388

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3745608.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3745608.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8965370.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8965370.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 152
6⤵
- Program crash
PID:2896

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0811687.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0811687.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7106746.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7106746.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3076

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
5⤵
- Creates scheduled task(s)
PID:3456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4816

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
6⤵
PID:1912

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
6⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:5048

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:2116

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:2392

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:3960

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5613797.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5613797.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 156
3⤵
- Program crash
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3100 -ip 3100
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4260 -ip 4260
1⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:3392

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:4332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5613797.exe
Filesize
308KB

MD5
0d9b14df81a535904bbfbf72937b37fb

SHA1
a0a7c8136b6341130e036bb85487a19ebc692ccd

SHA256
a95c6c71ebe6d7eff07afe76d07b7b9afbc0d4da0cad7c21aecfd483ec244aed

SHA512
dc8e1dffb1c30cc682b8ae449dab658de204db79ea6cafba1edcd226eb0b2cd4a401785d36119d5aee37a960705156006ff81fa69eee1cfc50c257eb081f05d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5613797.exe
Filesize
308KB

MD5
0d9b14df81a535904bbfbf72937b37fb

SHA1
a0a7c8136b6341130e036bb85487a19ebc692ccd

SHA256
a95c6c71ebe6d7eff07afe76d07b7b9afbc0d4da0cad7c21aecfd483ec244aed

SHA512
dc8e1dffb1c30cc682b8ae449dab658de204db79ea6cafba1edcd226eb0b2cd4a401785d36119d5aee37a960705156006ff81fa69eee1cfc50c257eb081f05d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6986446.exe
Filesize
548KB

MD5
097ab4ee4c2f8a3abac517c5a97939ce

SHA1
7176bec65964b72ae266b74def3d410f133feb2c

SHA256
4464628fdea2042cbf09419395e8488f95a67054ecc19eae3e083e5a9eb5ed23

SHA512
c4fe99f0ca81245456a8605d8a2b4789e69f073276167bbd84e79151809a91f5964826c5a22315e5c82bcc199eadb40c13d42a3f723e4386017e3f4d7998ffca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6986446.exe
Filesize
548KB

MD5
097ab4ee4c2f8a3abac517c5a97939ce

SHA1
7176bec65964b72ae266b74def3d410f133feb2c

SHA256
4464628fdea2042cbf09419395e8488f95a67054ecc19eae3e083e5a9eb5ed23

SHA512
c4fe99f0ca81245456a8605d8a2b4789e69f073276167bbd84e79151809a91f5964826c5a22315e5c82bcc199eadb40c13d42a3f723e4386017e3f4d7998ffca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7106746.exe
Filesize
208KB

MD5
02f495c7083820a753bb962402703bc2

SHA1
e4166ec643667fefb24b5039c1d7d65e9ff2dd8a

SHA256
25447616ec11b93ec32791ebc5729ec36593995451c8470f997c7d25174ca3a2

SHA512
cc8ee1c197955111938a29beaf43d01565d2d897fcb1eb13835a1b3b6342fba386252c9b87163483dba7a707aaf7fb49e36ed01faa91e6d11430884645b31323

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7106746.exe
Filesize
208KB

MD5
02f495c7083820a753bb962402703bc2

SHA1
e4166ec643667fefb24b5039c1d7d65e9ff2dd8a

SHA256
25447616ec11b93ec32791ebc5729ec36593995451c8470f997c7d25174ca3a2

SHA512
cc8ee1c197955111938a29beaf43d01565d2d897fcb1eb13835a1b3b6342fba386252c9b87163483dba7a707aaf7fb49e36ed01faa91e6d11430884645b31323

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2407730.exe
Filesize
376KB

MD5
0d26dca97fef6ebcef6225d1a6ca29ea

SHA1
0111b4479c851d8586e0f008d60094d76f6bba1a

SHA256
5479ac76c8fbfcd7b7f4b26c4f3b7f12b2b0e27de07bca9a76e695812fd2fe4e

SHA512
fa2da6872e0f761b1a88f3dd4a74d0f93f476171c1f91bf3c177cd79a77816e3f5f0a5b6429500b2b95f0f19d8e18e44b0e5509c3ac0b08447e267c59464649a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2407730.exe
Filesize
376KB

MD5
0d26dca97fef6ebcef6225d1a6ca29ea

SHA1
0111b4479c851d8586e0f008d60094d76f6bba1a

SHA256
5479ac76c8fbfcd7b7f4b26c4f3b7f12b2b0e27de07bca9a76e695812fd2fe4e

SHA512
fa2da6872e0f761b1a88f3dd4a74d0f93f476171c1f91bf3c177cd79a77816e3f5f0a5b6429500b2b95f0f19d8e18e44b0e5509c3ac0b08447e267c59464649a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0811687.exe
Filesize
172KB

MD5
be7353a62b61a58664cd9b2976260faa

SHA1
a562f1ade900e75cf33f3ac38d00607b0a50d601

SHA256
0017d308e7fbe998a137faeb81c5415f9cd1346fb6046c9d7d2ae6bd0d3a607b

SHA512
36409ab3acee76310eb4378b2ee900388a4151b54dd4742e62a09f5762650528228734075d81394c171105c3b858e104daee5d398ca0afdf12e46d4e8bd5a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0811687.exe
Filesize
172KB

MD5
be7353a62b61a58664cd9b2976260faa

SHA1
a562f1ade900e75cf33f3ac38d00607b0a50d601

SHA256
0017d308e7fbe998a137faeb81c5415f9cd1346fb6046c9d7d2ae6bd0d3a607b

SHA512
36409ab3acee76310eb4378b2ee900388a4151b54dd4742e62a09f5762650528228734075d81394c171105c3b858e104daee5d398ca0afdf12e46d4e8bd5a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9920736.exe
Filesize
220KB

MD5
a5c585fa77c51371f7b6dbfc10f8473d

SHA1
204f03b0a2850e86570b2029783ac69b3518c439

SHA256
56d360f9cba5a79d7ed0d11c298107f62275cadd569a470d078e4a92ea9306d3

SHA512
19a95fa991017e6787f023306d347bc99b4ddaed57a47a2c863989eb9b8f9e74e9d5db45c69e863cb895d8d95fc34ac633b8cb79e73aaa7b023be5e1f3fd6021

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9920736.exe
Filesize
220KB

MD5
a5c585fa77c51371f7b6dbfc10f8473d

SHA1
204f03b0a2850e86570b2029783ac69b3518c439

SHA256
56d360f9cba5a79d7ed0d11c298107f62275cadd569a470d078e4a92ea9306d3

SHA512
19a95fa991017e6787f023306d347bc99b4ddaed57a47a2c863989eb9b8f9e74e9d5db45c69e863cb895d8d95fc34ac633b8cb79e73aaa7b023be5e1f3fd6021

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3745608.exe
Filesize
14KB

MD5
cf00d02aceeb4224969efc47fe25c140

SHA1
dfabd48292f691f2784e682cea4178d408c525e6

SHA256
592a3bcb0985f4b4d4a3e77a2f2aa52818c1f88c529c74aac70b0d8af1daf011

SHA512
676cc3aeb9c9683c4f243b04ee86894e9f74b526212331f30f7c15595b16a238ca27144e84161d904964ded6f7fbd88a109b7ad35727b0b2f670f8f30847ff80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3745608.exe
Filesize
14KB

MD5
cf00d02aceeb4224969efc47fe25c140

SHA1
dfabd48292f691f2784e682cea4178d408c525e6

SHA256
592a3bcb0985f4b4d4a3e77a2f2aa52818c1f88c529c74aac70b0d8af1daf011

SHA512
676cc3aeb9c9683c4f243b04ee86894e9f74b526212331f30f7c15595b16a238ca27144e84161d904964ded6f7fbd88a109b7ad35727b0b2f670f8f30847ff80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8965370.exe
Filesize
147KB

MD5
58d8ac82d91e9e50aa3779eb663ae86b

SHA1
33488fcd51f18e069a6f106451e10b3dd284ddd8

SHA256
8c0d0455255403651e9544250f71158d0102af6de3230da435460147a90e9c1e

SHA512
7764e643265faa8b12fc62827ea4ce38bbe643e5dbfd8e6d39a3508465aebf778c7c8da0be190af0183c350ed8819b91663bc057cfa30a25cd85228d8d4506ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8965370.exe
Filesize
147KB

MD5
58d8ac82d91e9e50aa3779eb663ae86b

SHA1
33488fcd51f18e069a6f106451e10b3dd284ddd8

SHA256
8c0d0455255403651e9544250f71158d0102af6de3230da435460147a90e9c1e

SHA512
7764e643265faa8b12fc62827ea4ce38bbe643e5dbfd8e6d39a3508465aebf778c7c8da0be190af0183c350ed8819b91663bc057cfa30a25cd85228d8d4506ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
02f495c7083820a753bb962402703bc2

SHA1
e4166ec643667fefb24b5039c1d7d65e9ff2dd8a

SHA256
25447616ec11b93ec32791ebc5729ec36593995451c8470f997c7d25174ca3a2

SHA512
cc8ee1c197955111938a29beaf43d01565d2d897fcb1eb13835a1b3b6342fba386252c9b87163483dba7a707aaf7fb49e36ed01faa91e6d11430884645b31323

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
02f495c7083820a753bb962402703bc2

SHA1
e4166ec643667fefb24b5039c1d7d65e9ff2dd8a

SHA256
25447616ec11b93ec32791ebc5729ec36593995451c8470f997c7d25174ca3a2

SHA512
cc8ee1c197955111938a29beaf43d01565d2d897fcb1eb13835a1b3b6342fba386252c9b87163483dba7a707aaf7fb49e36ed01faa91e6d11430884645b31323

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
02f495c7083820a753bb962402703bc2

SHA1
e4166ec643667fefb24b5039c1d7d65e9ff2dd8a

SHA256
25447616ec11b93ec32791ebc5729ec36593995451c8470f997c7d25174ca3a2

SHA512
cc8ee1c197955111938a29beaf43d01565d2d897fcb1eb13835a1b3b6342fba386252c9b87163483dba7a707aaf7fb49e36ed01faa91e6d11430884645b31323

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
02f495c7083820a753bb962402703bc2

SHA1
e4166ec643667fefb24b5039c1d7d65e9ff2dd8a

SHA256
25447616ec11b93ec32791ebc5729ec36593995451c8470f997c7d25174ca3a2

SHA512
cc8ee1c197955111938a29beaf43d01565d2d897fcb1eb13835a1b3b6342fba386252c9b87163483dba7a707aaf7fb49e36ed01faa91e6d11430884645b31323

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
02f495c7083820a753bb962402703bc2

SHA1
e4166ec643667fefb24b5039c1d7d65e9ff2dd8a

SHA256
25447616ec11b93ec32791ebc5729ec36593995451c8470f997c7d25174ca3a2

SHA512
cc8ee1c197955111938a29beaf43d01565d2d897fcb1eb13835a1b3b6342fba386252c9b87163483dba7a707aaf7fb49e36ed01faa91e6d11430884645b31323

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1260-206-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1260-212-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/2484-182-0x000000000BF70000-0x000000000C514000-memory.dmp

Filesize
5.6MB

Download
memory/2484-188-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/2484-187-0x000000000CDF0000-0x000000000D31C000-memory.dmp

Filesize
5.2MB

Download
memory/2484-186-0x000000000C6F0000-0x000000000C8B2000-memory.dmp

Filesize
1.8MB

Download
memory/2484-184-0x000000000BEC0000-0x000000000BF10000-memory.dmp

Filesize
320KB

Download
memory/2484-183-0x000000000B290000-0x000000000B2F6000-memory.dmp

Filesize
408KB

Download
memory/2484-181-0x000000000B920000-0x000000000B9B2000-memory.dmp

Filesize
584KB

Download
memory/2484-180-0x000000000B1A0000-0x000000000B216000-memory.dmp

Filesize
472KB

Download
memory/2484-179-0x000000000AD90000-0x000000000ADCC000-memory.dmp

Filesize
240KB

Download
memory/2484-178-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/2484-177-0x000000000AD30000-0x000000000AD42000-memory.dmp

Filesize
72KB

Download
memory/2484-176-0x000000000ADF0000-0x000000000AEFA000-memory.dmp

Filesize
1.0MB

Download
memory/2484-175-0x000000000B300000-0x000000000B918000-memory.dmp

Filesize
6.1MB

Download
memory/2484-174-0x0000000000E70000-0x0000000000EA0000-memory.dmp

Filesize
192KB

Download
memory/3452-166-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3464-161-0x0000000000770000-0x000000000077A000-memory.dmp

Filesize
40KB

Download