redline | fc06e2fcbbf72caf62cca3fb69073d32fcf4ee3b2d21e1c84423cf0f4aff1632

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc06e2fcbbf72caf62cca3fb69073d32fcf4ee3b2d21e1c84423cf0f4aff1632.exe
Size

1.6MB
MD5

6df968be48546b97b30fd0f4b9c9feac
SHA1

f3adbf0dfb7d260cd4ae7cfcef86ba0817295373
SHA256

fc06e2fcbbf72caf62cca3fb69073d32fcf4ee3b2d21e1c84423cf0f4aff1632
SHA512

fa9641f8166c9b784d58f69d9809f99b30b12ae3c9f21d7bbf626b4342524b7b4b2598c89fe896899e71f3021ca9bb12aa48dc069443ad3ca9a6718548082a16
SSDEEP

49152:XZDEgxXUBtyW01tnfsDANA4HKKAfB++g6f:JIg1ztnfsMa4qJJ++g

Score

10^/10

redline gena most evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/3616-4537-0x0000000005C40000-0x0000000006258000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

1.exeb05309065.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	b05309065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b05309065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b05309065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b05309065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b05309065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b05309065.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a71732576.exec21758475.exeoneetx.exed77362047.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	a71732576.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	c21758475.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	d77362047.exe

Executes dropped EXE 14 IoCs

Processes:

Ut465462.exetz104005.exefM234155.exeYj869858.exea71732576.exe1.exeb05309065.exec21758475.exeoneetx.exed77362047.exe1.exef62428085.exeoneetx.exeoneetx.exe

pid	process
4648	Ut465462.exe
1584	tz104005.exe
4056	fM234155.exe
3708	Yj869858.exe
3752	a71732576.exe
232	1.exe
956	b05309065.exe
4496	c21758475.exe
4168	oneetx.exe
2460	d77362047.exe
3616	1.exe
1776	f62428085.exe
316	oneetx.exe
1840	oneetx.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1.exeb05309065.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	b05309065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	b05309065.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fM234155.exeYj869858.exefc06e2fcbbf72caf62cca3fb69073d32fcf4ee3b2d21e1c84423cf0f4aff1632.exetz104005.exeUt465462.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	fM234155.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Yj869858.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fc06e2fcbbf72caf62cca3fb69073d32fcf4ee3b2d21e1c84423cf0f4aff1632.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	tz104005.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ut465462.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	tz104005.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fM234155.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Yj869858.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fc06e2fcbbf72caf62cca3fb69073d32fcf4ee3b2d21e1c84423cf0f4aff1632.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Ut465462.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3680 956 WerFault.exe b05309065.exe
3336 2460 WerFault.exe d77362047.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4440 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1.exeb05309065.exe

pid process

232 1.exe
232 1.exe
956 b05309065.exe
956 b05309065.exe

pid	pid_target	process	target process
3680	956	WerFault.exe	b05309065.exe
3336	2460	WerFault.exe	d77362047.exe

pid	process
4440	schtasks.exe

pid	process
232	1.exe
232	1.exe
956	b05309065.exe
956	b05309065.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a71732576.exeb05309065.exe1.exed77362047.exe

description	pid	process
Token: SeDebugPrivilege	3752	a71732576.exe
Token: SeDebugPrivilege	956	b05309065.exe
Token: SeDebugPrivilege	232	1.exe
Token: SeDebugPrivilege	2460	d77362047.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

c21758475.exe

pid process

4496 c21758475.exe

pid	process
4496	c21758475.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

fc06e2fcbbf72caf62cca3fb69073d32fcf4ee3b2d21e1c84423cf0f4aff1632.exeUt465462.exetz104005.exefM234155.exeYj869858.exea71732576.exec21758475.exeoneetx.execmd.exed77362047.exe

description	pid	process	target process
PID 2768 wrote to memory of 4648	2768	fc06e2fcbbf72caf62cca3fb69073d32fcf4ee3b2d21e1c84423cf0f4aff1632.exe	Ut465462.exe
PID 2768 wrote to memory of 4648	2768	fc06e2fcbbf72caf62cca3fb69073d32fcf4ee3b2d21e1c84423cf0f4aff1632.exe	Ut465462.exe
PID 2768 wrote to memory of 4648	2768	fc06e2fcbbf72caf62cca3fb69073d32fcf4ee3b2d21e1c84423cf0f4aff1632.exe	Ut465462.exe
PID 4648 wrote to memory of 1584	4648	Ut465462.exe	tz104005.exe
PID 4648 wrote to memory of 1584	4648	Ut465462.exe	tz104005.exe
PID 4648 wrote to memory of 1584	4648	Ut465462.exe	tz104005.exe
PID 1584 wrote to memory of 4056	1584	tz104005.exe	fM234155.exe
PID 1584 wrote to memory of 4056	1584	tz104005.exe	fM234155.exe
PID 1584 wrote to memory of 4056	1584	tz104005.exe	fM234155.exe
PID 4056 wrote to memory of 3708	4056	fM234155.exe	Yj869858.exe
PID 4056 wrote to memory of 3708	4056	fM234155.exe	Yj869858.exe
PID 4056 wrote to memory of 3708	4056	fM234155.exe	Yj869858.exe
PID 3708 wrote to memory of 3752	3708	Yj869858.exe	a71732576.exe
PID 3708 wrote to memory of 3752	3708	Yj869858.exe	a71732576.exe
PID 3708 wrote to memory of 3752	3708	Yj869858.exe	a71732576.exe
PID 3752 wrote to memory of 232	3752	a71732576.exe	1.exe
PID 3752 wrote to memory of 232	3752	a71732576.exe	1.exe
PID 3708 wrote to memory of 956	3708	Yj869858.exe	b05309065.exe
PID 3708 wrote to memory of 956	3708	Yj869858.exe	b05309065.exe
PID 3708 wrote to memory of 956	3708	Yj869858.exe	b05309065.exe
PID 4056 wrote to memory of 4496	4056	fM234155.exe	c21758475.exe
PID 4056 wrote to memory of 4496	4056	fM234155.exe	c21758475.exe
PID 4056 wrote to memory of 4496	4056	fM234155.exe	c21758475.exe
PID 4496 wrote to memory of 4168	4496	c21758475.exe	oneetx.exe
PID 4496 wrote to memory of 4168	4496	c21758475.exe	oneetx.exe
PID 4496 wrote to memory of 4168	4496	c21758475.exe	oneetx.exe
PID 1584 wrote to memory of 2460	1584	tz104005.exe	d77362047.exe
PID 1584 wrote to memory of 2460	1584	tz104005.exe	d77362047.exe
PID 1584 wrote to memory of 2460	1584	tz104005.exe	d77362047.exe
PID 4168 wrote to memory of 4440	4168	oneetx.exe	schtasks.exe
PID 4168 wrote to memory of 4440	4168	oneetx.exe	schtasks.exe
PID 4168 wrote to memory of 4440	4168	oneetx.exe	schtasks.exe
PID 4168 wrote to memory of 2072	4168	oneetx.exe	cmd.exe
PID 4168 wrote to memory of 2072	4168	oneetx.exe	cmd.exe
PID 4168 wrote to memory of 2072	4168	oneetx.exe	cmd.exe
PID 2072 wrote to memory of 5060	2072	cmd.exe	cmd.exe
PID 2072 wrote to memory of 5060	2072	cmd.exe	cmd.exe
PID 2072 wrote to memory of 5060	2072	cmd.exe	cmd.exe
PID 2072 wrote to memory of 5064	2072	cmd.exe	cacls.exe
PID 2072 wrote to memory of 5064	2072	cmd.exe	cacls.exe
PID 2072 wrote to memory of 5064	2072	cmd.exe	cacls.exe
PID 2072 wrote to memory of 4452	2072	cmd.exe	cacls.exe
PID 2072 wrote to memory of 4452	2072	cmd.exe	cacls.exe
PID 2072 wrote to memory of 4452	2072	cmd.exe	cacls.exe
PID 2072 wrote to memory of 2116	2072	cmd.exe	cmd.exe
PID 2072 wrote to memory of 2116	2072	cmd.exe	cmd.exe
PID 2072 wrote to memory of 2116	2072	cmd.exe	cmd.exe
PID 2072 wrote to memory of 4148	2072	cmd.exe	cacls.exe
PID 2072 wrote to memory of 4148	2072	cmd.exe	cacls.exe
PID 2072 wrote to memory of 4148	2072	cmd.exe	cacls.exe
PID 2072 wrote to memory of 2088	2072	cmd.exe	cacls.exe
PID 2072 wrote to memory of 2088	2072	cmd.exe	cacls.exe
PID 2072 wrote to memory of 2088	2072	cmd.exe	cacls.exe
PID 2460 wrote to memory of 3616	2460	d77362047.exe	1.exe
PID 2460 wrote to memory of 3616	2460	d77362047.exe	1.exe
PID 2460 wrote to memory of 3616	2460	d77362047.exe	1.exe
PID 4648 wrote to memory of 1776	4648	Ut465462.exe	f62428085.exe
PID 4648 wrote to memory of 1776	4648	Ut465462.exe	f62428085.exe
PID 4648 wrote to memory of 1776	4648	Ut465462.exe	f62428085.exe

C:\Users\Admin\AppData\Local\Temp\fc06e2fcbbf72caf62cca3fb69073d32fcf4ee3b2d21e1c84423cf0f4aff1632.exe
"C:\Users\Admin\AppData\Local\Temp\fc06e2fcbbf72caf62cca3fb69073d32fcf4ee3b2d21e1c84423cf0f4aff1632.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2768

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ut465462.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ut465462.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4648

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz104005.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz104005.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fM234155.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fM234155.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4056

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Yj869858.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Yj869858.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3708

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a71732576.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a71732576.exe
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b05309065.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b05309065.exe
6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 1084
7⤵
- Program crash
PID:3680

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c21758475.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c21758475.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4496

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
7⤵
- Creates scheduled task(s)
PID:4440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
7⤵
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:5060

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
8⤵
PID:5064

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
8⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:2116

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:N"
8⤵
PID:4148

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:R" /E
8⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d77362047.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d77362047.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
5⤵
- Executes dropped EXE
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1384
5⤵
- Program crash
PID:3336

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f62428085.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f62428085.exe
3⤵
- Executes dropped EXE
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 956 -ip 956
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2460 -ip 2460
1⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:316

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:1840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ut465462.exe
Filesize
1.3MB

MD5
d94c00544de6b6aaa5c99d4e3c2d0014

SHA1
2dd8911830f9f3514c4e9da51ada954eb02904d6

SHA256
a228e048fd52019bc1806fcf434217d249108ee63cc7357d82b68e1221a80d60

SHA512
27369fa6acd0d23b6bcca0ebb56fceffb057e190902f54ae7d635a00fa495579e6c2f328116ffc4dc1c3aa1cc56ddbdf1133226f45ad6e8c9b92fa313c83b06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ut465462.exe
Filesize
1.3MB

MD5
d94c00544de6b6aaa5c99d4e3c2d0014

SHA1
2dd8911830f9f3514c4e9da51ada954eb02904d6

SHA256
a228e048fd52019bc1806fcf434217d249108ee63cc7357d82b68e1221a80d60

SHA512
27369fa6acd0d23b6bcca0ebb56fceffb057e190902f54ae7d635a00fa495579e6c2f328116ffc4dc1c3aa1cc56ddbdf1133226f45ad6e8c9b92fa313c83b06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f62428085.exe
Filesize
169KB

MD5
1dd03f424958ca2f63c4514fe5e014ee

SHA1
60b9dd43349231071771c444988f592c2d2aeca9

SHA256
e348e98dd34bf82504bea61ec8464f0c6a3a46d5c4d928042b1ee928d9fe5caa

SHA512
974169aba41e5b1af63cda01f3bc4775732dbf22df778417d6f6e57b7635999d1946920e438f2b0f9b282125e7218f6a765e0aaa9aa178baa4195d608ef5c5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f62428085.exe
Filesize
169KB

MD5
1dd03f424958ca2f63c4514fe5e014ee

SHA1
60b9dd43349231071771c444988f592c2d2aeca9

SHA256
e348e98dd34bf82504bea61ec8464f0c6a3a46d5c4d928042b1ee928d9fe5caa

SHA512
974169aba41e5b1af63cda01f3bc4775732dbf22df778417d6f6e57b7635999d1946920e438f2b0f9b282125e7218f6a765e0aaa9aa178baa4195d608ef5c5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz104005.exe
Filesize
1.2MB

MD5
a546a82228c2037c3ce2da1c22a3526b

SHA1
46a67ead2a9741a3d026ab766f884f1684de8a55

SHA256
851ffbfe2f680549cb154e81094e53f160952277e997b4f35ed9d9913985dbee

SHA512
a6c0e2b8c8f6fffb645e9662247fb841a537f59b81717f8ea86b8370447cafff9bf78ef7bbc7f35cfefaa0f7953c00e080efbc3fa553bc2911f4e63a8bef1bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz104005.exe
Filesize
1.2MB

MD5
a546a82228c2037c3ce2da1c22a3526b

SHA1
46a67ead2a9741a3d026ab766f884f1684de8a55

SHA256
851ffbfe2f680549cb154e81094e53f160952277e997b4f35ed9d9913985dbee

SHA512
a6c0e2b8c8f6fffb645e9662247fb841a537f59b81717f8ea86b8370447cafff9bf78ef7bbc7f35cfefaa0f7953c00e080efbc3fa553bc2911f4e63a8bef1bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d77362047.exe
Filesize
574KB

MD5
42e677c6e2f6b0d05c1b2a1dd43a079a

SHA1
b803eec8653892d4be5405e56f1338c086fe33d3

SHA256
ccb66ee058cf0d275b095c535d4a9664e2ab7e33052297379a74b735fc89d2c2

SHA512
cfb25ef1b7f01589635d50267b3b8f8843c50e14f8c6f1e784cf777094e09048a0cb69ed197b92f6de602d9e25aa86f52e41259f14012884a4fa45e477dfd679

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d77362047.exe
Filesize
574KB

MD5
42e677c6e2f6b0d05c1b2a1dd43a079a

SHA1
b803eec8653892d4be5405e56f1338c086fe33d3

SHA256
ccb66ee058cf0d275b095c535d4a9664e2ab7e33052297379a74b735fc89d2c2

SHA512
cfb25ef1b7f01589635d50267b3b8f8843c50e14f8c6f1e784cf777094e09048a0cb69ed197b92f6de602d9e25aa86f52e41259f14012884a4fa45e477dfd679

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fM234155.exe
Filesize
726KB

MD5
1cd3ab8d2eb807cd320692a3e7884c2c

SHA1
98319d72b6ed50747b7d380633d14ec8d1e960b5

SHA256
a0765ba272bda913e2cbdb7d482ab966390578a3725b7616c99556866a5bd483

SHA512
d49a00a803c1f0776e8660a53c918430955e43bcbd3745bf45a1920dbb7524f3e86b33d7a3a0d297c5b5206cedd9e90079f82045925f597b5a405813122e700b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fM234155.exe
Filesize
726KB

MD5
1cd3ab8d2eb807cd320692a3e7884c2c

SHA1
98319d72b6ed50747b7d380633d14ec8d1e960b5

SHA256
a0765ba272bda913e2cbdb7d482ab966390578a3725b7616c99556866a5bd483

SHA512
d49a00a803c1f0776e8660a53c918430955e43bcbd3745bf45a1920dbb7524f3e86b33d7a3a0d297c5b5206cedd9e90079f82045925f597b5a405813122e700b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Yj869858.exe
Filesize
554KB

MD5
0fe67b8a54ed183d4a1ea2f8204c4507

SHA1
a244d925e77216454769b7e146d29768757e4ae7

SHA256
bbefdfa81d13fb31d627f39b938b422a7d0aaade9e40800a009226ed0757c5a5

SHA512
7b976fa02a90317f5afae7edd47d70c6220802cdb14c8029167211d7bccbe59167cfb701b6a8692fcdfd37f0d3f374e27c1d904c416b91acf1c52f2854bce78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Yj869858.exe
Filesize
554KB

MD5
0fe67b8a54ed183d4a1ea2f8204c4507

SHA1
a244d925e77216454769b7e146d29768757e4ae7

SHA256
bbefdfa81d13fb31d627f39b938b422a7d0aaade9e40800a009226ed0757c5a5

SHA512
7b976fa02a90317f5afae7edd47d70c6220802cdb14c8029167211d7bccbe59167cfb701b6a8692fcdfd37f0d3f374e27c1d904c416b91acf1c52f2854bce78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c21758475.exe
Filesize
205KB

MD5
f8fb1323ebfeeff7f5e224b830121d6c

SHA1
07ed88ffe95202aa8ef656d26785d0cc02f0efc7

SHA256
587708cd844044801cdc381d9ecc5a7338802625e9bc2fdd8bf032fff35e1704

SHA512
3acbae1e85d8c1a9149ce3dec88c98132bb988b2abb64cd6666429070d6c7f7b5a636de98718f1c2dd7132607aca4089664ad02749d2c9d5b2f769365139366f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c21758475.exe
Filesize
205KB

MD5
f8fb1323ebfeeff7f5e224b830121d6c

SHA1
07ed88ffe95202aa8ef656d26785d0cc02f0efc7

SHA256
587708cd844044801cdc381d9ecc5a7338802625e9bc2fdd8bf032fff35e1704

SHA512
3acbae1e85d8c1a9149ce3dec88c98132bb988b2abb64cd6666429070d6c7f7b5a636de98718f1c2dd7132607aca4089664ad02749d2c9d5b2f769365139366f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a71732576.exe
Filesize
303KB

MD5
f9855f30d8b56acc97364bf89341a0a9

SHA1
a466c79d98ff024dec8bbb1be8df1152658ddf7a

SHA256
04af28a1f5487ce4047f0d1fc3a781565e0d5cb5375c49611e340a1c2ad72ca2

SHA512
30bdb05960330bd1d145fe7024ffc511c2bf7f8d1c330b53413dabcce62eccd1d247e5c5d6fe81287461e6d1551d2c2cf5f997de60045ad5d3767b79d93df9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a71732576.exe
Filesize
303KB

MD5
f9855f30d8b56acc97364bf89341a0a9

SHA1
a466c79d98ff024dec8bbb1be8df1152658ddf7a

SHA256
04af28a1f5487ce4047f0d1fc3a781565e0d5cb5375c49611e340a1c2ad72ca2

SHA512
30bdb05960330bd1d145fe7024ffc511c2bf7f8d1c330b53413dabcce62eccd1d247e5c5d6fe81287461e6d1551d2c2cf5f997de60045ad5d3767b79d93df9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b05309065.exe
Filesize
391KB

MD5
b1b64246e4e8cc5a961083726fbd9e09

SHA1
2ddaaa96273206baad72f7af78e710c67a138af3

SHA256
9d80e98e4f0427e8d7f22acb02f18c7e49fbfdbd0cebd122eda30bfce8efcd4f

SHA512
0ff13f01e48e2124dd62072973cc157df937d8af0ef4b93be87174fcdfc2e8cd24c6e45053141171648986b216840a90eaff55b47d8e4071f95687358df36589

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b05309065.exe
Filesize
391KB

MD5
b1b64246e4e8cc5a961083726fbd9e09

SHA1
2ddaaa96273206baad72f7af78e710c67a138af3

SHA256
9d80e98e4f0427e8d7f22acb02f18c7e49fbfdbd0cebd122eda30bfce8efcd4f

SHA512
0ff13f01e48e2124dd62072973cc157df937d8af0ef4b93be87174fcdfc2e8cd24c6e45053141171648986b216840a90eaff55b47d8e4071f95687358df36589

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
Filesize
205KB

MD5
f8fb1323ebfeeff7f5e224b830121d6c

SHA1
07ed88ffe95202aa8ef656d26785d0cc02f0efc7

SHA256
587708cd844044801cdc381d9ecc5a7338802625e9bc2fdd8bf032fff35e1704

SHA512
3acbae1e85d8c1a9149ce3dec88c98132bb988b2abb64cd6666429070d6c7f7b5a636de98718f1c2dd7132607aca4089664ad02749d2c9d5b2f769365139366f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
Filesize
205KB

MD5
f8fb1323ebfeeff7f5e224b830121d6c

SHA1
07ed88ffe95202aa8ef656d26785d0cc02f0efc7

SHA256
587708cd844044801cdc381d9ecc5a7338802625e9bc2fdd8bf032fff35e1704

SHA512
3acbae1e85d8c1a9149ce3dec88c98132bb988b2abb64cd6666429070d6c7f7b5a636de98718f1c2dd7132607aca4089664ad02749d2c9d5b2f769365139366f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
Filesize
205KB

MD5
f8fb1323ebfeeff7f5e224b830121d6c

SHA1
07ed88ffe95202aa8ef656d26785d0cc02f0efc7

SHA256
587708cd844044801cdc381d9ecc5a7338802625e9bc2fdd8bf032fff35e1704

SHA512
3acbae1e85d8c1a9149ce3dec88c98132bb988b2abb64cd6666429070d6c7f7b5a636de98718f1c2dd7132607aca4089664ad02749d2c9d5b2f769365139366f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
Filesize
205KB

MD5
f8fb1323ebfeeff7f5e224b830121d6c

SHA1
07ed88ffe95202aa8ef656d26785d0cc02f0efc7

SHA256
587708cd844044801cdc381d9ecc5a7338802625e9bc2fdd8bf032fff35e1704

SHA512
3acbae1e85d8c1a9149ce3dec88c98132bb988b2abb64cd6666429070d6c7f7b5a636de98718f1c2dd7132607aca4089664ad02749d2c9d5b2f769365139366f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
Filesize
205KB

MD5
f8fb1323ebfeeff7f5e224b830121d6c

SHA1
07ed88ffe95202aa8ef656d26785d0cc02f0efc7

SHA256
587708cd844044801cdc381d9ecc5a7338802625e9bc2fdd8bf032fff35e1704

SHA512
3acbae1e85d8c1a9149ce3dec88c98132bb988b2abb64cd6666429070d6c7f7b5a636de98718f1c2dd7132607aca4089664ad02749d2c9d5b2f769365139366f

Download Submit
C:\Windows\Temp\1.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/232-2313-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/956-2354-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/956-2353-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/956-2352-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/956-2348-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/956-2347-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/956-2346-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/1776-4550-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/1776-4545-0x0000000000C50000-0x0000000000C80000-memory.dmp

Filesize
192KB

Download
memory/1776-4547-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/2460-2544-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/2460-2545-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/2460-2547-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/2460-4524-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/2460-2542-0x0000000000910000-0x000000000096B000-memory.dmp

Filesize
364KB

Download
memory/3616-4537-0x0000000005C40000-0x0000000006258000-memory.dmp

Filesize
6.1MB

Download
memory/3616-4539-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/3616-4541-0x0000000005620000-0x000000000565C000-memory.dmp

Filesize
240KB

Download
memory/3616-4538-0x0000000005730000-0x000000000583A000-memory.dmp

Filesize
1.0MB

Download
memory/3616-4546-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/3616-4536-0x0000000000C40000-0x0000000000C6E000-memory.dmp

Filesize
184KB

Download
memory/3616-4549-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/3752-190-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-2300-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/3752-235-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-233-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-231-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-229-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-225-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-227-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-223-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-221-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-219-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-217-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-215-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-213-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-211-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-209-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-207-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-205-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-203-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-201-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-199-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-197-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-195-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-193-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-192-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/3752-189-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/3752-188-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/3752-186-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-184-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-176-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-182-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-178-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-180-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-174-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-172-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-170-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-169-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3752-168-0x0000000004AF0000-0x0000000005094000-memory.dmp

Filesize
5.6MB

Download