redline | daf60a5bcab1649d22f424e0bc41b0a4d9cbd444c42ceab6f129883d32e4a675

Analysis

max time kernel
142s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2023 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

daf60a5bcab1649d22f424e0bc41b0a4d9cbd444c42ceab6f129883d32e4a675.exe
Size

1.1MB
MD5

239f9de8a3fae44b6bfe4c31b59b05e4
SHA1

1bb7338ca10047a6cd242be59a6d27796c1816db
SHA256

daf60a5bcab1649d22f424e0bc41b0a4d9cbd444c42ceab6f129883d32e4a675
SHA512

82f48c75bbe0cc79203218e76677cbcd1f459c7e9c1a6c882aab2d4dd4afc9c9ffae54bc7563c211b959cc90a8309a4bbaec95db06e37993819805a2896ae9eb
SSDEEP

24576:1y2coo1nqFNHm4ubkwE8RN+sqG/O96OMOVghuglXf6Juua:QvomnQHGC8f7W/ghuAPd

Score

10^/10

redline derek warum discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

derek

185.161.248.75:4132

Attributes

auth_value
c7030724b2b40537db5ba680b1d82ed2

Extracted

Family

redline

Botnet

warum

185.161.248.75:4132

Attributes

auth_value
0bdb2dda91dadc65f555dee088a6a2a4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

g3173628.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	g3173628.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	g3173628.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	g3173628.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	g3173628.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	g3173628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	g3173628.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

oneetx.exeh9206486.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	h9206486.exe

Executes dropped EXE 16 IoCs

Processes:

x4316130.exex9392531.exef9051276.exeg3173628.exeh9206486.exeh9206486.exei3768336.exeoneetx.exei3768336.exeoneetx.exeoneetx.exeoneetx.exeoneetx.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
1416	x4316130.exe
1240	x9392531.exe
3440	f9051276.exe
1084	g3173628.exe
4252	h9206486.exe
3832	h9206486.exe
2660	i3768336.exe
4528	oneetx.exe
4016	i3768336.exe
1784	oneetx.exe
4204	oneetx.exe
4140	oneetx.exe
4928	oneetx.exe
4392	oneetx.exe
2372	oneetx.exe
2776	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

232 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
232	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

g3173628.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	g3173628.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	g3173628.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

x4316130.exex9392531.exedaf60a5bcab1649d22f424e0bc41b0a4d9cbd444c42ceab6f129883d32e4a675.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4316130.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4316130.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x9392531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9392531.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	daf60a5bcab1649d22f424e0bc41b0a4d9cbd444c42ceab6f129883d32e4a675.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	daf60a5bcab1649d22f424e0bc41b0a4d9cbd444c42ceab6f129883d32e4a675.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 5 IoCs

Processes:

h9206486.exei3768336.exeoneetx.exeoneetx.exeoneetx.exe

description	pid	process	target process
PID 4252 set thread context of 3832	4252	h9206486.exe	h9206486.exe
PID 2660 set thread context of 4016	2660	i3768336.exe	i3768336.exe
PID 4528 set thread context of 1784	4528	oneetx.exe	oneetx.exe
PID 4204 set thread context of 4140	4204	oneetx.exe	oneetx.exe
PID 4928 set thread context of 2776	4928	oneetx.exe	oneetx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

332 2776 WerFault.exe oneetx.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3856 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

f9051276.exeg3173628.exei3768336.exe

pid process

3440 f9051276.exe
3440 f9051276.exe
1084 g3173628.exe
1084 g3173628.exe
4016 i3768336.exe
4016 i3768336.exe

pid	pid_target	process	target process
332	2776	WerFault.exe	oneetx.exe

pid	process
3856	schtasks.exe

pid	process
3440	f9051276.exe
3440	f9051276.exe
1084	g3173628.exe
1084	g3173628.exe
4016	i3768336.exe
4016	i3768336.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

f9051276.exeg3173628.exeh9206486.exei3768336.exeoneetx.exei3768336.exeoneetx.exeoneetx.exe

description	pid	process
Token: SeDebugPrivilege	3440	f9051276.exe
Token: SeDebugPrivilege	1084	g3173628.exe
Token: SeDebugPrivilege	4252	h9206486.exe
Token: SeDebugPrivilege	2660	i3768336.exe
Token: SeDebugPrivilege	4528	oneetx.exe
Token: SeDebugPrivilege	4016	i3768336.exe
Token: SeDebugPrivilege	4204	oneetx.exe
Token: SeDebugPrivilege	4928	oneetx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

h9206486.exe

pid process

3832 h9206486.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

oneetx.exe

pid process

2776 oneetx.exe

pid	process
3832	h9206486.exe

pid	process
2776	oneetx.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

daf60a5bcab1649d22f424e0bc41b0a4d9cbd444c42ceab6f129883d32e4a675.exex4316130.exex9392531.exeh9206486.exei3768336.exeh9206486.exeoneetx.exeoneetx.execmd.exe

description	pid	process	target process
PID 1268 wrote to memory of 1416	1268	daf60a5bcab1649d22f424e0bc41b0a4d9cbd444c42ceab6f129883d32e4a675.exe	x4316130.exe
PID 1268 wrote to memory of 1416	1268	daf60a5bcab1649d22f424e0bc41b0a4d9cbd444c42ceab6f129883d32e4a675.exe	x4316130.exe
PID 1268 wrote to memory of 1416	1268	daf60a5bcab1649d22f424e0bc41b0a4d9cbd444c42ceab6f129883d32e4a675.exe	x4316130.exe
PID 1416 wrote to memory of 1240	1416	x4316130.exe	x9392531.exe
PID 1416 wrote to memory of 1240	1416	x4316130.exe	x9392531.exe
PID 1416 wrote to memory of 1240	1416	x4316130.exe	x9392531.exe
PID 1240 wrote to memory of 3440	1240	x9392531.exe	f9051276.exe
PID 1240 wrote to memory of 3440	1240	x9392531.exe	f9051276.exe
PID 1240 wrote to memory of 3440	1240	x9392531.exe	f9051276.exe
PID 1240 wrote to memory of 1084	1240	x9392531.exe	g3173628.exe
PID 1240 wrote to memory of 1084	1240	x9392531.exe	g3173628.exe
PID 1240 wrote to memory of 1084	1240	x9392531.exe	g3173628.exe
PID 1416 wrote to memory of 4252	1416	x4316130.exe	h9206486.exe
PID 1416 wrote to memory of 4252	1416	x4316130.exe	h9206486.exe
PID 1416 wrote to memory of 4252	1416	x4316130.exe	h9206486.exe
PID 4252 wrote to memory of 3832	4252	h9206486.exe	h9206486.exe
PID 4252 wrote to memory of 3832	4252	h9206486.exe	h9206486.exe
PID 4252 wrote to memory of 3832	4252	h9206486.exe	h9206486.exe
PID 4252 wrote to memory of 3832	4252	h9206486.exe	h9206486.exe
PID 4252 wrote to memory of 3832	4252	h9206486.exe	h9206486.exe
PID 4252 wrote to memory of 3832	4252	h9206486.exe	h9206486.exe
PID 4252 wrote to memory of 3832	4252	h9206486.exe	h9206486.exe
PID 4252 wrote to memory of 3832	4252	h9206486.exe	h9206486.exe
PID 4252 wrote to memory of 3832	4252	h9206486.exe	h9206486.exe
PID 4252 wrote to memory of 3832	4252	h9206486.exe	h9206486.exe
PID 1268 wrote to memory of 2660	1268	daf60a5bcab1649d22f424e0bc41b0a4d9cbd444c42ceab6f129883d32e4a675.exe	i3768336.exe
PID 1268 wrote to memory of 2660	1268	daf60a5bcab1649d22f424e0bc41b0a4d9cbd444c42ceab6f129883d32e4a675.exe	i3768336.exe
PID 1268 wrote to memory of 2660	1268	daf60a5bcab1649d22f424e0bc41b0a4d9cbd444c42ceab6f129883d32e4a675.exe	i3768336.exe
PID 2660 wrote to memory of 4016	2660	i3768336.exe	i3768336.exe
PID 2660 wrote to memory of 4016	2660	i3768336.exe	i3768336.exe
PID 2660 wrote to memory of 4016	2660	i3768336.exe	i3768336.exe
PID 3832 wrote to memory of 4528	3832	h9206486.exe	oneetx.exe
PID 3832 wrote to memory of 4528	3832	h9206486.exe	oneetx.exe
PID 3832 wrote to memory of 4528	3832	h9206486.exe	oneetx.exe
PID 4528 wrote to memory of 1784	4528	oneetx.exe	oneetx.exe
PID 4528 wrote to memory of 1784	4528	oneetx.exe	oneetx.exe
PID 4528 wrote to memory of 1784	4528	oneetx.exe	oneetx.exe
PID 2660 wrote to memory of 4016	2660	i3768336.exe	i3768336.exe
PID 2660 wrote to memory of 4016	2660	i3768336.exe	i3768336.exe
PID 2660 wrote to memory of 4016	2660	i3768336.exe	i3768336.exe
PID 2660 wrote to memory of 4016	2660	i3768336.exe	i3768336.exe
PID 2660 wrote to memory of 4016	2660	i3768336.exe	i3768336.exe
PID 4528 wrote to memory of 1784	4528	oneetx.exe	oneetx.exe
PID 4528 wrote to memory of 1784	4528	oneetx.exe	oneetx.exe
PID 4528 wrote to memory of 1784	4528	oneetx.exe	oneetx.exe
PID 4528 wrote to memory of 1784	4528	oneetx.exe	oneetx.exe
PID 4528 wrote to memory of 1784	4528	oneetx.exe	oneetx.exe
PID 4528 wrote to memory of 1784	4528	oneetx.exe	oneetx.exe
PID 4528 wrote to memory of 1784	4528	oneetx.exe	oneetx.exe
PID 1784 wrote to memory of 3856	1784	oneetx.exe	schtasks.exe
PID 1784 wrote to memory of 3856	1784	oneetx.exe	schtasks.exe
PID 1784 wrote to memory of 3856	1784	oneetx.exe	schtasks.exe
PID 1784 wrote to memory of 4656	1784	oneetx.exe	cmd.exe
PID 1784 wrote to memory of 4656	1784	oneetx.exe	cmd.exe
PID 1784 wrote to memory of 4656	1784	oneetx.exe	cmd.exe
PID 4656 wrote to memory of 644	4656	cmd.exe	cmd.exe
PID 4656 wrote to memory of 644	4656	cmd.exe	cmd.exe
PID 4656 wrote to memory of 644	4656	cmd.exe	cmd.exe
PID 4656 wrote to memory of 2172	4656	cmd.exe	cacls.exe
PID 4656 wrote to memory of 2172	4656	cmd.exe	cacls.exe
PID 4656 wrote to memory of 2172	4656	cmd.exe	cacls.exe
PID 4656 wrote to memory of 3268	4656	cmd.exe	cacls.exe
PID 4656 wrote to memory of 3268	4656	cmd.exe	cacls.exe
PID 4656 wrote to memory of 3268	4656	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\daf60a5bcab1649d22f424e0bc41b0a4d9cbd444c42ceab6f129883d32e4a675.exe
"C:\Users\Admin\AppData\Local\Temp\daf60a5bcab1649d22f424e0bc41b0a4d9cbd444c42ceab6f129883d32e4a675.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4316130.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4316130.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9392531.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9392531.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9051276.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9051276.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3173628.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3173628.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9206486.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9206486.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4252

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9206486.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9206486.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3832

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
7⤵
- Creates scheduled task(s)
PID:3856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
7⤵
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:644

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
8⤵
PID:2172

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
8⤵
PID:3268

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c3912af058" /P "Admin:N"
8⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:944

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c3912af058" /P "Admin:R" /E
8⤵
PID:744

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
7⤵
- Loads dropped DLL
PID:232

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i3768336.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i3768336.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i3768336.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i3768336.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
2⤵
- Executes dropped EXE
PID:4140

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
2⤵
- Executes dropped EXE
PID:4392

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
2⤵
- Executes dropped EXE
PID:2372

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
2⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 12
3⤵
- Program crash
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2776 -ip 2776
1⤵
PID:4812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\i3768336.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oneetx.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i3768336.exe
Filesize
903KB

MD5
f60efe1fdc6d86dd2c534d03f2a0d389

SHA1
c5d1774ed2181af60b49c61465b889990f4684ac

SHA256
36fa94f154cc9a84591cb0199c30bf85bf6bd70827c1c9d6ae95f810d7d901a0

SHA512
62b651429ef503861ca543cec135e45c27814553e963a7ea6cb6b96f8c842fcdd837d6f8549b7cab17ce2af2b22abd9a122ee82a42dc9d29b0f3eaa6b78e2f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i3768336.exe
Filesize
903KB

MD5
f60efe1fdc6d86dd2c534d03f2a0d389

SHA1
c5d1774ed2181af60b49c61465b889990f4684ac

SHA256
36fa94f154cc9a84591cb0199c30bf85bf6bd70827c1c9d6ae95f810d7d901a0

SHA512
62b651429ef503861ca543cec135e45c27814553e963a7ea6cb6b96f8c842fcdd837d6f8549b7cab17ce2af2b22abd9a122ee82a42dc9d29b0f3eaa6b78e2f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i3768336.exe
Filesize
903KB

MD5
f60efe1fdc6d86dd2c534d03f2a0d389

SHA1
c5d1774ed2181af60b49c61465b889990f4684ac

SHA256
36fa94f154cc9a84591cb0199c30bf85bf6bd70827c1c9d6ae95f810d7d901a0

SHA512
62b651429ef503861ca543cec135e45c27814553e963a7ea6cb6b96f8c842fcdd837d6f8549b7cab17ce2af2b22abd9a122ee82a42dc9d29b0f3eaa6b78e2f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4316130.exe
Filesize
750KB

MD5
285fcf23560c2cec34b961c9aab6e4a1

SHA1
b3ffe948bf91958da7bf490b655ca6bbd8336a15

SHA256
53f7d2f5e10bc657cfd30cd64965ec4ec5b382341f69ecffa0795ab231d2a821

SHA512
ddaa04cba811575725f09798a17128dd35dcf1914bfd4fe082bb3dad89f44c3f5d72b795ff94d6a06c39950f6f5751365dd5734bfbcd34fad99b436b7a8398c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4316130.exe
Filesize
750KB

MD5
285fcf23560c2cec34b961c9aab6e4a1

SHA1
b3ffe948bf91958da7bf490b655ca6bbd8336a15

SHA256
53f7d2f5e10bc657cfd30cd64965ec4ec5b382341f69ecffa0795ab231d2a821

SHA512
ddaa04cba811575725f09798a17128dd35dcf1914bfd4fe082bb3dad89f44c3f5d72b795ff94d6a06c39950f6f5751365dd5734bfbcd34fad99b436b7a8398c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9206486.exe
Filesize
963KB

MD5
b27b2fa55a064d382724ca0dd3f50226

SHA1
c9378bfd6a7e9b7d2b101c9c96928c4695a7025c

SHA256
15fab6e1858fe01e9fa84674cf62067bad6c6ed6c6f4ab6e48054cef3813c253

SHA512
19264e6afc0505b518e04cc2aa11bd6f1e6dac328fcf29d97dd670395a35f355ec570232481d54275a3fa7f206db91d0ad8c7adbef74a4d20e34cae333c274d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9206486.exe
Filesize
963KB

MD5
b27b2fa55a064d382724ca0dd3f50226

SHA1
c9378bfd6a7e9b7d2b101c9c96928c4695a7025c

SHA256
15fab6e1858fe01e9fa84674cf62067bad6c6ed6c6f4ab6e48054cef3813c253

SHA512
19264e6afc0505b518e04cc2aa11bd6f1e6dac328fcf29d97dd670395a35f355ec570232481d54275a3fa7f206db91d0ad8c7adbef74a4d20e34cae333c274d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9206486.exe
Filesize
963KB

MD5
b27b2fa55a064d382724ca0dd3f50226

SHA1
c9378bfd6a7e9b7d2b101c9c96928c4695a7025c

SHA256
15fab6e1858fe01e9fa84674cf62067bad6c6ed6c6f4ab6e48054cef3813c253

SHA512
19264e6afc0505b518e04cc2aa11bd6f1e6dac328fcf29d97dd670395a35f355ec570232481d54275a3fa7f206db91d0ad8c7adbef74a4d20e34cae333c274d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9392531.exe
Filesize
305KB

MD5
36716402c4678ceee93743cc66d32b1c

SHA1
96acc1f0f21c4ef117cc69b934e81231bbba94fb

SHA256
9400e4d26540bff5dd9aa3675a4c77eeb8ae02b947bfb927570f9681105487fc

SHA512
9cd4a761e6896f5dc8ea42b7401ce99d6a4afebea07a6aae3a4048189e8c7cf4fa4ac6566eb42e2d2c91d4ca6a4a39ab719d1635d7e5dba7409e3f5b3f3f2aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9392531.exe
Filesize
305KB

MD5
36716402c4678ceee93743cc66d32b1c

SHA1
96acc1f0f21c4ef117cc69b934e81231bbba94fb

SHA256
9400e4d26540bff5dd9aa3675a4c77eeb8ae02b947bfb927570f9681105487fc

SHA512
9cd4a761e6896f5dc8ea42b7401ce99d6a4afebea07a6aae3a4048189e8c7cf4fa4ac6566eb42e2d2c91d4ca6a4a39ab719d1635d7e5dba7409e3f5b3f3f2aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9051276.exe
Filesize
145KB

MD5
5418a394a39c70cab8498386f4deb3cf

SHA1
a4a6270271dbcd142b00e44161e948e0938f8349

SHA256
57f9d3aab9aff1283c102dd5a2c3dd0a2a5e156da77718807869acd38cab2231

SHA512
9e6d3a0e2d363847fd2b324109faff8164797d4afef83e6ec66de1e527717429febb685f088738ce1785c39301ce4f9df0ec22ed18dca5f3f0951f7cf1bc83d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9051276.exe
Filesize
145KB

MD5
5418a394a39c70cab8498386f4deb3cf

SHA1
a4a6270271dbcd142b00e44161e948e0938f8349

SHA256
57f9d3aab9aff1283c102dd5a2c3dd0a2a5e156da77718807869acd38cab2231

SHA512
9e6d3a0e2d363847fd2b324109faff8164797d4afef83e6ec66de1e527717429febb685f088738ce1785c39301ce4f9df0ec22ed18dca5f3f0951f7cf1bc83d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3173628.exe
Filesize
183KB

MD5
675712c02a961459cb210fbb4b523e8e

SHA1
87b0d298ca0eda5b11b2ab19b7e0b90ddf9ded44

SHA256
ba919c3b5da1d16a18ffd0ae2abe5e5b1059bd4943607d5fe7d1b6341561736f

SHA512
b806cb9a0c41824b8b89071e7495e72bd900b2f7ba706411945d5821a7784062e0f3bd8a24e68d3aff78bba58d1d220199af05cf2dc657ecbe25f476f5ba1fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3173628.exe
Filesize
183KB

MD5
675712c02a961459cb210fbb4b523e8e

SHA1
87b0d298ca0eda5b11b2ab19b7e0b90ddf9ded44

SHA256
ba919c3b5da1d16a18ffd0ae2abe5e5b1059bd4943607d5fe7d1b6341561736f

SHA512
b806cb9a0c41824b8b89071e7495e72bd900b2f7ba706411945d5821a7784062e0f3bd8a24e68d3aff78bba58d1d220199af05cf2dc657ecbe25f476f5ba1fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
Filesize
963KB

MD5
b27b2fa55a064d382724ca0dd3f50226

SHA1
c9378bfd6a7e9b7d2b101c9c96928c4695a7025c

SHA256
15fab6e1858fe01e9fa84674cf62067bad6c6ed6c6f4ab6e48054cef3813c253

SHA512
19264e6afc0505b518e04cc2aa11bd6f1e6dac328fcf29d97dd670395a35f355ec570232481d54275a3fa7f206db91d0ad8c7adbef74a4d20e34cae333c274d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
Filesize
963KB

MD5
b27b2fa55a064d382724ca0dd3f50226

SHA1
c9378bfd6a7e9b7d2b101c9c96928c4695a7025c

SHA256
15fab6e1858fe01e9fa84674cf62067bad6c6ed6c6f4ab6e48054cef3813c253

SHA512
19264e6afc0505b518e04cc2aa11bd6f1e6dac328fcf29d97dd670395a35f355ec570232481d54275a3fa7f206db91d0ad8c7adbef74a4d20e34cae333c274d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
Filesize
963KB

MD5
b27b2fa55a064d382724ca0dd3f50226

SHA1
c9378bfd6a7e9b7d2b101c9c96928c4695a7025c

SHA256
15fab6e1858fe01e9fa84674cf62067bad6c6ed6c6f4ab6e48054cef3813c253

SHA512
19264e6afc0505b518e04cc2aa11bd6f1e6dac328fcf29d97dd670395a35f355ec570232481d54275a3fa7f206db91d0ad8c7adbef74a4d20e34cae333c274d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
Filesize
963KB

MD5
b27b2fa55a064d382724ca0dd3f50226

SHA1
c9378bfd6a7e9b7d2b101c9c96928c4695a7025c

SHA256
15fab6e1858fe01e9fa84674cf62067bad6c6ed6c6f4ab6e48054cef3813c253

SHA512
19264e6afc0505b518e04cc2aa11bd6f1e6dac328fcf29d97dd670395a35f355ec570232481d54275a3fa7f206db91d0ad8c7adbef74a4d20e34cae333c274d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
Filesize
963KB

MD5
b27b2fa55a064d382724ca0dd3f50226

SHA1
c9378bfd6a7e9b7d2b101c9c96928c4695a7025c

SHA256
15fab6e1858fe01e9fa84674cf62067bad6c6ed6c6f4ab6e48054cef3813c253

SHA512
19264e6afc0505b518e04cc2aa11bd6f1e6dac328fcf29d97dd670395a35f355ec570232481d54275a3fa7f206db91d0ad8c7adbef74a4d20e34cae333c274d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
Filesize
963KB

MD5
b27b2fa55a064d382724ca0dd3f50226

SHA1
c9378bfd6a7e9b7d2b101c9c96928c4695a7025c

SHA256
15fab6e1858fe01e9fa84674cf62067bad6c6ed6c6f4ab6e48054cef3813c253

SHA512
19264e6afc0505b518e04cc2aa11bd6f1e6dac328fcf29d97dd670395a35f355ec570232481d54275a3fa7f206db91d0ad8c7adbef74a4d20e34cae333c274d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
Filesize
963KB

MD5
b27b2fa55a064d382724ca0dd3f50226

SHA1
c9378bfd6a7e9b7d2b101c9c96928c4695a7025c

SHA256
15fab6e1858fe01e9fa84674cf62067bad6c6ed6c6f4ab6e48054cef3813c253

SHA512
19264e6afc0505b518e04cc2aa11bd6f1e6dac328fcf29d97dd670395a35f355ec570232481d54275a3fa7f206db91d0ad8c7adbef74a4d20e34cae333c274d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
Filesize
963KB

MD5
b27b2fa55a064d382724ca0dd3f50226

SHA1
c9378bfd6a7e9b7d2b101c9c96928c4695a7025c

SHA256
15fab6e1858fe01e9fa84674cf62067bad6c6ed6c6f4ab6e48054cef3813c253

SHA512
19264e6afc0505b518e04cc2aa11bd6f1e6dac328fcf29d97dd670395a35f355ec570232481d54275a3fa7f206db91d0ad8c7adbef74a4d20e34cae333c274d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
Filesize
963KB

MD5
b27b2fa55a064d382724ca0dd3f50226

SHA1
c9378bfd6a7e9b7d2b101c9c96928c4695a7025c

SHA256
15fab6e1858fe01e9fa84674cf62067bad6c6ed6c6f4ab6e48054cef3813c253

SHA512
19264e6afc0505b518e04cc2aa11bd6f1e6dac328fcf29d97dd670395a35f355ec570232481d54275a3fa7f206db91d0ad8c7adbef74a4d20e34cae333c274d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
Filesize
963KB

MD5
b27b2fa55a064d382724ca0dd3f50226

SHA1
c9378bfd6a7e9b7d2b101c9c96928c4695a7025c

SHA256
15fab6e1858fe01e9fa84674cf62067bad6c6ed6c6f4ab6e48054cef3813c253

SHA512
19264e6afc0505b518e04cc2aa11bd6f1e6dac328fcf29d97dd670395a35f355ec570232481d54275a3fa7f206db91d0ad8c7adbef74a4d20e34cae333c274d9

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1084-177-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1084-191-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1084-195-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1084-197-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1084-199-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1084-193-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1084-187-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1084-200-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/1084-201-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/1084-202-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/1084-189-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1084-179-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1084-181-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1084-185-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1084-183-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1084-175-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1084-173-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1084-172-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1784-244-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1784-245-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1784-275-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1784-248-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1784-247-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2660-219-0x0000000007C70000-0x0000000007C80000-memory.dmp

Filesize
64KB

Download
memory/2660-216-0x0000000000E90000-0x0000000000F78000-memory.dmp

Filesize
928KB

Download
memory/2776-283-0x00000000003E0000-0x00000000003E0000-memory.dmp

Download
memory/3440-162-0x0000000006320000-0x0000000006386000-memory.dmp

Filesize
408KB

Download
memory/3440-164-0x0000000006740000-0x00000000067B6000-memory.dmp

Filesize
472KB

Download
memory/3440-160-0x0000000006830000-0x0000000006DD4000-memory.dmp

Filesize
5.6MB

Download
memory/3440-155-0x0000000005C60000-0x0000000006278000-memory.dmp

Filesize
6.1MB

Download
memory/3440-167-0x00000000077B0000-0x0000000007CDC000-memory.dmp

Filesize
5.2MB

Download
memory/3440-161-0x0000000006280000-0x0000000006312000-memory.dmp

Filesize
584KB

Download
memory/3440-166-0x00000000070B0000-0x0000000007272000-memory.dmp

Filesize
1.8MB

Download
memory/3440-165-0x00000000067C0000-0x0000000006810000-memory.dmp

Filesize
320KB

Download
memory/3440-158-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/3440-157-0x0000000005710000-0x0000000005722000-memory.dmp

Filesize
72KB

Download
memory/3440-159-0x0000000005770000-0x00000000057AC000-memory.dmp

Filesize
240KB

Download
memory/3440-154-0x0000000000D40000-0x0000000000D6A000-memory.dmp

Filesize
168KB

Download
memory/3440-163-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/3440-156-0x00000000057E0000-0x00000000058EA000-memory.dmp

Filesize
1.0MB

Download
memory/3832-217-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3832-209-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3832-234-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3832-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3832-213-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4016-240-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/4016-236-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4140-257-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4140-256-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4140-255-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4204-252-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/4252-207-0x00000000003C0000-0x00000000004B8000-memory.dmp

Filesize
992KB

Download
memory/4252-208-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/4528-235-0x0000000006FA0000-0x0000000006FB0000-memory.dmp

Filesize
64KB

Download