redline | 053dc036721ceda10360e1a8f72a29bb7e71b0491226448842a6f858193d7949

Analysis

max time kernel
109s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2023, 03:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

053dc036721ceda10360e1a8f72a29bb7e71b0491226448842a6f858193d7949.exe
Size

916KB
MD5

780985af702d1e6d69e2a667387717b8
SHA1

100dbdd5553b3484179def9bd240b0f86f5aa14b
SHA256

053dc036721ceda10360e1a8f72a29bb7e71b0491226448842a6f858193d7949
SHA512

fcae179a1a6ce240e42689eb89e17823b9c87f2f573462225b52d8b04006d65695a44f834750db5a69a98b7ff9cf1bdb7d0f3d1daabd346e1abc0ea1024cf15e
SSDEEP

12288:PMrMy90KTNw24qr9Q+5ajh4oENiNgBJTDEcSPViLh7kw2BkiqrTB3FR71EGRIb6n:fyDC2W2MlYiy7ojPvwNiAT3EGC2YinX

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.122:19062

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5188132.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5188132.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5188132.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5188132.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5188132.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5188132.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 31 IoCs

resource	yara_rule
behavioral1/memory/3196-190-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-189-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-192-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-194-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-196-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-198-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-202-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-200-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-204-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-206-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-208-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-210-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-212-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-214-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-216-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-218-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-220-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-222-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-224-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-226-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-231-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-233-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-235-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-237-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-239-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-241-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-243-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-245-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-249-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-247-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/3196-251-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	c7273539.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 14 IoCs

pid	Process
3672	v4427116.exe
4304	v2034740.exe
1056	a5188132.exe
4512	b4428142.exe
2172	c7273539.exe
3924	c7273539.exe
3196	d6528790.exe
3440	oneetx.exe
1292	oneetx.exe
3288	oneetx.exe
1960	oneetx.exe
1844	oneetx.exe
4312	oneetx.exe
1988	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
1812	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5188132.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4427116.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2034740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2034740.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	053dc036721ceda10360e1a8f72a29bb7e71b0491226448842a6f858193d7949.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	053dc036721ceda10360e1a8f72a29bb7e71b0491226448842a6f858193d7949.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4427116.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 3924	2172	c7273539.exe	91
PID 3440 set thread context of 1292	3440	oneetx.exe	94
PID 3288 set thread context of 1844	3288	oneetx.exe	107
PID 4312 set thread context of 1988	4312	oneetx.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2072	1844	WerFault.exe	107

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3352	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1056	a5188132.exe
1056	a5188132.exe
4512	b4428142.exe
4512	b4428142.exe
3196	d6528790.exe
3196	d6528790.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1056	a5188132.exe
Token: SeDebugPrivilege	4512	b4428142.exe
Token: SeDebugPrivilege	2172	c7273539.exe
Token: SeDebugPrivilege	3196	d6528790.exe
Token: SeDebugPrivilege	3440	oneetx.exe
Token: SeDebugPrivilege	3288	oneetx.exe
Token: SeDebugPrivilege	4312	oneetx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3924	c7273539.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1844	oneetx.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 3672	5000	053dc036721ceda10360e1a8f72a29bb7e71b0491226448842a6f858193d7949.exe	85
PID 5000 wrote to memory of 3672	5000	053dc036721ceda10360e1a8f72a29bb7e71b0491226448842a6f858193d7949.exe	85
PID 5000 wrote to memory of 3672	5000	053dc036721ceda10360e1a8f72a29bb7e71b0491226448842a6f858193d7949.exe	85
PID 3672 wrote to memory of 4304	3672	v4427116.exe	86
PID 3672 wrote to memory of 4304	3672	v4427116.exe	86
PID 3672 wrote to memory of 4304	3672	v4427116.exe	86
PID 4304 wrote to memory of 1056	4304	v2034740.exe	87
PID 4304 wrote to memory of 1056	4304	v2034740.exe	87
PID 4304 wrote to memory of 4512	4304	v2034740.exe	88
PID 4304 wrote to memory of 4512	4304	v2034740.exe	88
PID 4304 wrote to memory of 4512	4304	v2034740.exe	88
PID 3672 wrote to memory of 2172	3672	v4427116.exe	90
PID 3672 wrote to memory of 2172	3672	v4427116.exe	90
PID 3672 wrote to memory of 2172	3672	v4427116.exe	90
PID 2172 wrote to memory of 3924	2172	c7273539.exe	91
PID 2172 wrote to memory of 3924	2172	c7273539.exe	91
PID 2172 wrote to memory of 3924	2172	c7273539.exe	91
PID 2172 wrote to memory of 3924	2172	c7273539.exe	91
PID 2172 wrote to memory of 3924	2172	c7273539.exe	91
PID 2172 wrote to memory of 3924	2172	c7273539.exe	91
PID 2172 wrote to memory of 3924	2172	c7273539.exe	91
PID 2172 wrote to memory of 3924	2172	c7273539.exe	91
PID 2172 wrote to memory of 3924	2172	c7273539.exe	91
PID 2172 wrote to memory of 3924	2172	c7273539.exe	91
PID 5000 wrote to memory of 3196	5000	053dc036721ceda10360e1a8f72a29bb7e71b0491226448842a6f858193d7949.exe	92
PID 5000 wrote to memory of 3196	5000	053dc036721ceda10360e1a8f72a29bb7e71b0491226448842a6f858193d7949.exe	92
PID 5000 wrote to memory of 3196	5000	053dc036721ceda10360e1a8f72a29bb7e71b0491226448842a6f858193d7949.exe	92
PID 3924 wrote to memory of 3440	3924	c7273539.exe	93
PID 3924 wrote to memory of 3440	3924	c7273539.exe	93
PID 3924 wrote to memory of 3440	3924	c7273539.exe	93
PID 3440 wrote to memory of 1292	3440	oneetx.exe	94
PID 3440 wrote to memory of 1292	3440	oneetx.exe	94
PID 3440 wrote to memory of 1292	3440	oneetx.exe	94
PID 3440 wrote to memory of 1292	3440	oneetx.exe	94
PID 3440 wrote to memory of 1292	3440	oneetx.exe	94
PID 3440 wrote to memory of 1292	3440	oneetx.exe	94
PID 3440 wrote to memory of 1292	3440	oneetx.exe	94
PID 3440 wrote to memory of 1292	3440	oneetx.exe	94
PID 3440 wrote to memory of 1292	3440	oneetx.exe	94
PID 3440 wrote to memory of 1292	3440	oneetx.exe	94
PID 1292 wrote to memory of 3352	1292	oneetx.exe	95
PID 1292 wrote to memory of 3352	1292	oneetx.exe	95
PID 1292 wrote to memory of 3352	1292	oneetx.exe	95
PID 1292 wrote to memory of 2860	1292	oneetx.exe	97
PID 1292 wrote to memory of 2860	1292	oneetx.exe	97
PID 1292 wrote to memory of 2860	1292	oneetx.exe	97
PID 2860 wrote to memory of 5052	2860	cmd.exe	99
PID 2860 wrote to memory of 5052	2860	cmd.exe	99
PID 2860 wrote to memory of 5052	2860	cmd.exe	99
PID 2860 wrote to memory of 1720	2860	cmd.exe	100
PID 2860 wrote to memory of 1720	2860	cmd.exe	100
PID 2860 wrote to memory of 1720	2860	cmd.exe	100
PID 2860 wrote to memory of 4484	2860	cmd.exe	101
PID 2860 wrote to memory of 4484	2860	cmd.exe	101
PID 2860 wrote to memory of 4484	2860	cmd.exe	101
PID 2860 wrote to memory of 4592	2860	cmd.exe	102
PID 2860 wrote to memory of 4592	2860	cmd.exe	102
PID 2860 wrote to memory of 4592	2860	cmd.exe	102
PID 2860 wrote to memory of 3416	2860	cmd.exe	103
PID 2860 wrote to memory of 3416	2860	cmd.exe	103
PID 2860 wrote to memory of 3416	2860	cmd.exe	103
PID 2860 wrote to memory of 2540	2860	cmd.exe	104
PID 2860 wrote to memory of 2540	2860	cmd.exe	104
PID 2860 wrote to memory of 2540	2860	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\053dc036721ceda10360e1a8f72a29bb7e71b0491226448842a6f858193d7949.exe
"C:\Users\Admin\AppData\Local\Temp\053dc036721ceda10360e1a8f72a29bb7e71b0491226448842a6f858193d7949.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4427116.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4427116.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2034740.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2034740.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5188132.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5188132.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1056
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4428142.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4428142.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4512
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7273539.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7273539.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7273539.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7273539.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3440
      - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        
        C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        8⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        8⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:N"
        8⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:R" /E
        8⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:1812
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6528790.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6528790.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3196

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3288
- C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 12
    3⤵
    - Program crash
    PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1844 -ip 1844
1⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4312
- C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oneetx.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6528790.exe

Filesize
285KB

MD5
9d9ec72594e7b75aa44c6e0403fee263

SHA1
b0f83d490023eb5f9441df6cc9b24db0bfc57386

SHA256
09c1ea4e3feb2c47dc57a5bf1ef795ce5c3af621eca919c1c11da58b6f1f72d2

SHA512
99ddfa7bf1e8b58f8d58d2ba85b3d31de3a946f45f6d8423cee444bd276b88919b27fe302fe2afb48fcae708173942db1fd2ae45d602a230ce005cf745b9d585

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6528790.exe

Filesize
285KB

MD5
9d9ec72594e7b75aa44c6e0403fee263

SHA1
b0f83d490023eb5f9441df6cc9b24db0bfc57386

SHA256
09c1ea4e3feb2c47dc57a5bf1ef795ce5c3af621eca919c1c11da58b6f1f72d2

SHA512
99ddfa7bf1e8b58f8d58d2ba85b3d31de3a946f45f6d8423cee444bd276b88919b27fe302fe2afb48fcae708173942db1fd2ae45d602a230ce005cf745b9d585

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4427116.exe

Filesize
637KB

MD5
cad9ae8366af16363f2112c63031f44e

SHA1
36107a1cae667fca82bf9ba6d0c1d9557cfc157a

SHA256
ef1f008351f03165224d9b92f75bb59eefafa9daa96d96d773d45f18ba4d4d1a

SHA512
0f980a94df07384914a417861c70624f3cc68c731698d42df693302538139c1ce947d72432c4cc95c47393f98deab1cba927fdd8152f4a29e07cc705392d7e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4427116.exe

Filesize
637KB

MD5
cad9ae8366af16363f2112c63031f44e

SHA1
36107a1cae667fca82bf9ba6d0c1d9557cfc157a

SHA256
ef1f008351f03165224d9b92f75bb59eefafa9daa96d96d773d45f18ba4d4d1a

SHA512
0f980a94df07384914a417861c70624f3cc68c731698d42df693302538139c1ce947d72432c4cc95c47393f98deab1cba927fdd8152f4a29e07cc705392d7e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7273539.exe

Filesize
968KB

MD5
8b764f1b0aa53e96a6db64159236f4e7

SHA1
396b9322312b24c865b8906931a35381d41f9eb5

SHA256
e32cf4af518fe58ae1e584bef9d84d3c2dcb36fb210eca25a923098f0d906991

SHA512
d8cbb1ee522582eff81596eb7e236f836d91aec2de9607a4a1259d087fad85e3f22d5e5ccf4e71f33914d43284ea1379ddd66f88a77463bbcda9926f0d64f8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7273539.exe

Filesize
968KB

MD5
8b764f1b0aa53e96a6db64159236f4e7

SHA1
396b9322312b24c865b8906931a35381d41f9eb5

SHA256
e32cf4af518fe58ae1e584bef9d84d3c2dcb36fb210eca25a923098f0d906991

SHA512
d8cbb1ee522582eff81596eb7e236f836d91aec2de9607a4a1259d087fad85e3f22d5e5ccf4e71f33914d43284ea1379ddd66f88a77463bbcda9926f0d64f8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7273539.exe

Filesize
968KB

MD5
8b764f1b0aa53e96a6db64159236f4e7

SHA1
396b9322312b24c865b8906931a35381d41f9eb5

SHA256
e32cf4af518fe58ae1e584bef9d84d3c2dcb36fb210eca25a923098f0d906991

SHA512
d8cbb1ee522582eff81596eb7e236f836d91aec2de9607a4a1259d087fad85e3f22d5e5ccf4e71f33914d43284ea1379ddd66f88a77463bbcda9926f0d64f8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2034740.exe

Filesize
192KB

MD5
5c18f698d19698810ae16ae575b9af18

SHA1
99b8ee59cbaa49b2519af681fe173b777e45aa3d

SHA256
86be361d01ff5e900295536a2f79d28d6a3a6a20268a3f8631bd1c82647669dd

SHA512
b5f1a8be88abd6ad60989a3c824d21d5e8e20472aa915edfa78d9cf9060e5b6e463c82a9d1f2550f5c69e20634690f516f2809c5eb1e1e35ee5b3b6bb87cb2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2034740.exe

Filesize
192KB

MD5
5c18f698d19698810ae16ae575b9af18

SHA1
99b8ee59cbaa49b2519af681fe173b777e45aa3d

SHA256
86be361d01ff5e900295536a2f79d28d6a3a6a20268a3f8631bd1c82647669dd

SHA512
b5f1a8be88abd6ad60989a3c824d21d5e8e20472aa915edfa78d9cf9060e5b6e463c82a9d1f2550f5c69e20634690f516f2809c5eb1e1e35ee5b3b6bb87cb2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5188132.exe

Filesize
11KB

MD5
81a0a394303b953f54329bb2da7754d8

SHA1
86b7392a69a03c71ebabad1d8f3f8af4499c5b04

SHA256
013374bf093dc3097d5ddff7a895faf3a587d7200f4f5414a0ae674d9bf845ef

SHA512
6e80bb2639fc5cf7fcc20ea9295bfc97f7e4ff2572d1c744450c36107f2eea5998fa459c2f6275857d67a4805a78567f3bf3c7d0ef6332cc7d00f0e9b3569a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5188132.exe

Filesize
11KB

MD5
81a0a394303b953f54329bb2da7754d8

SHA1
86b7392a69a03c71ebabad1d8f3f8af4499c5b04

SHA256
013374bf093dc3097d5ddff7a895faf3a587d7200f4f5414a0ae674d9bf845ef

SHA512
6e80bb2639fc5cf7fcc20ea9295bfc97f7e4ff2572d1c744450c36107f2eea5998fa459c2f6275857d67a4805a78567f3bf3c7d0ef6332cc7d00f0e9b3569a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4428142.exe

Filesize
145KB

MD5
ae3921de43cc5ad00b362a1378a1720a

SHA1
8c04a905c512e9b4837062d71d1105f2da1665e7

SHA256
9380b696596bffd699e3f06f0969a6e030d91da33687ece0a83f3e7d1f9d8bd3

SHA512
60b335b4fb548148d86fc7a4f6aed61fe5a8236c8b917034a31997bee7b6c6976040e4427e606d166d703f6107ad07aa5a947b09a0657b8b77189dbc0c25ae31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4428142.exe

Filesize
145KB

MD5
ae3921de43cc5ad00b362a1378a1720a

SHA1
8c04a905c512e9b4837062d71d1105f2da1665e7

SHA256
9380b696596bffd699e3f06f0969a6e030d91da33687ece0a83f3e7d1f9d8bd3

SHA512
60b335b4fb548148d86fc7a4f6aed61fe5a8236c8b917034a31997bee7b6c6976040e4427e606d166d703f6107ad07aa5a947b09a0657b8b77189dbc0c25ae31

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
968KB

MD5
8b764f1b0aa53e96a6db64159236f4e7

SHA1
396b9322312b24c865b8906931a35381d41f9eb5

SHA256
e32cf4af518fe58ae1e584bef9d84d3c2dcb36fb210eca25a923098f0d906991

SHA512
d8cbb1ee522582eff81596eb7e236f836d91aec2de9607a4a1259d087fad85e3f22d5e5ccf4e71f33914d43284ea1379ddd66f88a77463bbcda9926f0d64f8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
968KB

MD5
8b764f1b0aa53e96a6db64159236f4e7

SHA1
396b9322312b24c865b8906931a35381d41f9eb5

SHA256
e32cf4af518fe58ae1e584bef9d84d3c2dcb36fb210eca25a923098f0d906991

SHA512
d8cbb1ee522582eff81596eb7e236f836d91aec2de9607a4a1259d087fad85e3f22d5e5ccf4e71f33914d43284ea1379ddd66f88a77463bbcda9926f0d64f8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
968KB

MD5
8b764f1b0aa53e96a6db64159236f4e7

SHA1
396b9322312b24c865b8906931a35381d41f9eb5

SHA256
e32cf4af518fe58ae1e584bef9d84d3c2dcb36fb210eca25a923098f0d906991

SHA512
d8cbb1ee522582eff81596eb7e236f836d91aec2de9607a4a1259d087fad85e3f22d5e5ccf4e71f33914d43284ea1379ddd66f88a77463bbcda9926f0d64f8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
968KB

MD5
8b764f1b0aa53e96a6db64159236f4e7

SHA1
396b9322312b24c865b8906931a35381d41f9eb5

SHA256
e32cf4af518fe58ae1e584bef9d84d3c2dcb36fb210eca25a923098f0d906991

SHA512
d8cbb1ee522582eff81596eb7e236f836d91aec2de9607a4a1259d087fad85e3f22d5e5ccf4e71f33914d43284ea1379ddd66f88a77463bbcda9926f0d64f8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
968KB

MD5
8b764f1b0aa53e96a6db64159236f4e7

SHA1
396b9322312b24c865b8906931a35381d41f9eb5

SHA256
e32cf4af518fe58ae1e584bef9d84d3c2dcb36fb210eca25a923098f0d906991

SHA512
d8cbb1ee522582eff81596eb7e236f836d91aec2de9607a4a1259d087fad85e3f22d5e5ccf4e71f33914d43284ea1379ddd66f88a77463bbcda9926f0d64f8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
968KB

MD5
8b764f1b0aa53e96a6db64159236f4e7

SHA1
396b9322312b24c865b8906931a35381d41f9eb5

SHA256
e32cf4af518fe58ae1e584bef9d84d3c2dcb36fb210eca25a923098f0d906991

SHA512
d8cbb1ee522582eff81596eb7e236f836d91aec2de9607a4a1259d087fad85e3f22d5e5ccf4e71f33914d43284ea1379ddd66f88a77463bbcda9926f0d64f8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
968KB

MD5
8b764f1b0aa53e96a6db64159236f4e7

SHA1
396b9322312b24c865b8906931a35381d41f9eb5

SHA256
e32cf4af518fe58ae1e584bef9d84d3c2dcb36fb210eca25a923098f0d906991

SHA512
d8cbb1ee522582eff81596eb7e236f836d91aec2de9607a4a1259d087fad85e3f22d5e5ccf4e71f33914d43284ea1379ddd66f88a77463bbcda9926f0d64f8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
968KB

MD5
8b764f1b0aa53e96a6db64159236f4e7

SHA1
396b9322312b24c865b8906931a35381d41f9eb5

SHA256
e32cf4af518fe58ae1e584bef9d84d3c2dcb36fb210eca25a923098f0d906991

SHA512
d8cbb1ee522582eff81596eb7e236f836d91aec2de9607a4a1259d087fad85e3f22d5e5ccf4e71f33914d43284ea1379ddd66f88a77463bbcda9926f0d64f8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
968KB

MD5
8b764f1b0aa53e96a6db64159236f4e7

SHA1
396b9322312b24c865b8906931a35381d41f9eb5

SHA256
e32cf4af518fe58ae1e584bef9d84d3c2dcb36fb210eca25a923098f0d906991

SHA512
d8cbb1ee522582eff81596eb7e236f836d91aec2de9607a4a1259d087fad85e3f22d5e5ccf4e71f33914d43284ea1379ddd66f88a77463bbcda9926f0d64f8c8

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1056-154-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/1292-1121-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1292-1132-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1988-1161-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2172-178-0x0000000007D50000-0x0000000007D60000-memory.dmp

Filesize
64KB

Download
memory/2172-177-0x0000000000EF0000-0x0000000000FE8000-memory.dmp

Filesize
992KB

Download
memory/3196-247-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-241-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-189-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-192-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-194-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-196-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-198-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-202-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-200-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-204-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-206-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-208-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-210-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-212-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-214-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-216-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-218-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-220-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-222-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-224-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-227-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3196-226-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-228-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3196-231-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-230-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3196-233-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-235-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-237-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-239-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-190-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-243-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-245-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-249-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-1127-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3196-251-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3196-1126-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3196-1125-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3196-1122-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3440-428-0x00000000075A0000-0x00000000075B0000-memory.dmp

Filesize
64KB

Download
memory/3924-183-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3924-368-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3924-188-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3924-179-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3924-182-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4512-168-0x0000000006680000-0x00000000066F6000-memory.dmp

Filesize
472KB

Download
memory/4512-165-0x0000000006050000-0x00000000065F4000-memory.dmp

Filesize
5.6MB

Download
memory/4512-170-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4512-169-0x0000000006700000-0x0000000006750000-memory.dmp

Filesize
320KB

Download
memory/4512-172-0x0000000007020000-0x000000000754C000-memory.dmp

Filesize
5.2MB

Download
memory/4512-167-0x00000000053F0000-0x0000000005456000-memory.dmp

Filesize
408KB

Download
memory/4512-166-0x0000000005AA0000-0x0000000005B32000-memory.dmp

Filesize
584KB

Download
memory/4512-171-0x0000000006920000-0x0000000006AE2000-memory.dmp

Filesize
1.8MB

Download
memory/4512-164-0x0000000004FA0000-0x0000000004FDC000-memory.dmp

Filesize
240KB

Download
memory/4512-163-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4512-162-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/4512-161-0x0000000005000000-0x000000000510A000-memory.dmp

Filesize
1.0MB

Download
memory/4512-160-0x0000000005480000-0x0000000005A98000-memory.dmp

Filesize
6.1MB

Download
memory/4512-159-0x0000000000560000-0x000000000058A000-memory.dmp

Filesize
168KB

Download