Malware Analysis Report

2025-06-16 01:03

Sample ID 221123-x5ngqaha34
Target eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51
SHA256 eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51
Tags
upx xtremerat persistence rat spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51

Threat Level: Known bad

The file eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51 was found to be: Known bad.

Malicious Activity Summary

upx xtremerat persistence rat spyware

Detect XtremeRAT payload

Xtremerat family

Modifies WinLogon for persistence

XtremeRAT

UPX packed file

Adds policy Run key to start application

Modifies Installed Components in the registry

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-23 19:26

Signatures

Detect XtremeRAT payload

1 match; Description, Indicator, Process and Target all N/A.

Xtremerat family

xtremerat

UPX packed file

upx
1 match; Description, Indicator, Process and Target all N/A.

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-23 19:26

Reported

2022-11-23 22:04

Platform

win7-20220812-en

Max time kernel

146s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe"

Signatures

Detect XtremeRAT payload

7 matches; Description, Indicator, Process and Target all N/A.

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A

XtremeRAT

persistence spyware rat xtremerat

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AK280W7F-7V7S-6384-P0F5-B8QY3351K8VV} | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AK280W7F-7V7S-6384-P0F5-B8QY3351K8VV}\StubPath = "C:\\Windows\\WIN 7\\HACKO.exe restart" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AK280W7F-7V7S-6384-P0F5-B8QY3351K8VV} | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AK280W7F-7V7S-6384-P0F5-B8QY3351K8VV}\StubPath = "C:\\Windows\\WIN 7\\HACKO.exe restart" | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A

UPX packed file

upx
6 matches; Description, Indicator, Process and Target all N/A.

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
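The four persistence locations written above (Winlogon\Shell, Policies\Explorer\Run, Active Setup StubPath, Run/RunOnce) are the same ones a host-based detection should watch. The following is an added example, not code from the sandbox report: a small detector that normalizes the kernel-style registry paths (HKLM/HKU, with and without Wow6432Node) and flags writes to those locations, then extracts the executable each value would launch. The EVENTS list is constructed from the behavioral1 "Set value" rows, with the sandbox's doubled backslashes collapsed; the final msiexec.exe event is a hypothetical benign control, and the MITRE sub-technique IDs in the rule names are this example's mapping, not the report's.

```python
"""Registry-persistence detector for the four locations this report shows:
Winlogon\\Shell, Policies\\Explorer\\Run, Active Setup StubPath and Run/RunOnce.
Added example, not code from the sandbox report. EVENTS are constructed from
the behavioral1 'Set value' rows (with the sandbox's doubled backslashes
collapsed); the final msiexec.exe event is a hypothetical benign control."""
import re
from typing import NamedTuple


class RegEvent(NamedTuple):
    path: str     # kernel-style registry path, value name last
    data: str     # string data written
    process: str  # image path of the writing process


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
SID = "S-1-5-21-2292972927-2705560509-2768824231-1000"
HACKO = r"C:\Windows\WIN 7\HACKO.exe"

EVENTS = [
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
             "explorer.exe " + HACKO, SAMPLE),
    RegEvent("\\REGISTRY\\USER\\" + SID + r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
             "explorer.exe " + HACKO, SVCHOST),
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost",
             HACKO, SVCHOST),
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AK280W7F-7V7S-6384-P0F5-B8QY3351K8VV}\StubPath",
             HACKO + " restart", SAMPLE),
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM",
             HACKO, SAMPLE),
    RegEvent("\\REGISTRY\\USER\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchost",
             HACKO, SVCHOST),
    # Hypothetical benign write: restoring the default shell from a trusted installer.
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
             "explorer.exe", r"C:\Windows\System32\msiexec.exe"),
]

# (rule name, regex over the normalized key path, predicate on the written data)
RULES = [
    ("Winlogon Shell hijack (T1547.004)",
     r"\\Windows NT\\CurrentVersion\\Winlogon\\Shell$",
     lambda d: d.strip().lower() != "explorer.exe"),   # the default value is exactly explorer.exe
    ("Policies Explorer Run autostart (T1547.001)",
     r"\\CurrentVersion\\Policies\\Explorer\\Run\\[^\\]+$", lambda d: True),
    ("Active Setup StubPath (T1547.014)",
     r"\\Active Setup\\Installed Components\\[^\\]+\\StubPath$", lambda d: True),
    ("Run/RunOnce autostart (T1547.001)",
     r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", lambda d: True),
]


def normalize(path: str) -> str:
    """Map \\REGISTRY\\MACHINE and \\REGISTRY\\USER\\<sid> to HKLM / HKU\\<sid> and drop
    Wow6432Node, so one rule covers both hives and both registry views."""
    parts = path.split("\\")
    if len(parts) >= 3 and parts[1].upper() == "REGISTRY":
        if parts[2].upper() == "MACHINE":
            parts = ["HKLM"] + parts[3:]
        elif parts[2].upper() == "USER" and len(parts) > 3:
            parts = ["HKU", "<sid>"] + parts[4:]
    return "\\".join(p for p in parts if p.upper() != "WOW6432NODE")


def detect(events):
    """Return one finding per event that writes an autostart location."""
    findings = []
    for ev in events:
        key = normalize(ev.path)
        for name, pattern, data_ok in RULES:
            if re.search(pattern, key, re.I) and data_ok(ev.data):
                findings.append({"rule": name, "key": key, "data": ev.data, "process": ev.process})
                break
    return findings


def autostart_targets(findings):
    """Executables the flagged values will launch. For Winlogon\\Shell the payload is
    what follows 'explorer.exe'; trailing arguments such as ' restart' are dropped."""
    targets = set()
    for f in findings:
        data = f["data"]
        if data.lower().startswith("explorer.exe "):
            data = data[len("explorer.exe "):]
        m = re.match(r'^"?([^"]+?\.exe)"?(\s|$)', data, re.I)
        targets.add(m.group(1) if m else data)
    return targets


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(f"{f['rule']}: {f['key']} <- {f['process']}")
    print("autostart targets:", autostart_targets(found))
```

On the report's events this yields six findings across all four rules, all pointing at the single dropped binary C:\Windows\WIN 7\HACKO.exe; the benign Shell = "explorer.exe" write is not flagged because the Winlogon rule only fires when the value deviates from the default.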

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\WIN 7\HACKO.exe | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
File created | C:\Windows\WIN 7\HACKO.exe | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
File opened for modification | C:\Windows\WIN 7\ | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1784 wrote to memory of 2028 (5 events) | N/A | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | C:\Windows\SysWOW64\svchost.exe
PID 1784 wrote to memory of 1724 (5 events) | N/A | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe

"C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe
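The process list and the WriteProcessMemory rows together describe the classic hollowing pattern: the sample (PID 1784) launches two copies of the 32-bit svchost.exe with a bare "svchost.exe" command line and writes into both (PIDs 2028 and 1724). The following is an added example, not code from the sandbox report: a triage routine that scores svchost.exe instances on three signals a defender can check from process-creation and memory-write telemetry (parent not services.exe, no "-k <group>" argument, parent writing into the child). PROCS and WRITES are constructed from the report's rows; the report prints no parent PIDs, so the parent/child links are inferred from the WriteProcessMemory rows, and the services.exe/svchost.exe pair at the end is a hypothetical benign control. The T1055.012 reference is this example's mapping, not the report's.

```python
"""Process-hollowing triage for the behavioral1 process tree: an svchost.exe whose
parent is not services.exe, started without the '-k <group>' argument that
legitimate service hosts carry, and written to by that parent (T1055.012).
Added example, not code from the sandbox report. PROCS and WRITES are built from
the report's Processes and WriteProcessMemory rows; the parent/child links are
inferred from those rows (the report lists no PPIDs), and the services.exe /
svchost.exe pair at the end is a hypothetical benign control."""
from collections import Counter
from typing import NamedTuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


class MemWrite(NamedTuple):
    src_pid: int
    dst_pid: int


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe"

PROCS = [
    Proc(1784, 0, SAMPLE, f'"{SAMPLE}"'),                               # 0 = parent unknown
    Proc(2028, 1784, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe"),
    Proc(1724, 1784, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe"),
    # Hypothetical benign control: a real service host started by services.exe.
    Proc(500, 400, r"C:\Windows\System32\services.exe", r"C:\Windows\System32\services.exe"),
    Proc(600, 500, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]
# Ten WriteProcessMemory rows in the report: five into each child.
WRITES = [MemWrite(1784, 2028)] * 5 + [MemWrite(1784, 1724)] * 5


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def hollowing_candidates(procs, writes):
    """Return svchost.exe instances with at least one anomaly, with the reasons."""
    by_pid = {p.pid: p for p in procs}
    write_counts = Counter((w.src_pid, w.dst_pid) for w in writes)
    out = []
    for p in procs:
        if basename(p.image) != "svchost.exe":
            continue
        reasons = []
        parent = by_pid.get(p.ppid)
        parent_name = basename(parent.image) if parent else "<unknown>"
        if parent_name != "services.exe":
            reasons.append(f"parent is {parent_name}, not services.exe")
        if "-k" not in p.cmdline.lower().split():
            reasons.append("no '-k <group>' service-group argument")
        n = write_counts.get((p.ppid, p.pid), 0)
        if n:
            reasons.append(f"parent wrote to its memory {n} time(s)")
        if reasons:
            out.append({"pid": p.pid, "image": p.image, "reasons": reasons})
    return out


if __name__ == "__main__":
    for cand in hollowing_candidates(PROCS, WRITES):
        print(cand["pid"], cand["image"])
        for reason in cand["reasons"]:
            print("   -", reason)
```

Both sandbox-spawned svchost.exe instances trip all three checks; the control instance started by services.exe with "-k netsvcs -p" trips none. In production the parent and command-line checks alone are cheap to run over Sysmon event ID 1 data, and the memory-write check maps to event ID 8/10 style telemetry.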

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | oudy.no-ip.biz | udp

Files

memory/1784-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

memory/1784-55-0x0000000000C80000-0x0000000000D8E000-memory.dmp

memory/2028-56-0x0000000000C80000-0x0000000000D8E000-memory.dmp

memory/2028-58-0x0000000000000000-mapping.dmp

C:\Windows\WIN 7\HACKO.exe (same SHA256 as the submitted sample: the dropper copies itself byte-for-byte into C:\Windows\WIN 7\)

MD5 2686afd221cf109f875b3029fab6480b
SHA1 c243ae59033985ba4d643d5d19e10002d603b0fd
SHA256 eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51
SHA512 2a1679113d97a69610ae048655260f7b85e1405213fd547b66b2d1cb15531e6e68d6b7a5778b59481fc350f846f24a6dc2a0a5cfbdda1dacbf7a3363247c4cf8

memory/1724-63-0x0000000000000000-mapping.dmp

memory/2028-65-0x0000000000C80000-0x0000000000D8E000-memory.dmp

memory/1724-66-0x0000000000C80000-0x0000000000D8E000-memory.dmp

memory/1784-67-0x0000000000C80000-0x0000000000D8E000-memory.dmp

memory/1724-68-0x0000000000C80000-0x0000000000D8E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-23 19:26

Reported

2022-11-23 22:04

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe"

Signatures

Detect XtremeRAT payload

4 matches; Description, Indicator, Process and Target all N/A.

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A

XtremeRAT

persistence spyware rat xtremerat

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AK280W7F-7V7S-6384-P0F5-B8QY3351K8VV} | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AK280W7F-7V7S-6384-P0F5-B8QY3351K8VV}\StubPath = "C:\\Windows\\WIN 7\\HACKO.exe restart" | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A

UPX packed file

upx
4 matches; Description, Indicator, Process and Target all N/A.

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\WIN 7\HACKO.exe | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
File created | C:\Windows\WIN 7\HACKO.exe | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A
File opened for modification | C:\Windows\WIN 7\ | C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe

"C:\Users\Admin\AppData\Local\Temp\eda5bc2162c2f2e8d24ca4234f728b76b55291ec31d13d57eb38d156f8206e51.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country | Destination | Domain | Proto
N/A | 87.248.202.1:80 | (none) | tcp
N/A | 8.8.8.8:53 | oudy.no-ip.biz | udp
N/A | 178.79.208.1:80 | (none) | tcp
N/A | 93.184.221.240:80 | (none) | tcp
N/A | 40.126.32.72:443 | (none) | tcp
N/A | 93.184.221.240:80 | (none) | tcp
N/A | 93.184.221.240:80 | (none) | tcp
N/A | 20.52.64.200:443 | (none) | tcp
N/A | 93.184.221.240:80 | (none) | tcp
N/A | 87.248.202.1:80 | (none) | tcp
N/A | 93.184.220.29:80 | (none) | tcp
N/A | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp
N/A | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp
N/A | 8.8.8.8:53 | 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa | udp

Only the oudy.no-ip.biz lookup is a domain attributable to the sample (the same dynamic-DNS host resolved in behavioral1, consistent with XtremeRAT's use of DDNS for its controller). The in-addr.arpa and ip6.arpa rows are reverse lookups, and the TCP destinations carry no domain; confirm those against a clean detonation on the same win10v2004 image before treating them as indicators.
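Sandbox network tables mix the one attributable indicator (the dynamic-DNS lookup) with reverse lookups and image background traffic. The following is an added example, not code from the sandbox report, showing how to triage the rows above: parse them, collapse repeats, pull out DDNS hostnames as indicators, set PTR queries aside, and split the remaining destinations into those seen in a clean baseline run and those still needing review. ROWS are the report's rows verbatim; DDNS_SUFFIXES is a short, deliberately incomplete list of well-known dynamic-DNS zones; CLEAN_RUN is a hypothetical baseline you would capture yourself by detonating a benign file on the same image, not something the report provides.

```python
"""Network-row triage for behavioral2. Added example, not code from the sandbox
report. ROWS are the report's rows; DDNS_SUFFIXES is a short, incomplete list of
well-known dynamic-DNS zones; CLEAN_RUN is a hypothetical baseline captured from
a benign detonation on the same sandbox image."""

ROWS = """\
N/A 87.248.202.1:80 tcp
N/A 8.8.8.8:53 oudy.no-ip.biz udp
N/A 178.79.208.1:80 tcp
N/A 93.184.221.240:80 tcp
N/A 40.126.32.72:443 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 20.52.64.200:443 tcp
N/A 93.184.221.240:80 tcp
N/A 87.248.202.1:80 tcp
N/A 93.184.220.29:80 tcp
N/A 8.8.8.8:53 15.89.54.20.in-addr.arpa udp
N/A 8.8.8.8:53 106.89.54.20.in-addr.arpa udp
N/A 8.8.8.8:53 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa udp
"""

DDNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "ddns.net", "hopto.org", "zapto.org",
                 "sytes.net", "duckdns.org", "dyndns.org")

# Hypothetical: destinations observed when a benign file is detonated on the same image.
CLEAN_RUN = {"93.184.221.240:80", "40.126.32.72:443", "20.52.64.200:443", "93.184.220.29:80"}


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows, dropping exact repeats."""
    rows, seen = [], set()
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 4:
            _, dest, domain, proto = tok
        elif len(tok) == 3:
            _, dest, proto = tok
            domain = None
        else:
            continue
        if (dest, domain) in seen:
            continue
        seen.add((dest, domain))
        rows.append({"dest": dest, "domain": domain, "proto": proto})
    return rows


def is_ptr(domain):
    return domain.endswith(".in-addr.arpa") or domain.endswith(".ip6.arpa")


def is_ddns(domain):
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in DDNS_SUFFIXES)


def triage(rows, clean_run):
    """Bucket each unique row: ioc, ptr_noise, baseline (seen in the clean run), review."""
    out = {"ioc": [], "ptr_noise": [], "baseline": [], "review": []}
    for r in rows:
        d = r["domain"]
        if d and is_ptr(d):
            out["ptr_noise"].append(d)
        elif d and is_ddns(d):
            out["ioc"].append(d)
        elif r["dest"] in clean_run:
            out["baseline"].append(r["dest"])
        else:
            out["review"].append(f"{d} ({r['dest']})" if d else r["dest"])
    return out


if __name__ == "__main__":
    for bucket, items in triage(parse_rows(ROWS), CLEAN_RUN).items():
        print(f"{bucket}: {items}")
```

With the hypothetical baseline above, the only indicator is oudy.no-ip.biz, three PTR rows are noise, four destinations fall into the baseline, and 87.248.202.1:80 and 178.79.208.1:80 remain for manual review; a different baseline moves rows between the last two buckets, which is exactly why the baseline must come from your own clean run of the same image rather than from the report.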

Files

memory/852-132-0x0000000000C80000-0x0000000000D8E000-memory.dmp

memory/2684-133-0x0000000000000000-mapping.dmp

memory/2684-134-0x0000000000C80000-0x0000000000D8E000-memory.dmp

memory/852-135-0x0000000000C80000-0x0000000000D8E000-memory.dmp

memory/2684-136-0x0000000000C80000-0x0000000000D8E000-memory.dmp