Malware Analysis Report

2025-08-06 02:58

Sample ID 240112-xfn2ysdefp
Target 5738d596be68071de7786712b5410024
SHA256 03469423c7c63f0144fc8e3135db3efd65f0a15bbc80c374236792f820633310
Tags
redline sectoprat @janhidf infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

03469423c7c63f0144fc8e3135db3efd65f0a15bbc80c374236792f820633310

Threat Level: Known bad

The file 5738d596be68071de7786712b5410024 was found to be: Known bad.

Malicious Activity Summary

redline sectoprat @janhidf infostealer rat trojan

RedLine

RedLine payload

SectopRAT

SectopRAT payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: CmdExeWriteProcessMemorySpam

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-12 18:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-12 18:47

Reported

2024-01-12 18:50

Platform

win7-20231215-en

Max time kernel

135s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ready\janhidf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\janhidf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2496 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe C:\Windows\system32\cmd.exe
PID 2496 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe C:\Windows\system32\cmd.exe
PID 2496 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe C:\Windows\system32\cmd.exe
PID 2496 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe C:\Windows\system32\cmd.exe
PID 2248 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2248 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2248 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2248 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 616 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 616 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 616 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2912 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2912 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2912 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 764 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 764 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 764 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 2248 wrote to memory of 740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2248 wrote to memory of 740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2248 wrote to memory of 740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2248 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\janhidf.exe
PID 2248 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\janhidf.exe
PID 2248 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\janhidf.exe
PID 2248 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\janhidf.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe

"C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ready\main.bat" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e file.zip -p___________20689pwd2342pwd16763___________ -oextracted

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e extracted/file_10.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e extracted/file_9.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e extracted/file_8.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "janhidf.exe"

C:\Users\Admin\AppData\Local\Temp\ready\janhidf.exe

"janhidf.exe"

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e extracted/file_4.zip -oextracted
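
The process tree above is the part of this run that is cheap to detect without any hash: cmd.exe runs main.bat out of %TEMP% with /S, a bundled 7z.exe extracts file.zip with the password passed inline via -p and then unpacks ten nested file_N.zip archives, attrib +H hides janhidf.exe, and the same cmd.exe launches janhidf.exe from that directory. The Python below is an added example, not code from the sandbox or this report: it replays the report's command lines as constructed Sysmon-style process-creation events (the pid/ppid/image/cmd field names are an assumed schema) and flags each link of that chain. Events are assumed to be listed in creation order, which is the order the WriteProcessMemory table above gives.

```python
import ntpath
import re

# Process-creation events constructed from the report's Processes and
# WriteProcessMemory tables (behavioral1, Windows 7 run). The field names are
# an assumed Sysmon-like schema, not the sandbox's own export format.
EVENTS = [
    {"pid": 2496, "ppid": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe"'},
    {"pid": 2248, "ppid": 2496, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\ready\main.bat" /S"'},
    {"pid": 2792, "ppid": 2248, "image": r"C:\Windows\system32\mode.com", "cmd": "mode 65,10"},
    {"pid": 2800, "ppid": 2248, "image": r"C:\Users\Admin\AppData\Local\Temp\ready\7z.exe",
     "cmd": "7z.exe e file.zip -p___________20689pwd2342pwd16763___________ -oextracted"},
    {"pid": 2744, "ppid": 2248, "image": r"C:\Users\Admin\AppData\Local\Temp\ready\7z.exe",
     "cmd": "7z.exe e extracted/file_10.zip -oextracted"},
    {"pid": 740, "ppid": 2248, "image": r"C:\Windows\system32\attrib.exe", "cmd": 'attrib +H "janhidf.exe"'},
    {"pid": 1016, "ppid": 2248, "image": r"C:\Users\Admin\AppData\Local\Temp\ready\janhidf.exe", "cmd": '"janhidf.exe"'},
]

# Anything under a user's AppData is writable without elevation.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SEVENZIP_PASSWORD = re.compile(r"(?:^|\s)-p(\S+)")          # 7-Zip inline password switch
ATTRIB_HIDE = re.compile(r'attrib\s+.*\+H\s+"?([^"\s]+)"?', re.IGNORECASE)
BATCH_VIA_CMD = re.compile(r'/c\s+"*([A-Za-z]:\\[^"]+\.bat)"', re.IGNORECASE)


def basename(path):
    return ntpath.basename(path).lower()


def find_batch_from_temp(events):
    """cmd.exe /c launching a .bat that lives under a user-writable directory."""
    hits = []
    for ev in events:
        if basename(ev["image"]) != "cmd.exe":
            continue
        m = BATCH_VIA_CMD.search(ev["cmd"])
        if m and USER_WRITABLE.match(m.group(1)):
            hits.append({"pid": ev["pid"], "script": m.group(1)})
    return hits


def find_password_extracts(events):
    """A 7z.exe copy run from a user-writable path with the archive password on the command line."""
    hits = []
    for ev in events:
        if basename(ev["image"]) != "7z.exe" or not USER_WRITABLE.match(ev["image"]):
            continue
        m = SEVENZIP_PASSWORD.search(ev["cmd"])
        if m:
            hits.append({"pid": ev["pid"], "password": m.group(1)})
    return hits


def find_hidden_then_executed(events):
    """attrib +H on a file name, followed by a process whose image has that same name."""
    hidden = {}   # lower-cased file name -> pid of the attrib.exe that hid it
    hits = []
    for ev in events:  # assumed to be in creation order
        if basename(ev["image"]) == "attrib.exe":
            m = ATTRIB_HIDE.search(ev["cmd"])
            if m:
                hidden[m.group(1).lower()] = ev["pid"]
            continue
        name = basename(ev["image"])
        if name in hidden:
            hits.append({"attrib_pid": hidden[name], "exec_pid": ev["pid"], "image": ev["image"]})
    return hits


def score(events):
    """Run all three checks; the chain counts as matched only when every link is present."""
    findings = {
        "batch_from_temp": find_batch_from_temp(events),
        "password_extract": find_password_extracts(events),
        "hidden_then_executed": find_hidden_then_executed(events),
    }
    findings["chain_matched"] = all(findings[k] for k in ("batch_from_temp", "password_extract", "hidden_then_executed"))
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(score(EVENTS), indent=2))
```

Each check on its own is noisy (legitimate installers also run 7z.exe with -p), which is why score() only calls the chain matched when all three links appear under the same parent; the captured password is returned so an analyst can open file.zip from the dropped files without re-running the sample.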

Network

Country Destination Domain Proto
NL 45.14.12.90:52072 tcp
NL 45.14.12.90:52072 tcp
NL 45.14.12.90:52072 tcp
NL 45.14.12.90:52072 tcp
NL 45.14.12.90:52072 tcp
NL 45.14.12.90:52072 tcp

Files

C:\Users\Admin\AppData\Local\Temp\ready\main.bat

MD5 3afb4af06ef85bcec37d3493910949b7
SHA1 8dece16a9f45866453ee6af0f1cabaaef5b11448
SHA256 c17d67303f4483cb9a3c3e3f974a26c6c4482f1042aba973cc4a37c686d0803f
SHA512 832067f4f08e111d22aef14ff0a2d86b9e86ae6ae193cfe33486c30c7cd172aa64d19f0729ced4dd3bb08f28feffd992dec416d1d383fc308ac4640c34dae180

C:\Users\Admin\AppData\Local\Temp\ready\file.bin

MD5 80ee31171fbd4fa75c6ef69c74c086a5
SHA1 95a88efc5b00b0d0a772a2350543f758a3ada61f
SHA256 571438548221628d90c3847d21c4bb32172a90aa204bebbfaa08e6e551679675
SHA512 5bf5b8bd01a753ff2fb53e249ac9aae53958711f3c0d8abf92d38ca896fa7029a12f41afb6c736c31690db6a007b772aeefeec7554177567b45ec4aa8330af9c

\Users\Admin\AppData\Local\Temp\ready\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\ready\7z.dll

MD5 689c2cc5525bd008b965cd9b901603aa
SHA1 0e402d9d5a0b7e756add4e69bd65a2bc555e9530
SHA256 11e76f3f041f18b96785856c53c2517b7f2a3e07f9106f3ce0d56056493fac3f
SHA512 4411c1db84d01818fe3fbd22f0e9e41a28896986f443d78dbd574c5a4d4e9b70822a30d6ba79b93f4d7a3c2f8a8c35d15ba02ae4fe699191595d3131a5148412

\Users\Admin\AppData\Local\Temp\ready\7z.dll

MD5 d70338725e346f223b73e603284677a1
SHA1 3f797a357008ec344aeb7db7090a9f9529aae1da
SHA256 4ea148b631c2401cb7ec9b2e42cbd3d4a77fa018bec19c2b35405bcf6ad298fe
SHA512 b888b10321738bdd97d13c1372ae649c0953f9eca26959e3b7a77c7995ee41b524e05d96de7618d886ba82fd31495e2f911869d91bace3e6c5597548b24ef8eb

\Users\Admin\AppData\Local\Temp\ready\7z.dll

MD5 10d803c03b2ec478a532deb9133f8166
SHA1 f199af33624481fe84f4924cac8fae2144159af1
SHA256 5a22ca08f6b141530f98bf8a9dbb2108e626eee4f82484b1a80513ee954a4f14
SHA512 33ce6066b93fadd399b8f83389d1b6edc99053c91d8522185e0768547f7a5622ecc317296d2ec06acb59db17350ccb43d6949eab633da4a92e4c65297313f81b

C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_10.zip

MD5 752679ebac1f52b7228a8d3f933e240c
SHA1 52c04db5184f3be4e207ea7f429aad1b14b27827
SHA256 76f2b5cb35b847436d99988b77eef7f1ad3af73bddbc39aba439e1970724a495
SHA512 57589053bfa11a90a43ac894881d65b45f8af3fbf870e804ca2fbf96557a16cd9ece0399809888fc000ed2dd431cba87ac6d4da8889fef6930d9086c794d32c8

C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_9.zip

MD5 7be328380791baf2e2427349b5ac2b08
SHA1 1b10efbfeca8ba85dd4af53b1066ee338bba9120
SHA256 14a5a7e340f07b9859bd2694f7aa7f71f2a6f31400afc0d16ce79db740190d95
SHA512 1bc4672bc9b6178b5baa1934ce6114c0a0c4d052df45099ac4a946c8ad360f8bf9a1d56e8bccb8847571a333c809698da798f8d0308dfeaf35501dfa1407be4c

\Users\Admin\AppData\Local\Temp\ready\7z.dll

MD5 5f767bd3ffdbef363b72a13006391f50
SHA1 19dbdc2a5092f6581a7a531df5717752c736bab2
SHA256 d4e39627e447016054ae28f93f70ae3734415bea00759d63240432f7f82847b8
SHA512 3dfb04b17a7d97aa242629d9b122181f3288d92fe7023a8906d854ee2ab7aab27a8e16a7795c59403ec0a6ecbc9868ca659a246e6f60328825895d1fbc9ce8e5

\Users\Admin\AppData\Local\Temp\ready\7z.dll

MD5 6291e81da558e318ab93360d360aacf5
SHA1 8a94438b78e4403327d19cce4d3549052511c86d
SHA256 967ea301491c296910c15ad9a256af4243261cc0608fe67bb27039a1140311b3
SHA512 3ecc459eeeabd46742929ad25a7d5b9973f02ea70fc47a7cc2926dbf90407bee18bfcb7605394cb1a3e99b7da478d439b42d4177941d02553466c436b5fa9f79

\Users\Admin\AppData\Local\Temp\ready\7z.dll

MD5 5818fc4dd99c5a4e588d261220db82b7
SHA1 0870f5ce420f76ed0e66396d159c6b074e0ea21e
SHA256 631d4f6bb1d59821d0a8a9e6c7089c1fd46d44ffc0042eebc144668bef86a417
SHA512 a041d92b77c55e1d0381f8451cb543f1b1f80afcfd14429c2b7b82690b50c63420cdf5567ea8e737507fa42a00ab1f2973d70d7d1469e6bab5b61b3f00dfa3bd

\Users\Admin\AppData\Local\Temp\ready\7z.dll

MD5 d6223015ded76e77040965ed6491a509
SHA1 fc1cbb649313f6eaa929193deebb40edd8671c63
SHA256 a17e4430226d6fc1fca49caf4f74adfa3ba54ce6ec88fe8ce27acf2ec9e8915e
SHA512 17e4341d16accb95bfa565cd342da4b6f311d4152f3afd450e0f2c6065ac2953baa831ab1ecf1944df6e16c2073252b5cb6fd53f2e806390fa53c53d320ae433

C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_6.zip

MD5 110d098300a79bf77df3e1f9dc000854
SHA1 7fc902980a6ad5c49d2a1592b17aa94d6cd63bc6
SHA256 3b5a7ae6a43ca5e3cb3280a6463ed79f7ae688eeae2a81114d24d1bc8f8048c3
SHA512 7e4051d93a0f543a686e9b0bb5d705ee542a1658ab60f7e23c517a6221b2f8bc11f2c22442b58a5a9eb602078bc03956908cab6adf0dca501b975d1a6940cedd

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

MD5 07c85cf88c73ddf572aa9d11afb23d96
SHA1 e116ac67460c0faea4095016545e9e73f7b45f1a
SHA256 b316e1f050dd514864a3d937aff41c80a2a3c5ab527d692088154186d9ce4edd
SHA512 58af7369361f2a5dda1c3af6ff53b6e0ead1f7ec7f02b85434ae2637892bf7e1599c36f36d12c821f93491dd42b6ece4c81180919033c3efb146e61a52823237

C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_7.zip

MD5 d9f067d9b53e9dac1d72d801b5348c12
SHA1 ccdfdf4205d670f422facdfc772405ae11096000
SHA256 e00256861aca90c8f701ab67cd4442cee23ace47ebb7fe87d368814701f013ab
SHA512 950c1b2b805bfa666eafb6acd6ffababc40373110c567e70b15fe54d06a505a26656b94361d09ae00c64929d46726c439b6c041e2200988b6c76c05fbe29b098

C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_8.zip

MD5 f268400b4f4630f70e6220f9f73ca770
SHA1 f7c0717bb47ef3d3f075d7fbe62ae9146cccd561
SHA256 5216fd47e01f7a9c5dd503f3576c2bb6b54f5bdf51f942c4e0c230eaa5a3a0b4
SHA512 a7ef869820d1294431c5a351bb423c024af5b07d4adc6abe50074996dfefbb05ddf68451cb060ecc263d85a608195f3206aaf9eaa2c9e7bb8ab573e51deb63e1

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

MD5 d5a4f7252db87294f50c40648900fa5f
SHA1 12a5cd05f3a4f0fab6ce4f5a38f495b7e6c6d465
SHA256 15b7220662df6f13bdd8dd91b805b7a52da043a797842d57cc700aa5785676ab
SHA512 bca9b2c16544d89df6ac412c2854bf569ae8a088c402065060bd60974ebaafb83c1370855c94354bd4f8c6a176989e48c459bab6edbb5027799f59e1c836b0ab

\Users\Admin\AppData\Local\Temp\ready\7z.dll

MD5 92dff693608c7b6b751950bef63eff73
SHA1 988841ec4d99443a4f1bde81b6a0691d87426ae1
SHA256 d17cfab43ede359fd611854048a77080d9083cd78c27ad5b6883333b7333689e
SHA512 af1408e76b5e2e4d0f38b149155b4338aa73976d46b4455748ac1fd87bff65bb3b81747a454fe2caed9c655692b9203d29374e9742e3c60f9eb43d4cc4df923d

C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_3.zip

MD5 50c959de88daba22ae8ce3d253dd13d7
SHA1 2499ec1a7a172282c79702a1387aa9b5824cb8df
SHA256 15d67b78a9641a6d59f77d1a81921fc376ccfe52f60d67dd3e56005b3f621914
SHA512 461d3f50bd4885e6d144a2972d012cc33ffae439ce2899a4422c17f601eea49c86cc97927933ef6f50f8329fa5f9b58748ac4e4809167460c9bc03bc5911b6ce

C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_2.zip

MD5 e5bb59fdbd11b8fef49f264fd5bd3c6e
SHA1 e4beff350bbc47c546a0be7aea44619047487241
SHA256 4217b0a7ec80903416e41e0f7bdefbf83c057ebd37578b495021e04b23e96bc3
SHA512 b549cf1d0ac48233a89abf96513d2ce3556a8cc1c59267b26fd4afb7f51613b3a480a974271dc26cdca8a15920635d3044a7de72839447dc255dedbfbef4561b

\Users\Admin\AppData\Local\Temp\ready\7z.dll

MD5 8f1a39012a7db9ef468084fea1a97a73
SHA1 31363a902f18db82f9cb165d6713dd5158acfc77
SHA256 4c679901c55b6e674e128c96bca3916e97fb7e7c4c206caedbb8d4d5799bfe95
SHA512 4da560710ad4437d1c9285ed096e69ebbc4d0da6a001bfd6aa92ee7333a9b9200bc8c442f1c117e16176b54f3df68b68d7c800d553b55a002640672e84359f03

C:\Users\Admin\AppData\Local\Temp\ready\extracted\ANTIAV~1.DAT

MD5 0c896387b0765d8ea6528edd6a489c8a
SHA1 e1c42a6c1dd3f367db45d97896e67d79e855e8a1
SHA256 16420c770b7bd9bce02a13cdccc675000747e1a850f8e51dcde1c2f62e861e08
SHA512 d1ef26df7cb94c571d23bbb55e5cd3302cceb46edc1533115a2aa5ed2ae02d6b3bd69fda46ebaccc508d30b35629fce79a3f104bbec713709cf28cb6663a80fc

C:\Users\Admin\AppData\Local\Temp\ready\extracted\janhidf.exe

MD5 a42608e928cfd28602e252d4feb52352
SHA1 243d378906e9a4c355c3091ccf2763e0dfdbe33b
SHA256 10a5bbeeb39216bde492a246b1b003bcb2d7c0895dea287b5f8ad4f3428ef3cc
SHA512 ce6a597bd3caee4f141d12c987b41d4041adee78437a8c1803a84c24968a6f35eb3cd3779270479c836e25f19770981f74bfc3ed7509aee44c7a4ef70e2d667d

C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_1.zip

MD5 9f4f7b66d6cd9adbff1492ec77be9126
SHA1 13f8d7df286a9c89e42708caf9aaf59c0edbab98
SHA256 4ef2a3cbb5bd9b054c59c316bb294cbc3eb53a7996a85bb4b69683c98edbabc2
SHA512 0eac85d3976b46ea59ea1d5469d9b35680a3c1cbac0f0e72c245b64db574befd5a045b3506b247ac4eaee634f4466ed33728d781907bd64b2b31b7b68c13c944

\Users\Admin\AppData\Local\Temp\ready\7z.dll

MD5 6d806f416ddad629f99a51e86179e4ec
SHA1 d3fccd0022d31fb1be48c243a774d577f87469fe
SHA256 5cf11df592da7f035b4839a56f644eb5c07e2488635208f9333a3d5cec036523
SHA512 2ff397098879cabcc462315fa9676e494a24bbc576586e2674ced4ef6592f6340758c6ebc3a5718cd43fce96392eb4ae7074bead8c435d01678f2d166cc067df

\Users\Admin\AppData\Local\Temp\ready\7z.exe

MD5 4416cb5f95548fb06371ab3df79238fb
SHA1 796963cae899260aab2b8e6f93f5c2d039dff2cc
SHA256 bfd6d0eee7bc984f20459d538efa183321d790627adcb0ae3fcf3b36283dd172
SHA512 524ed177f5ec0388482a485595c2c51f7b8229c1694a1420e6543d3883a3abfc69b4371126f775e0c8b20e08257bdef12aa4d0c4d15e64330673cd8e53d40a5d

C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_4.zip

MD5 dd12a31f83517dd645ef8974616d2c30
SHA1 02126fa349cb10b600e430ad9ad6b75ca365304c
SHA256 fa94fd89a5c7ecceeca8a8c9550acd00ffa11f2d450d4e34de1e09d21c96ab65
SHA512 fc47aaed6155817171b58a0e4663f3fd338732fb4d5cb3af60b23e196e48444726f3ecd248f0e7015c831b62dfbe6daf9dfa3877561715261b2b3499939b93af

\Users\Admin\AppData\Local\Temp\ready\7z.dll

MD5 c5a7139baa557af5030a20d2664f0bb8
SHA1 4e485ba135a06c97b580bd8acbf72510ac5b23d2
SHA256 621edef2fcb601b6572bc6f5b6f1c5b660d216c3748ec42d7b43815b2c0445a8
SHA512 91af4ebe9f55c4469b8455215a8191e9747ee958417d9b6af033ff10b2a33c43c5a47a406dc2f52edc7000cb8eb733ef9901e2a5869d75f59ed1903c8a2148ee

C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_5.zip

MD5 285d432d435cd6fb30a14b26d785ae5c
SHA1 1bba0e1cd964177543561233df0117f210184610
SHA256 82123a06b9ed0f527fed2d987b222befb12023e077bc0187c15ca7389351043f
SHA512 f6c2c6eebd2e1c451f4a4cbb92ee81601a24df97584a6636bf712fe23ba6e2adf2b1c3b1b62de2f28cd0eeb93d07cac12c96548897be42c093c885995c5131a6

\Users\Admin\AppData\Local\Temp\ready\7z.dll

MD5 71c52bef0ff7df8e85832ddef610d016
SHA1 03891360975cb14efdedb09882b1ed36e15e07dd
SHA256 d01a0ee5178283d7f18fb4a9e4826e12eda8160b4f6f5adf5651813837300b29
SHA512 69d212913e745ef3445878b8faf87ef233d3451f454c40beee985dba0c52535a9fecef095323b99b06774343774900423bc4dc393bd8dd6e99bb08d4062d4041

memory/1016-99-0x0000000001230000-0x000000000124E000-memory.dmp

memory/1016-100-0x0000000073E70000-0x000000007455E000-memory.dmp

memory/1016-101-0x0000000001000000-0x0000000001040000-memory.dmp

memory/1016-102-0x0000000073E70000-0x000000007455E000-memory.dmp

memory/1016-103-0x0000000001000000-0x0000000001040000-memory.dmp
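
One thing to notice before lifting hashes out of the Files table above: the path \Users\Admin\AppData\Local\Temp\ready\7z.dll appears with ten different hash sets, and 7z.exe with several, so the sandbox observed different content at the same path at different points in the run. The report does not say why, and none of those digests is a dependable indicator on its own, unlike extracted\janhidf.exe or main.bat, which each appear once. The Python below is an added example, not part of the report: it parses an excerpt of the Files section in the layout shown above (a path line followed by MD5/SHA1/SHA256/SHA512 lines), groups entries by path with the drive letter stripped so that C:\Users\... and \Users\... land together, and separates paths with a single digest from paths with several before emitting a blocklist.

```python
import re
from collections import defaultdict

# Constructed excerpt of the report's Files section: four entries copied
# verbatim, including two of the differing hash sets recorded for 7z.dll.
FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\Temp\ready\main.bat

MD5 3afb4af06ef85bcec37d3493910949b7
SHA1 8dece16a9f45866453ee6af0f1cabaaef5b11448
SHA256 c17d67303f4483cb9a3c3e3f974a26c6c4482f1042aba973cc4a37c686d0803f
SHA512 832067f4f08e111d22aef14ff0a2d86b9e86ae6ae193cfe33486c30c7cd172aa64d19f0729ced4dd3bb08f28feffd992dec416d1d383fc308ac4640c34dae180

\Users\Admin\AppData\Local\Temp\ready\7z.dll

MD5 d70338725e346f223b73e603284677a1
SHA1 3f797a357008ec344aeb7db7090a9f9529aae1da
SHA256 4ea148b631c2401cb7ec9b2e42cbd3d4a77fa018bec19c2b35405bcf6ad298fe
SHA512 b888b10321738bdd97d13c1372ae649c0953f9eca26959e3b7a77c7995ee41b524e05d96de7618d886ba82fd31495e2f911869d91bace3e6c5597548b24ef8eb

\Users\Admin\AppData\Local\Temp\ready\7z.dll

MD5 10d803c03b2ec478a532deb9133f8166
SHA1 f199af33624481fe84f4924cac8fae2144159af1
SHA256 5a22ca08f6b141530f98bf8a9dbb2108e626eee4f82484b1a80513ee954a4f14
SHA512 33ce6066b93fadd399b8f83389d1b6edc99053c91d8522185e0768547f7a5622ecc317296d2ec06acb59db17350ccb43d6949eab633da4a92e4c65297313f81b

C:\Users\Admin\AppData\Local\Temp\ready\extracted\janhidf.exe

MD5 a42608e928cfd28602e252d4feb52352
SHA1 243d378906e9a4c355c3091ccf2763e0dfdbe33b
SHA256 10a5bbeeb39216bde492a246b1b003bcb2d7c0895dea287b5f8ad4f3428ef3cc
SHA512 ce6a597bd3caee4f141d12c987b41d4041adee78437a8c1803a84c24968a6f35eb3cd3779270479c836e25f19770981f74bfc3ed7509aee44c7a4ef70e2d667d
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files_section(text):
    """Return one record per entry: {'path': ..., 'MD5': ..., 'SHA1': ..., ...}.

    A digest of the wrong length raises rather than being accepted, so a
    truncated copy of the table cannot silently become an indicator.
    """
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash line before any path: {line}")
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} digest has the wrong length for {current['path']}")
            current[algo] = digest
        else:
            current = {"path": line}     # any non-hash line starts a new entry
            records.append(current)
    return records


def normalise_path(path):
    """Strip the drive letter and lower-case, so the two spellings of a path group together."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def hashes_by_path(records):
    grouped = defaultdict(set)
    for r in records:
        if "SHA256" in r:
            grouped[normalise_path(r["path"])].add(r["SHA256"])
    return grouped


def unstable_paths(records):
    """Paths the sandbox recorded with more than one distinct SHA256."""
    return {p: sorted(h) for p, h in hashes_by_path(records).items() if len(h) > 1}


def sha256_blocklist(records):
    """Every SHA256 in the section, deduplicated; filter with unstable_paths() before deploying."""
    return sorted({r["SHA256"] for r in records if "SHA256" in r})


if __name__ == "__main__":
    recs = parse_files_section(FILES_SECTION)
    for path, digests in unstable_paths(recs).items():
        print(f"{path}: {len(digests)} different SHA256 values recorded")
    print("\n".join(sha256_blocklist(recs)))
```

Running this over the full table flags the 7z.dll and 7z.exe paths, which leaves the batch script, the encrypted file.zip, the nested file_N.zip archives, ANTIAV~1.DAT and janhidf.exe as the entries worth pushing to a blocklist or a retro-hunt.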

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-12 18:47

Reported

2024-01-12 18:50

Platform

win10v2004-20231222-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\7z.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ready\janhidf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1408 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe C:\Windows\system32\cmd.exe
PID 1408 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe C:\Windows\system32\cmd.exe
PID 1428 wrote to memory of 3928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 1428 wrote to memory of 3928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 1428 wrote to memory of 4644 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 4644 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 2840 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 2840 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 4376 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 4376 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 4488 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 4488 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 2144 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 2144 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 3132 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 3132 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 4888 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 4888 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 3360 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 3360 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 1072 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 1072 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
PID 1428 wrote to memory of 4660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1428 wrote to memory of 4660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1428 wrote to memory of 5040 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\janhidf.exe
PID 1428 wrote to memory of 5040 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\janhidf.exe
PID 1428 wrote to memory of 5040 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ready\janhidf.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe

"C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ready\main.bat" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e file.zip -p___________20689pwd2342pwd16763___________ -oextracted

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e extracted/file_8.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\ready\janhidf.exe

"janhidf.exe"

C:\Windows\system32\attrib.exe

attrib +H "janhidf.exe"

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e extracted/file_9.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

7z.exe e extracted/file_10.zip -oextracted

Network


Files

C:\Users\Admin\AppData\Local\Temp\ready\main.bat

C:\Users\Admin\AppData\Local\Temp\ready\file.bin

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_5.zip

C:\Users\Admin\AppData\Local\Temp\ready\7z.dll

C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_6.zip

C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_7.zip

C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_8.zip

C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_9.zip

C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_10.zip
