Malware Analysis Report

2025-08-05 11:56

Sample ID 240113-gj33aadbar
Target 5824addc5cace9168fb18810a557998d
SHA256 fa6a68e4dff9c701b5a7e4d621dfd67dda338e2c1eae3180d69abae2b2abafcd
Tags
redline sectoprat @makarenaq infostealer rat trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 5824addc5cace9168fb18810a557998d was found to be: Known bad.

Malicious Activity Summary

redline sectoprat @makarenaq infostealer rat trojan

RedLine

RedLine payload

SectopRAT

SectopRAT payload

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: CmdExeWriteProcessMemorySpam

Views/modifies file attributes

Analysis: static1

Detonation Overview

Reported

2024-01-13 05:50

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-13 05:50

Reported

2024-01-13 05:53

Platform

win7-20231215-en

Max time kernel

138s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe"

Signatures

RedLine

infostealer redline

RedLine payload

SectopRAT

trojan rat sectoprat

SectopRAT payload

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost\build.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\build.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1248 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe C:\Windows\system32\cmd.exe
PID 2740 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2740 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2740 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2740 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2740 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2740 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2740 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2740 wrote to memory of 1544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2740 wrote to memory of 704 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\build.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe

"C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe"

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "build.exe"""

C:\Users\Admin\AppData\Local\Temp\svchost\build.exe

"build.exe"""

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e file.zip -p -oextracted

C:\Windows\system32\mode.com

mode 65,10

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"

Network

Country Destination Domain Proto
NL 45.14.49.109:21295 tcp

Files

\Users\Admin\AppData\Local\Temp\svchost\7z.dll

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

\Users\Admin\AppData\Local\Temp\svchost\7z.exe

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_5.zip

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip

C:\Users\Admin\AppData\Local\Temp\svchost\build.exe

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\build.exe

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

C:\Users\Admin\AppData\Local\Temp\svchost\payload.data

C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-13 05:50

Reported

2024-01-13 05:53

Platform

win10v2004-20231215-en

Max time kernel

154s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe"

Signatures

RedLine

infostealer redline

RedLine payload

SectopRAT

trojan rat sectoprat

SectopRAT payload

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\build.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4604 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe C:\Windows\system32\cmd.exe
PID 3388 wrote to memory of 4736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 3388 wrote to memory of 3948 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 3388 wrote to memory of 416 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 3388 wrote to memory of 4620 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 3388 wrote to memory of 4252 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 3388 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 3388 wrote to memory of 3668 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 3388 wrote to memory of 2808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3388 wrote to memory of 2132 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\build.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe

"C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e file.zip -p -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\build.exe

"build.exe"""

C:\Windows\system32\attrib.exe

attrib +H "build.exe"""

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_1.zip -oextracted

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
NL 45.14.49.109:21295 tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.73.50.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd

C:\Users\Admin\AppData\Local\Temp\svchost\payload.data

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_5.zip

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\build.exe

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip