Analysis Overview
SHA256
10cdc1c1b8112716b5aec0caba5db1cef422176c550288f4952473c216357466
Threat Level: Known bad
The submitted file 5928745f1d5cab62de613b4c5f558df1 (SHA256 above) was classified as: Known bad.
Malicious Activity Summary
RedLine payload
SectopRAT
SectopRAT payload
RedLine
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: CmdExeWriteProcessMemorySpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-13 16:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-13 16:12
Reported
2024-01-13 16:14
Platform
win7-20231215-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe
"C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e file.zip -p -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "@lovefuckwithyourmom.exe"
C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe
"@lovefuckwithyourmom.exe"
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_1.zip -oextracted
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
Files
C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd
| MD5 | 14ed47f526671c43880f44b6c4b6fc83 |
| SHA1 | 687323418a481503326bf7daf95ce722adcfbec4 |
| SHA256 | 7d37fd2c4ce79dd8decfb14fd1390f4d7867af812204865fc91194b63ef4c1c9 |
| SHA512 | 212614fa1b92a3e5520ca91442d6d21eebfd479f50bba032b320bea3d367a26f4296e08c7474bf2e03f1720dacbd5697eb8113a7102b8a10d76273b0c93a495c |
C:\Users\Admin\AppData\Local\Temp\svchost\payload.data
| MD5 | 0c4d8185c244c378dd2635dd5e842235 |
| SHA1 | 79bed7df4511237ce5a9571dae2819b4ffe88001 |
| SHA256 | 23afd877f0a4f916f69f778ad94a90a1c615625a8c55645a13285040590fec32 |
| SHA512 | c663c849b0b305ee1b40c46d4c2605640e89ba5af218f41f0d61c0248de1b74eb4bb6240dac2e1ffd5bc85884fa75af4d04adb0f7aa5601a5d5350415c6c9347 |
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | fd3639e8268a12e045750a3bea2e94c0 |
| SHA1 | ed32180613c3335e9e0e365b48947a1d8871966e |
| SHA256 | fa5499591946494e41a6e63230af10c327beab1cda4cf9bfa571d342a66bcb65 |
| SHA512 | 108b1bf31f6b4fe967c6a429188ae0e73f6e83018eaacc2b419bb521b02bfdd520fd02cb251c09c734e6b6896aad960d132bdbd1ad2859fcc0c23d4c54b62173 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | e7937dd57b97cefa8983a76e784a8f9c |
| SHA1 | bf5f1c9d615b0309357fdf5b4c8a1017210d24c7 |
| SHA256 | 624050639c0943244b253e7371ce0770f0ac27ec23736e7699d4924e03cb2b50 |
| SHA512 | 0f147d3afd70aac0e8fe325f5b33d149443583973b00dc3865b6b3aeec0127957a9c2eb9a5beb15f7151034b04d84bca3307148eff1bc283c8198447750fc574 |
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | ede747df5a8ff1072cd7a76ec4460015 |
| SHA1 | 30b0322866df61c3b0fec85a069085c6c18f2eba |
| SHA256 | 43db1dba9645809a890effb4303404c528601a576ef78cac58ef23c7cd52fc44 |
| SHA512 | e0393b5075e0e017079ecf4373ec879ba93a184318aa89ea6c576726debe936418573190db951eafb32930cf690642da7c1eeb61ce04e797c1e098043c4c9474 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 86d15c117cd9e112c658d5dae6ebbaad |
| SHA1 | eb26dd6256282600d581fa0ff9b4b8392133b4c8 |
| SHA256 | 00552e1ec01089fc17e6e363b9daaca689a07063e9582cc253d735a4ee37d76d |
| SHA512 | a25d378af9a348a5de91e1bdd838b05f86aa1a80a980f16761be6222883ed52154c6157bf537d012bb921fe7939feed7db79607972b26b1f0ee930ea3bb72b6f |
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 6e55341c9a0ce67ba366176da388aa04 |
| SHA1 | e794ecd906a9687daaf6b63e50bd9b45a69d594d |
| SHA256 | b9a8642098cba990aefc2b297c70d491f956e3b29e63f1ca91c416d39f6f97c5 |
| SHA512 | 8709af88259c3132c95d2cdd966ed24a257de0ff0acee7628a9c119c87e70489491c58abef0e352a26ca6867fc2ad97f587085b7a2d0741af939eb7b2e9aebcc |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip
| MD5 | d2512657ddd302bf130294d2fb0e0de7 |
| SHA1 | 42bf5e5c89945fa328960fd5357d69513ed80223 |
| SHA256 | b70df0fb66a696e92dbc92e519b105befcd34f9f0c0c01b8986b2deff2294bce |
| SHA512 | addfaab755b1ce4b0e2941bfaee6cc33ee616885daf07e7abd0874aa82b8118d6e84ef9a03bd05e4b08ea6dc5babbb0dc8506b2adac459929ff51c6cce6d4dc4 |
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 37f21b197d07387261fc6c728e2562d2 |
| SHA1 | 63a019358f9eb1caa0bd5927f3847e0150be0e4e |
| SHA256 | 779735a446e61fdb5773925a8ea9c21e468562ccc66d5d18953cb28ceb883a3f |
| SHA512 | f9a0590bee7559a3ce4edb386192baedd12c454ed8de5ebc686363b4fed507693a14215ad55819648651b7b27c92b72c3e02bae6fdf85a6755606552043ca8bc |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 0ef2ed03ea1507ce522d8a8189e22cf9 |
| SHA1 | e83646afdf8c96fed1212784e013561793def91c |
| SHA256 | 49cc8266f73dd2a8771fb6ffcc6d77522ad8a78e37d8dc50afe06153a53f9e38 |
| SHA512 | 1fc16f9bfb6e3d8aab79c544e06c25c2ff0387c6b117934d4d78d0dd5706afc98a2c854e1114723b95bab7a93d47e27951b2cec0829171fab1098c340d6d940c |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 7a6ff8658b727035517d2364f3c3d330 |
| SHA1 | dac86fc03309964b32f9c929060df3cd920c26eb |
| SHA256 | 9a83666f30fa552e95ccec8072fecbd16f6cc293ecd0a1bdd798fdb0b0a02588 |
| SHA512 | 32b5acda35a99551da599fd4835ae95d28e306b4acddd4ab6592345d37b5444da01784ed0064137dfe6e87c49474eed5b72b42e124098c0e345f9e8f85469b4a |
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 92d3f23ea3013eb5288fa129258a95d1 |
| SHA1 | e1678a1e7b6bed32deb57eaa8bd50ec208a00a3b |
| SHA256 | a18cd1947980cfe11a62838ab8fb46b5392099eb8f3311375e0105a5b7838fd7 |
| SHA512 | f8899a1440157385e7f34c2d3935a200caf51426a2387ccee00cd4d4d9c794a34703a688b51b5c370534afce00d159488f226c483145ec8047e8988750e9f015 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip
| MD5 | 9082560582b613a65120dcde6c3c4897 |
| SHA1 | e8d50dfc85abe2aa00a51d917f35487c25e711c4 |
| SHA256 | 3e324d0ff36a51529101b45bb9102260292a6bbb6ffbf55d01fea881cc038704 |
| SHA512 | 180c1025f16d0e227e432ed7bb3c52ca0bcecd5a8390e6d3af28a2425cc1e31801dbd6df377c2abcc982c3a06f15940a654bd6b488e8d595ee41de5a56e1ef2f |
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | a9556a9583021f75ca2567bc98b5f28e |
| SHA1 | 5af46dcd462b4ae84632e929693a547cdf04c1ea |
| SHA256 | 21f50574ee333fcc187659ed0ffa8cfe8fc62a272442a56ef24902f77df29057 |
| SHA512 | 90c133d03f0904f44da501162bd531b62f2d4b985474cdb190e6a39c1ce52a9d7e6ba9db8fc780d6e99fa3888e25dea572fd814595609f90571b6d8d353fd9df |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | df991835b44cdf4a49813b2470bed70e |
| SHA1 | f5a3aec8b312db18663d5c9eb231c3632cfeb867 |
| SHA256 | 91a9aa869359f01e8078163e33a04a299fb6a3d57d255a79116e5f7a46e8068a |
| SHA512 | 1303b76c7186329149b8215f987e9a35a9bb50ed2525d392173dd15063971c2cc2b54d3e1c5ba954d1044ac8891e29290afd71eff932b681e35015537b80dd26 |
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 3640c9c0bbccb95531eee53bd6f49e33 |
| SHA1 | 2d174c44091c73b5d486cc6a513d8d64580b20df |
| SHA256 | 24e2c8f03c401e5195e5de727fd1b5dc675992301b6d344a38906d813a9efa0d |
| SHA512 | dee29fc01a00d165863b8cd2ace6f9f5f3f533a3da34869eb7b201cdfdffce4b96741b7d7cd38d9c46ccde278fe553eb33125bb49d38ab3edc51f155be405ea5 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip
| MD5 | 9679f15a03e532c442b86b99d901637f |
| SHA1 | 43e4579628d2201dc556ebf4d29464fb777e2238 |
| SHA256 | 487f4d740ba3d9c42a5c6e624f34d3e20a330418d2925e2fec2fde37bb64a7d1 |
| SHA512 | 8097846f22e81885844a42e63fc34218affad7d4cc659b94350f45955353d324d8f107eb2228606b7f14a6fedce2f1184e69c2dec07b6625d1ca00771fa03236 |
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 91d23974b3b147cf00786ff79be1fbb6 |
| SHA1 | ec4f7f9db4ca98084cd56b04fc5d8a3b7428c0d2 |
| SHA256 | d80c2d9352b15cba2747ee7d0dfdc85dbf7bd43a3b8ef7407ff671cc3c3762ff |
| SHA512 | 5d3fedb74ac6acdbfba520c540a19ee5b7790b489681a62938b8df78714f29e7681845e4cf53a2d3158d48af8d53c2e607ccf905faf71d424b330f21244a6d8a |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | fafd0a4a565be90cee0b1e7f3a7b27a6 |
| SHA1 | 7c99b311f30d9a2247f7a72cbf6c0b376a5ee64c |
| SHA256 | 0e47473107c2d8f9578cfdc6a977de769d35ad4d234184acd7088936c97844fd |
| SHA512 | 243c84e6c2dd61916b8b3d4f626ccbd73ba52946c03e275ba26924075cbb7ed302ca24a5c148e51dd69f985a0e40991920e17f3798e8f05074ccd6795da0694b |
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | af5233f6d4c806ecc112ee4b7623e4f8 |
| SHA1 | 53dcfd03b40a0dc7a6491745cfbeb8db23e3113c |
| SHA256 | c7722d8aad2e6a1d1c300d057c3674a894fac996bbf78feba48bfabf4214ae41 |
| SHA512 | 1181c1c0b4c7ef6464bf5d0be164601b3ad8c21b50ea7c1dc33fa60f0f629b7a4d1f8f2ff15298536e4c5b4a720d6d321e289e92cffe2b7a880e874ed6a1be84 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT
| MD5 | 634d6c3f5f2db3c90c31bd36cb840181 |
| SHA1 | 523f20c550bcebf938f883913001feca14d12233 |
| SHA256 | 841f9f9d31efcc110ad8ba8a550e285ba5398c322fe20d0843db23a9c027079a |
| SHA512 | 41c02f3d2293a775fbbc1c45b355155a89dafa62b1c8b38a0d9935c248545c9944c8d36ac4b1b58139785bdec2280d4cbdc8f5357b6187635f181755362aaa0c |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\@lovefuckwithyourmom.exe
| MD5 | f715021bca8947192b494a037ddae36b |
| SHA1 | d2a70a50a0258a7d471d3f8043808f962282fc7e |
| SHA256 | 3508971255c901dccbe8a461de9fa390add18675e44bfa55a2c792f62cf7db62 |
| SHA512 | ce3801a52248785a41d1db4c284b3c06f18d7753555659bbb36ac960d5cf4990c33d5981620090dbf07bd009951d0760b5c8e529ac64c973deade35d36c0d35f |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip
| MD5 | f8fdd24daf1aa469ac0e32e9b1459ab6 |
| SHA1 | 23dd9dd5b626c364a964cf583b045c8197b12d74 |
| SHA256 | e8f4204e1b3ceca11d1865e28201761c1b4017b30377ca4c1639c7ccac952949 |
| SHA512 | 05843ad3518438b825c7864854e6a8f7a3538bfd76327b8fb652a073ad38df60051c1ab420e89d78b9b02a14f74a535f03b0f0340259c13c4aad200c60898aba |
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 01b4d7a25878352f6099baf08ffc4e98 |
| SHA1 | 00f135b1f057aaf13c7de98f2ccf4eee83a6c538 |
| SHA256 | 554b10a2d4487368d996c035c09fd521d25df2f411659abd03aff9ed91f4e641 |
| SHA512 | 8a7a5e249bd2fb6c678c52bc25dca4a4d7ff9e16e962ca0dfb6d0c02b4ca27688b0163c7a146e87310d7c3b70235e5357a095a56a7c1f0024c5d31e036dd3e33 |
memory/2612-58-0x00000000749D0000-0x00000000750BE000-memory.dmp
memory/2612-57-0x0000000000BB0000-0x0000000000BCE000-memory.dmp
memory/2612-59-0x0000000000B40000-0x0000000000B80000-memory.dmp
memory/2612-60-0x00000000749D0000-0x00000000750BE000-memory.dmp
memory/2612-61-0x0000000000B40000-0x0000000000B80000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-13 16:12
Reported
2024-01-13 16:14
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe
"C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e file.zip -p -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe
"@lovefuckwithyourmom.exe"
C:\Windows\system32\attrib.exe
attrib +H "@lovefuckwithyourmom.exe"
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_4.zip -oextracted
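Both runs record the same unpacking chain: the sample launches cmd.exe on svchost.cmd inside a Temp directory named after a system binary, runs the dropped 7z.exe once per stage to peel nested archives (the outer archive with a password switch on the command line), hides the final executable with attrib +H and starts it. The detection below is an added example written for this report, not part of the sandbox output. It replays process events constructed from the win10 process list above (the pid/ppid values and the event field names are assumptions) and flags each stage without relying on the order in which the sandbox listed the events, since this run lists the .exe before the attrib call that hides it.

```python
"""Flag the 7-Zip nested-archive dropper chain recorded in this report.

Added example, not sandbox output. SAMPLE_EVENTS is constructed from the
behavioral2 Processes section; pid/ppid values and field names are assumed.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executed image
    cmdline: str   # command line as logged by the sandbox


TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Script path handed to cmd.exe: a .cmd/.bat token, quoted or not.
SCRIPT_RE = re.compile(r'([^"\s][^"]*?\.(?:cmd|bat))(?=["\s]|$)', re.IGNORECASE)
# Names of Windows system binaries that droppers borrow for directories/files.
SYSTEM_NAMES = {"svchost", "csrss", "lsass", "winlogon", "explorer", "services"}

T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed from the win10 process list; pids assumed
    ProcEvent(100, 1, T + r"\5928745f1d5cab62de613b4c5f558df1.exe",
              '"' + T + r'\5928745f1d5cab62de613b4c5f558df1.exe"'),
    ProcEvent(101, 100, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""' + T + r'\svchost\svchost.cmd" /S"'),
    ProcEvent(102, 101, r"C:\Windows\system32\mode.com", "mode 65,10"),
    ProcEvent(103, 101, T + r"\svchost\7z.exe", "7z.exe e file.zip -p -oextracted"),
    ProcEvent(104, 101, T + r"\svchost\7z.exe", "7z.exe e extracted/file_2.zip -oextracted"),
    ProcEvent(105, 101, T + r"\svchost\@lovefuckwithyourmom.exe", '"@lovefuckwithyourmom.exe"'),
    ProcEvent(106, 101, r"C:\Windows\system32\attrib.exe", 'attrib +H "@lovefuckwithyourmom.exe"'),
    ProcEvent(107, 101, T + r"\svchost\7z.exe", "7z.exe e extracted/file_1.zip -oextracted"),
    ProcEvent(108, 101, T + r"\svchost\7z.exe", "7z.exe e extracted/file_3.zip -oextracted"),
    ProcEvent(109, 101, T + r"\svchost\7z.exe", "7z.exe e extracted/file_4.zip -oextracted"),
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _dirname(path):
    norm = path.replace("/", "\\")
    return norm.rsplit("\\", 1)[0] if "\\" in norm else ""


def detect_dropper_chain(events):
    """Return (rule, pid, detail) findings. Pass 1 collects attrib +H targets
    so that running a hidden binary is caught whatever order the sandbox
    listed the events in (the win10 list shows the .exe before attrib)."""
    hidden = set()
    for e in events:
        if _basename(e.image).lower() == "attrib.exe" and re.search(r"\+h\b", e.cmdline, re.I):
            m = re.search(r'"([^"]+)"|(\S+)$', e.cmdline)
            if m:
                hidden.add(_basename(m.group(1) or m.group(2)).lower())

    findings = []
    sevenzip_dirs = Counter()
    for e in events:
        img = _basename(e.image).lower()
        in_temp = bool(TEMP_RE.search(e.image))
        if img == "cmd.exe":
            m = SCRIPT_RE.search(e.cmdline)
            if m and TEMP_RE.search(m.group(1)):
                findings.append(("script_from_temp", e.pid, m.group(1)))
                if _basename(_dirname(m.group(1))).lower() in SYSTEM_NAMES:
                    findings.append(("system_name_dir", e.pid, _dirname(m.group(1))))
        elif img == "7z.exe" and in_temp:
            sevenzip_dirs[_dirname(e.image).lower()] += 1
            if re.search(r"(?:^|\s)-p\S*", e.cmdline):   # password switch on the command line
                findings.append(("archive_password_switch", e.pid, e.cmdline))
        elif img == "attrib.exe" and re.search(r"\+h\b", e.cmdline, re.I):
            findings.append(("hide_file", e.pid, e.cmdline))
        elif in_temp and img.endswith(".exe") and img in hidden:
            findings.append(("hidden_exe_executed", e.pid, e.image))
    for d, n in sevenzip_dirs.items():
        if n >= 3:   # one archive per stage: repeated runs mean nested payloads
            findings.append(("repeated_archive_extraction", 0, f"{n} 7z.exe runs from {d}"))
    return findings


def rule_names(events):
    return sorted({rule for rule, _, _ in detect_dropper_chain(events)})


if __name__ == "__main__":
    for finding in detect_dropper_chain(SAMPLE_EVENTS):
        print(*finding)
```

Each rule fires on its own, so a 7-Zip binary run from Program Files or a .cmd started from a build directory produces no findings; the six rules firing together on these ten events is the chain the report shows. A real feed would carry timestamps, which would let the hidden-binary correlation also require that the attrib call precede the execution.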
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | 75.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| GB | 96.17.178.174:80 | | tcp |
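In the win10 run the only name resolved that is neither a reverse lookup nor Microsoft background traffic is xetadycami.xyz, queried some thirty times over UDP/53 with no TCP row ever carrying that name, which is the pattern of a payload retrying a command-and-control domain it cannot reach; the final row is a connection straight to an IP with no Domain cell. The helper below is an added example, not part of the report. It parses rows in the table's pipe format (tolerating the three-cell row), counts forward lookups whose name never appears on a TCP row, and lists direct-to-IP connections. SAMPLE_TABLE is a constructed subset of the table above and the OS noise allowlist is an assumption.

```python
"""Summarise a sandbox Network table: names looked up over DNS that never
led to a TCP connection, and connections made straight to an IP.

Added example, not part of the report. SAMPLE_TABLE is a constructed subset
of the win10 Network table above; OS_NOISE_SUFFIXES is an assumption.
"""
from collections import Counter

SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | xetadycami.xyz | udp |
| GB | 96.17.178.174:80 | tcp |
"""

# Assumed allowlist: background traffic a Windows VM generates on its own.
OS_NOISE_SUFFIXES = ("bing.com", "bing.net", "microsoft.com", "windowsupdate.com")


def parse_rows(table):
    """Parse the report's pipe-delimited rows. A row with only three cells
    (the last row above) is a connection with no name: its Domain is ''."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 3:
            cells.insert(2, "")
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def _is_noise(name):
    return any(name == s or name.endswith("." + s) for s in OS_NOISE_SUFFIXES)


def lookups_without_connection(rows):
    """{name: count} for forward DNS lookups (udp/53) whose name never appears
    on a tcp row. Reverse (PTR) lookups and OS noise are dropped. The table
    carries no DNS answers, so this cannot tell NXDOMAIN from an unreachable host."""
    connected = {r["domain"] for r in rows if r["proto"] == "tcp" and r["domain"]}
    lookups = Counter(r["domain"] for r in rows
                      if r["proto"] == "udp" and r["port"] == 53 and r["domain"])
    return {name: n for name, n in lookups.items()
            if not name.endswith(".in-addr.arpa") and name not in connected
            and not _is_noise(name)}


def direct_ip_connections(rows):
    """(ip, port) of tcp rows that carry no Domain: traffic to a hard-coded
    address, or to one resolved before capture started."""
    return [(r["ip"], r["port"]) for r in rows if r["proto"] == "tcp" and not r["domain"]]


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_TABLE)
    print(lookups_without_connection(parsed))   # {'xetadycami.xyz': 3}
    print(direct_ip_connections(parsed))        # [('96.17.178.174', 80)]
```

Run over the full table the same functions return the domain with its full lookup count and the single 96.17.178.174:80 connection; the noise suffixes are the only tunable, and they should be tightened to the specific Microsoft hosts your sandbox image is known to contact rather than whole second-level domains.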
Files
C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd
| MD5 | 14ed47f526671c43880f44b6c4b6fc83 |
| SHA1 | 687323418a481503326bf7daf95ce722adcfbec4 |
| SHA256 | 7d37fd2c4ce79dd8decfb14fd1390f4d7867af812204865fc91194b63ef4c1c9 |
| SHA512 | 212614fa1b92a3e5520ca91442d6d21eebfd479f50bba032b320bea3d367a26f4296e08c7474bf2e03f1720dacbd5697eb8113a7102b8a10d76273b0c93a495c |
C:\Users\Admin\AppData\Local\Temp\svchost\payload.data
| MD5 | 2b2666ebfdc9adfd2fc1a0d8a84d2f75 |
| SHA1 | 86a788663a2fb29441e3bb4aa823b609274d85f0 |
| SHA256 | d16f59ebdd3b51758a753c1503298fe0bd14217e0c8ca648259eff247f4cd403 |
| SHA512 | 5e8ae5ec4d2a89b38f2b57408e90286ec9a4add5adc042ca95e2169f54280b7737e47dd811e53536ff0b3913b2ea692fba87cd799c168f4f51b3a696de45a2d1 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | e1fee3d3780c73637252b69e44f3e85f |
| SHA1 | ea3255fd0b61ac92323a91e2463dd20b44edf66e |
| SHA256 | f01b05966047f5d3931520d1ae7c85dd548e7082699dddc2503a5c42063bda3f |
| SHA512 | cd5455f93330f03f9d0f4c2771ee32ea799332b5dc937a2e7b3cae414f22e7b4acc32225abf161c2070163f6e300fce6c5f1b25f3ac2ce51c609d0187c2a5f62 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | bdac165c36265693370205114caa5ee3 |
| SHA1 | 4f5fe76e41f3cced90330b320bb8144b408f9fd5 |
| SHA256 | e1f8abc6554a84ccf75d9381de5e2c36fa87ef753195e8de9483de2c0aa3f191 |
| SHA512 | 1bf1d87512878b0075a71c1fb1653fe34c3e4706d7404c89185b7adb29f83477e0d00374a3c4d54a123cf90fff8b317f9a50881b9708513b6e45fc1691e7fd3b |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 0ac45708dce897ea32d6812fe54898d3 |
| SHA1 | 496f87ee4c39b8227d21d52d2d534fcec6438345 |
| SHA256 | f119981b4e6b05c6892e7bd1dea9b2673594f66daaf1176fdceaa4402928b003 |
| SHA512 | 77ed189ca457a1e2632176e46ad872f8edb691ca9d675b41eb3edf096073c664cf69f7fc49d322dddc9eecc0be1f250cfc428b58262d536a271a3fae9b247acd |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip
| MD5 | 9679f15a03e532c442b86b99d901637f |
| SHA1 | 43e4579628d2201dc556ebf4d29464fb777e2238 |
| SHA256 | 487f4d740ba3d9c42a5c6e624f34d3e20a330418d2925e2fec2fde37bb64a7d1 |
| SHA512 | 8097846f22e81885844a42e63fc34218affad7d4cc659b94350f45955353d324d8f107eb2228606b7f14a6fedce2f1184e69c2dec07b6625d1ca00771fa03236 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 5ccdaa140e9f3518e64b6e8884df5398 |
| SHA1 | c39a7a3ecca0032e84246a4da17b6b8bab671f91 |
| SHA256 | aabadb4ab4cfb509ae8be07dae1871e8525f905252d83a57f67da616862e3b35 |
| SHA512 | ae13ec1ed7ae8b65a490b15fc6024e5051f5ef29c2f9f2daca5c616ab1924e6ed762077f2ecdd96ba2e817d1d6210fbf5d937b5b326ec2950dabbdd619ba6f8c |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | c01f69339fc0f3ef16f8ba3786a1e365 |
| SHA1 | 52db3644a3dfcdff0732a3b743054b72c087283f |
| SHA256 | 67c037cce11ab150d0e447a3dfe1b502b85bd777e739c2ba4e0d23f79bc9c293 |
| SHA512 | 4720c5e8cb2dc504e9780b178973a342cf805f4076254ecc08876ce609f1a8c36a4f436aae892514de42a0f4398f775f2be4629e583aceb387ac2d03dc87dcea |
C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe
| MD5 | f715021bca8947192b494a037ddae36b |
| SHA1 | d2a70a50a0258a7d471d3f8043808f962282fc7e |
| SHA256 | 3508971255c901dccbe8a461de9fa390add18675e44bfa55a2c792f62cf7db62 |
| SHA512 | ce3801a52248785a41d1db4c284b3c06f18d7753555659bbb36ac960d5cf4990c33d5981620090dbf07bd009951d0760b5c8e529ac64c973deade35d36c0d35f |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT
| MD5 | 2fba0ef603d9b47f29bd69bc7d742bc3 |
| SHA1 | 6ef6ce5db6e19c082e7795ea9638e58b22267da7 |
| SHA256 | 04cd304865c4f2a5a1a40cc60cd8a4165af1a6e299c46486d933e9f4cf9b7652 |
| SHA512 | fca6b2dbc922351cbf78cd70b37364d8f333f078f34f7cfdc34dca108004f27c3dc9accb69c5fb1469cc9344622976656a7a5979966b1ca272787e46df2713e8 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip
| MD5 | f8fdd24daf1aa469ac0e32e9b1459ab6 |
| SHA1 | 23dd9dd5b626c364a964cf583b045c8197b12d74 |
| SHA256 | e8f4204e1b3ceca11d1865e28201761c1b4017b30377ca4c1639c7ccac952949 |
| SHA512 | 05843ad3518438b825c7864854e6a8f7a3538bfd76327b8fb652a073ad38df60051c1ab420e89d78b9b02a14f74a535f03b0f0340259c13c4aad200c60898aba |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 73d18262d494f3b4f7b279096b706022 |
| SHA1 | 2858c5bd367f18a1936ec4fa00d2ea820af927ec |
| SHA256 | 1191f1207072a5af094b3cbf204b3575d6adf4695d0fdd6c71779a98e150cce8 |
| SHA512 | 3b25da3326fa8fe1acebcb1a315e325f0525beae99114c8f672db5c736ebfd2131ced1beced6f9df71e2ce274ae66787e103c29eeb8f7ec285aab4302d1c748b |
memory/2740-47-0x0000000000440000-0x000000000045E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip
| MD5 | 9082560582b613a65120dcde6c3c4897 |
| SHA1 | e8d50dfc85abe2aa00a51d917f35487c25e711c4 |
| SHA256 | 3e324d0ff36a51529101b45bb9102260292a6bbb6ffbf55d01fea881cc038704 |
| SHA512 | 180c1025f16d0e227e432ed7bb3c52ca0bcecd5a8390e6d3af28a2425cc1e31801dbd6df377c2abcc982c3a06f15940a654bd6b488e8d595ee41de5a56e1ef2f |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 6e7f44d7e49dd8489800f51c52cf9b42 |
| SHA1 | ab014142cae263ec1ebcada6cd9386a99f7b34e2 |
| SHA256 | 941b2a461e38971206e4cc7e9c08bae0641580aaecbb12a231e12feec2598566 |
| SHA512 | 6bc1f37ac57c48bd5853dd55348f89ecf0178ae4e44cdb7a0c68ec1ea59165a24a7a241fd4d164c6d9dbba5b31e43937041902a137b6f2f441986c50054e0227 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | b899b8cbf798b772b21f4a66e70d7214 |
| SHA1 | 5f0c1b1d3aaaffd77f5de7ec6e1ab7ad8dad4a8c |
| SHA256 | 921e44cc8144af642e3e420d66060a97c5b0d04f415783420f7c20d391c6ca09 |
| SHA512 | 2b381a80fc7cc619ffeff8df38af61e95f23b6d09c3a461533c07556285a1dd1a88fecbb7be51416ec0fd83bdebd1c590fb6580ff3c9ef87cfbbb2e5653f2dd9 |
memory/2740-50-0x0000000004DC0000-0x0000000004DD2000-memory.dmp
memory/2740-51-0x0000000004E20000-0x0000000004E5C000-memory.dmp
memory/2740-49-0x0000000005320000-0x0000000005938000-memory.dmp
memory/2740-48-0x0000000073230000-0x00000000739E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | a7d8c374a1af75b4ae33ec2d676b18ab |
| SHA1 | c569b32fb85d97d75e49570a2bcd4c4b35257e0e |
| SHA256 | 31f81296189821e78508ba43aeec6fcc36a1e8de4e408a0178802780d293cb0d |
| SHA512 | 455e6501b0dfbda71bb627ddf8532f2fa664e52ad1796bc25a2aff78766eb327f98263e32538efaf1ae1d6add0ec30f1103ac4eb93da2faabb37c86e3d7dd5dc |
memory/2740-53-0x0000000004E60000-0x0000000004EAC000-memory.dmp
memory/2740-52-0x0000000004EB0000-0x0000000004EC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip
| MD5 | 574207deb7e8e0c016fe25a825e9ed90 |
| SHA1 | c98fab2efd8a759da5e49e86644cc9ba21936d6f |
| SHA256 | de78464ddca54d3695aa7010ed9d9972d899d76000fd4b4feaa30e756f30bdd7 |
| SHA512 | d99b762c86fd3d12fac0acb889462fe82ee9d4221b65d984a0c42fff05f14be0cbabfab7f2138eed477edd63f81e9541f386f637e767c86c7c049cfb4ff62bce |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | a634e737a02bd2a753244cedd5c7e4c9 |
| SHA1 | 4c62c69503559c20ced8e5e6c5b78e0db0489c47 |
| SHA256 | d9af7e478af877b40f6874c1c75d5738d92688f1fe94e267652b47f70a27665f |
| SHA512 | 74084f193187d3fda6f19857b8e366bb24d64e769fc3aa68d3d7c5630bdb2f061fceeaebd91b2a044b41d829539f6f3699e8e3ce462b40af99c9d3557fa1e06c |
memory/2740-54-0x00000000050D0000-0x00000000051DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 14b6af849c769dca4b2767a278af1631 |
| SHA1 | 0cc2c472f3e6ed2918ec5bfc9eaab2d47ba0222e |
| SHA256 | d3a85adace40351dfbdae6be6562e0d5260356355c81663f7ce2955daa0bf24d |
| SHA512 | e4e924e2454a849e914ce68b647193773cf7a7afa0e81b50af4c6b8b94faad065901fc33345e66aac59915e7f1b2bd4ea6161560b01d858811096a93cdd85019 |
memory/2740-55-0x0000000073230000-0x00000000739E0000-memory.dmp
memory/2740-56-0x0000000004EB0000-0x0000000004EC0000-memory.dmp