Malware Analysis Report

2025-08-05 11:56

Sample ID 240113-y76azsdeem
Target 5956d4f7e7ee67784eb1144040e52b5d
SHA256 3bd79a5e14e5c1d9d33230d737e40c877c1bcf5eaa750fbf15eb9791b88a544c
Tags
redline sectoprat @kosmostarsz infostealer rat trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

3bd79a5e14e5c1d9d33230d737e40c877c1bcf5eaa750fbf15eb9791b88a544c

Threat Level: Known bad

The file 5956d4f7e7ee67784eb1144040e52b5d was found to be: Known bad.

Malicious Activity Summary

redline sectoprat @kosmostarsz infostealer rat trojan

RedLine

RedLine payload

SectopRAT

SectopRAT payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-13 20:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-13 20:26

Reported

2024-01-13 20:29

Platform

win7-20231215-en

Max time kernel

135s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5956d4f7e7ee67784eb1144040e52b5d.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\5956d4f7e7ee67784eb1144040e52b5d.exe C:\Windows\system32\cmd.exe
PID 2132 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\5956d4f7e7ee67784eb1144040e52b5d.exe C:\Windows\system32\cmd.exe
PID 2132 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\5956d4f7e7ee67784eb1144040e52b5d.exe C:\Windows\system32\cmd.exe
PID 2132 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\5956d4f7e7ee67784eb1144040e52b5d.exe C:\Windows\system32\cmd.exe
PID 2772 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2772 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2772 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2772 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 592 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 592 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 592 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2772 wrote to memory of 2000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2772 wrote to memory of 2000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2772 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe
PID 2772 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe
PID 2772 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe
PID 2772 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5956d4f7e7ee67784eb1144040e52b5d.exe

"C:\Users\Admin\AppData\Local\Temp\5956d4f7e7ee67784eb1144040e52b5d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e file.zip -p___________7524pwd5130pwd785___________ -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe

"@kosmostarsz.exe"

C:\Windows\system32\attrib.exe

attrib +H "@kosmostarsz.exe"

Network

Country Destination Domain Proto
NL 77.220.214.232:13459 tcp
NL 77.220.214.232:13459 tcp
NL 77.220.214.232:13459 tcp
NL 77.220.214.232:13459 tcp
NL 77.220.214.232:13459 tcp
NL 77.220.214.232:13459 tcp

Files

C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd

MD5 1d7b05e211d49a88d01c05889b868722
SHA1 75a005a63c322ffc539a8580eb7dc88fe8f06a76
SHA256 34be809068ccfee8ec7c49787034ad5b16bbbe98074e797cbf4bc07d71484487
SHA512 b1de87bc31eedb8ae7dc08ba43b8db4334610e7af84f31ea4d61aec9946f4f3b35f0d312582d490c636c0ebb5b4747e8535e87fa00ed67949558075009efc2a0

C:\Users\Admin\AppData\Local\Temp\svchost\payload.data

MD5 dab78c860a4e898033cffa46bab77d0b
SHA1 60daffcc924b6fe66a1634efa8bcedd03aa9c5e3
SHA256 fd626d3c4f0668b5590fa0f68474cea51c50ed364ac442923801ff24d2e3beb9
SHA512 d84d8c3d9191174a181b79d83bc8e609f33647b5a75fd43a8997e8c9c4dd5eec2ca0da0fc9de856953ae88c480ad7af932f23ae5d278db8b78416aafc27ff8b6

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 639b42fe74d1b9b9989be4887d370785
SHA1 41d006f208d917a85091da85c27887585d0cc3bb
SHA256 c85fb09843feb4bd942432d89c06a8069efd47fd230f3986cd59d4f37236b6e6
SHA512 c7a50fce1dbea123eb51e25866c7718a52d8fe7a4e7416eb7a0ebc132ada0a26ae0ff7ed92665af1b5d4e9e1c94d9802f1d680122ff560594233814b516ef596

\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 ffc1cfead036a41f424c4425db0d4131
SHA1 8f6daf42f933f6a485f94b4c4ea3a7a2e962a787
SHA256 a660560703b906c5087d9a95d85d70c58f8c936133f6d60c398ea33c326a8e8f
SHA512 f6255f1e89e3eca5db954cda9f19952c3b1366bff627c11fbf75c771095cc16e0eef16a4378c35798e79802d9083fd15f51e72b9b00d59be86e3d7b216469618

\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 100b6ffe902fca3bab65c4e6b336507d
SHA1 078faef7667455ec9e67dd82a837eb6f9b12e046
SHA256 61c889b29257fba4555011ea0503ea729f21834f967dca748ab2f657160b69e3
SHA512 a5925911412b1201623103b0b15d6b3ac9db1893427e161db5382f815cae5104aa2391c82ee6a30010295d9ca421a300140bfde3adf54735298ab52aab19caba

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 f19b29a2c96a75b1ca888342b63a40bd
SHA1 8b60db9ee487c901811c2caca19dc9b2fcff30cf
SHA256 20b1089fbdebc2cc0c313396390445ab2f7eb36b83dc141cfecaf120a97e4832
SHA512 d5d9bee73f22042e12b0e3ded9120d771c9a71c236a8f4e82ffca52a57b539ce5e113b3374c71de3cf149c41d0500c1142276288c21487d9e23c5d9e2f0d7b34

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_7.zip

MD5 57549ef135b2a0a56ab61585e99a295c
SHA1 2c1c72a42803f8e9dc45877dfd34e4b8ee2f714a
SHA256 1fd677ecd856fed73c5f3e8ef73223377f07929afce84c11fe9aef0113819d15
SHA512 528038d0dd5cda1153fd27437bef87bc9d1b319afcc7d9e49b2a9e5342bcd4562ea3ce70d1e080befd49352b1271939919f755502ce4344425b578c12e6054bd

\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 df3fd879e7af9873cfdfedac9f92f937
SHA1 2ecf247a1bb715aaa1b1fcdaa347c01c112a8510
SHA256 bd4c7f64e622af8f101919a872fa19103fcbfad51496b7cbb586d786476bb353
SHA512 08cbbf0fe2e00fc14e528f732ada2acfdcea3908031e559a70a8f681248f1d277faf4ff06e9c7ab818e71a852c41ad7fd9f62b22af15e9703e051c581c38e239

\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 e859ec806349adcef0480e2587a020f2
SHA1 9b8fbd42f4c75670f2dbde3a66112bd37822942f
SHA256 5167f8103d7d6dd59470a7f76e38e4081948a312eed503428340e80eb449b92b
SHA512 507e6bce9c0ec6dbd5ef626a5d677d0ba45f04b56a34e28de7763529e53bd466cad812da4bdd944c8d4aadb9b4abcacbfe05adc8faefca6aca1c5d0132d88d70

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 257a35faea770344444e3804cc3081f2
SHA1 5ac700daa72484aad19fcdb40a6cdb5d402f94ab
SHA256 26e4419a350e9a420f10a37b059063ca76b96f8a88eeadb0ce82ef8503671c10
SHA512 7564b8c8a55ba696a949ba7d7acc5c4a53068e2ef01419d01f4d326d96bb69b8f193addba1fd534225c4c9b4f752176f72bc11b4154bea3a7d7daae751627821

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 a2eccc168c34ee2fc6ce60874998b595
SHA1 693d6b62053216ac7c93618bdb501f87d66bd861
SHA256 abb205e3e1836637de6408b48b8230e205b8f7844def4d45a45bba54f6c12c63
SHA512 4cf5a29e7ab92c76df43ef7683c1aca92621af1f8571c1d7332fcae41c23e4941ef28cb278999ed5f1b120a9994364db4e52bb324a4dac347fdd4c2a1444789f

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 0314869289a38fa4b16bdd3ec253f92c
SHA1 4e513720f5ed58b32b962d33295a81305c42a851
SHA256 2988c1621b284a40a1c039946018f14374578c9624cf603c97b63b578428e91c
SHA512 0a9e7febeb2fa16f927b5075b001fbbb4100d3edaa13dbd08bffa8ad20c0b5bb2d37504b3517990150bb8d13cc7ff95776e93556f522ea2d0745f54ec2da401f

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_5.zip

MD5 11ca0d3ad67ab953a087c784e55359c7
SHA1 ed0afd402a62f50a8c45f851acf44c40843a2cc0
SHA256 bc3e6da2f38eae41d5e72d2adc22af21d087d13ed53866ab63c5a2dc5fae6b09
SHA512 64a8feda34c6f7151b94532f374d7740d0d4a605df1807248b7aefc5e6e963d2b6c7484bba4e737d13b0c9c76bbb3e17137633a30a1c1ae5628247965075c3ed

\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 a38db839b3c07fced8999e27d0cf1f8f
SHA1 e102a4ed6d808d83583f4a8cdde3b66995166c49
SHA256 26c74029c7d211eef4934736f30440b9c19c4cf00d34c985c3638e3b4e8177e9
SHA512 cead54ddf5524ffad5eafff65fe264a0993a91d535e2220ef32218dd1562455daba2b5126b95335b229b7f51d23128582a516fe6a7871ef799ca2387162b2541

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_6.zip

MD5 b160972741741f13ff1a675cf5f90189
SHA1 d04a6d2bc33e95d9c7ac1996f3d755e0b018fb7d
SHA256 fcb40b104e234ac18357146d87b2a5089e5a9cf0194c1e8405cca0338fbb2b98
SHA512 739eba6788194368f0abb5050800bcceea82f5c17162de6394743eab4d286b96226a874d37f54e0d486812ee29ccc95909df9238746c8c025af0c46efd14926b

\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 9569cf4c3298c4adb84fc33a932282c6
SHA1 c57dfc5aa30ba4a2f2b0064ccda4cd52d5dd8194
SHA256 7fd7537b1cc83446e837b6f8c61dfecff6ce623828bb712dabd175c459beea4a
SHA512 67b8d2ef187a0be623f37a867c0c9565ff1fa8671690bda5fdefb27710291f65702904cc97b979d7bfa3334226781f2ac70176cf53f192b25b4c706b5d223ef0

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 23dcdba96e5dfefe9b8150fdd7ffb853
SHA1 845f3b12e40ca218a0f4bff9d02a76f9dc74adea
SHA256 45c0eea60d8ec57da2a920b45276c8100ff8bbe7a22240398935a7252ef1075e
SHA512 655583f558e6df94570c704a1cbb41f94f0ac9c8066b5f42b9e4dd44516570c8515fbad94a62386ff7850e55565e6fdcf64c7776dd0697985a770a73ef28ccb4

\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 dcd4164e190536fac877e3bb16c73ebe
SHA1 71e5f928a743071a85d32f8ff11950fea28b7a4e
SHA256 29e5db116c95a5e281aebf6a88177c0cf712ccf0162230450c44c5ec17d60836
SHA512 9914b69a8d01f694a204c5832c893050f40ea315391a10bcf15cf2bd8a1da08f36fea3edb077060d79ec363d94198efbeb8f6f3b7b603867d1ebca17c3c0de51

\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 3877dc074925354b86d83610312bb695
SHA1 be2d994e60a54492fb73b21fdf7734d8a004b6ab
SHA256 22c63ad845f65278fd099817c4a50f69224f68d100916f4e898dfbd48a74324e
SHA512 b4c0a32244b2eed759354f01fd665fdea585f44625e3f59bc3167eb5f5cee95c168cd1bbc185ff105c7a76747246114234ed3dc9dad0a258c545f8fa24cadd16

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip

MD5 4bdf4e0eccfb4b953a4a882a12cc8128
SHA1 3402aaa7c349e8211cb5a14cc9e84e4496b2d61e
SHA256 c3cd186249147de119c1944b4cc9416ca94af95ce4505353ab50dac54fb8197d
SHA512 6ba178fa8cc97a7181c0cb667dda34a2d848237fc30f9f5932dfe12d3c61fa238c5602416ea285bcecaa2684c1c9804fe8d1f364521c3c76216b7afa99379718

\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 189002b15cf2c89daaa3146f8086518c
SHA1 e2f692f11aea5926ca45ccd346be5c377c9d2d44
SHA256 778f6e656d04a21d81ce716d93170110e646a63f53183b6d79d25417aa114fe6
SHA512 b8467aba9c02a19170999619162791cf8fae897077edb3510979f161c0337deab714ede6c20b11d323b2a6442ced9078213b3654c2f4ca43b0e2f6066d4264c3

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip

MD5 4f9d323b4010c4756e7c23e00c016f04
SHA1 0720ab2eae766221e9073070b3512210dff14775
SHA256 cafa915ce9cf8a5857941066caf7799d877d9a5d55fde72dce059c7dc74537fe
SHA512 216a9d08c418f1c115199e0d4c0ba0e62ca05f4f15e6d0ac6cfb89b9c9c32bc286333031492fa00423e141311d4cbc1d9ff861e4d0865554b994cc7edd83db7d

\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 96f14197a7d4156e9b99864cdf2211c6
SHA1 1effe1949879bca83aa960a00aa0f3bcebfea7be
SHA256 17f98dae05b5542a93ed3c861ddbbf47d41984f4191be3db3743eb001e02a64c
SHA512 52c1da4b2ad74a5f83660512d3022869906794ea95ba37b18851598a4f5bd69a62e1a287d240895219e2405495190171d0d7d4ba4ffc097f90aebccd89eac611

\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 892cb5b2e95b4d80e48af7c25e7670ce
SHA1 d4d522554f7a2ea1b0373ad26ab0ede9f5660ac8
SHA256 c2fd055b92e3b3741d46c5737cace1d84b5158ced305e9f5cd3ad9b6c9bb5a1d
SHA512 b5a4e3585efd06ca83fa46cf00237e6b2c92e6956826162cf2db1d045c1b1983a860d91dcbb927aa5dbb51c59715b2befb3468b4b4bdfb55cb80d006795cc3e9

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip

MD5 fc947be1e2936ab19132b0a2e9273cf1
SHA1 50d59332ec8878661eba457a90e93bff6342c035
SHA256 128a5605da18aca664deed7059d24e06bed6d7e28e30c8a3e35af7d2322dddcf
SHA512 80d80e8c63709f7bddc9f1297e41eb6ab8e0647709893a8e434d5657dc6879e5075a5082d345c46c3b111ce70492adb00833d60e8e3bb4915eb26da0189c8248

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 fc966582808e62ad9b68a7628e461015
SHA1 e2c7693536eaae63c821910979f541e004fbeda2
SHA256 0baa6a399f4d5830a0cb3c4e7ac56b7936d9732514cd29a483dffdb76b5db935
SHA512 29eedfee4a24dc0035a2e425b93dd02926ee07d23936f4b3071b8ccabc93bc9989782a3429b20734440f656be6e37d078d5246ad3fee0bc429b231b22e6ab5e6

\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 6cca6db337dc2a6e137cb5694e1ddf37
SHA1 173d7d8f41a4828c271ddeba7d41564ef0b1859f
SHA256 e435711c2c0f0920022eced854a79e84c678d387fe60c6280def899588d8b156
SHA512 e7970350c475a6a65cf30e679055b5d1c8533717e7b1d8cff375012c6596440929c3f87c88edaa48d2ebf614263d7afeb0137037ecf30c4d5a1764e7f19c1cae

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip

MD5 35986967c70d3d917dcc7b48a3333f70
SHA1 17b5eb8f675308ab196c507ac31515604b811d1a
SHA256 a01fdedfdbcd10210b3f32cffbcb6e8592ca1a0fb1ff15517ea668380eab2a0a
SHA512 6148ddc6f69deb17d4b84ef14a3a6e43b75304f2b1bb0498fba8a4ae666d753eda602e10d6017c044e0652cb32acaa4715339666d1f39bf04a80b6ae9b70d46a

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 a4614dce9bc261316b22b702b8fbed71
SHA1 74face98c023c93740cfcbaef480be353b46baf4
SHA256 d219f4e62276fbf6b43229b37e8a68e26bc1f782967ac4fd46f01b47553d401f
SHA512 30920357c94519b6140a3e598e1d17f73e76846fb4e70fdb14c2b36023c2332dfcc0bc09939b689bf40882ea9c30649a856a24b1b9c43ba6d1392f5d0cf9201c

\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 e45e4bf963b7bb8bddc7f14af3495a58
SHA1 0c49074585c3085b5ba3f42f6439848d0cfb13ed
SHA256 0c4fb7ae68ed66d78de63ee39fe4c8c2c3e2f3298ef8b48f74aed5419264c4b2
SHA512 0061da7dc3130b92ca6a0c8963aa18a2ae2b9fec984c0d3b38c7f0b5e88700e654f35b37eb761dfcda2f7624301d87678ccb32fabcc722f5ab4a9dae65bd2248

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 02068a80d865e25d6b60acd998b86174
SHA1 874e677405022c00587a012fb3c5fd88c139b45c
SHA256 af50ff6b99cdf11e67974f60fd63d28605d2c1aad468427c6dae6bce71f9222c
SHA512 db6a05b559bd9172f4af8c1e4c760946b80a09440a3751ab95a7a5a901cb58d9314b6d23a7a4794b66e18aaa7c4441298ae4b7817894a0f92ea5eb7d8ba73111

C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe

MD5 517ca6dd37372fe69c530d732275148b
SHA1 44f921635977d110ee44f76246bedfcf94da5e37
SHA256 ec1957656723a8674237848c6ad4551d35b4cb00465dc337dfe1ce2a8abfaf81
SHA512 c49a699264269f9dfce6d33e7ef98769c24d55da25cf98198a2e86d1f2b93e2130589eb7b44140bed4faf414cfe72e7fa46d68d2ef582b221a77c4eb44ffed09

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT

MD5 0cb6104aebddb1aef009b9c8ed6ded94
SHA1 2a8ef9c593d27ca19ebb53daffc0cc8295ca23bf
SHA256 b8427869a2a80e6ee0264e02e2aa60d360d998958bea998ea0313d2b0697b13a
SHA512 9808f048595764735c1274d92da85e16ecf820aba2bbd34a997222f88bd124450e9322eeb2ca2e5f5745dfe0f04b9800a857e8acaaa1c41c7dc25642932df13e

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\@kosmostarsz.exe

MD5 6a787a34b097237f3739f08be4b3e39e
SHA1 d979dd7c02d80677c30315d8c58ac0cdf29960ad
SHA256 3c0d90ae7ea976edcf777dcfe4e89b9b44b3c6a9ae3a07c06149632f75f5bc42
SHA512 01fa4e74cb48e085a20bab002a8bdeea42007ad415b7b6682efd28649ec3f5dc62c893f4da036a5838ef6a37c77900fe0a26052d5bc47be606cf495e262d5b15

memory/2120-78-0x0000000001050000-0x000000000106E000-memory.dmp

memory/2120-79-0x00000000748D0000-0x0000000074FBE000-memory.dmp

memory/2120-80-0x0000000004C20000-0x0000000004C60000-memory.dmp

memory/2120-81-0x00000000748D0000-0x0000000074FBE000-memory.dmp

memory/2120-82-0x0000000004C20000-0x0000000004C60000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-13 20:26

Reported

2024-01-13 20:29

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5956d4f7e7ee67784eb1144040e52b5d.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5956d4f7e7ee67784eb1144040e52b5d.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4364 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\5956d4f7e7ee67784eb1144040e52b5d.exe C:\Windows\system32\cmd.exe
PID 4364 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\5956d4f7e7ee67784eb1144040e52b5d.exe C:\Windows\system32\cmd.exe
PID 5012 wrote to memory of 2300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 5012 wrote to memory of 2300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 5012 wrote to memory of 4464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 5012 wrote to memory of 4464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 5012 wrote to memory of 3868 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 5012 wrote to memory of 3868 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 5012 wrote to memory of 760 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 5012 wrote to memory of 760 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 5012 wrote to memory of 3320 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 5012 wrote to memory of 3320 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 5012 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 5012 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 5012 wrote to memory of 4120 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 5012 wrote to memory of 4120 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 5012 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 5012 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 5012 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 5012 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 5012 wrote to memory of 4696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 5012 wrote to memory of 4696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 5012 wrote to memory of 4320 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe
PID 5012 wrote to memory of 4320 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe
PID 5012 wrote to memory of 4320 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5956d4f7e7ee67784eb1144040e52b5d.exe

"C:\Users\Admin\AppData\Local\Temp\5956d4f7e7ee67784eb1144040e52b5d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e file.zip -p___________7524pwd5130pwd785___________ -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "@kosmostarsz.exe"

C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe

"@kosmostarsz.exe"

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_6.zip -oextracted

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
NL 77.220.214.232:13459 tcp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 183.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
NL 77.220.214.232:13459 tcp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
NL 77.220.214.232:13459 tcp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
NL 77.220.214.232:13459 tcp
US 8.8.8.8:53 udp
NL 77.220.214.232:13459 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 77.220.214.232:13459 tcp
GB 96.17.178.180:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 74.239.69.13.in-addr.arpa udp
GB 96.17.178.180:80 tcp
GB 96.17.178.180:80 tcp
GB 96.17.178.180:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd

MD5 1d7b05e211d49a88d01c05889b868722
SHA1 75a005a63c322ffc539a8580eb7dc88fe8f06a76
SHA256 34be809068ccfee8ec7c49787034ad5b16bbbe98074e797cbf4bc07d71484487
SHA512 b1de87bc31eedb8ae7dc08ba43b8db4334610e7af84f31ea4d61aec9946f4f3b35f0d312582d490c636c0ebb5b4747e8535e87fa00ed67949558075009efc2a0

C:\Users\Admin\AppData\Local\Temp\svchost\payload.data

MD5 0aa81c8e040ba6aaf6c0b0ed4b41dd39
SHA1 1834993aae92cfc643d45791a036d7b11235ea8f
SHA256 e98211a17028c5a1d7fd96b2bf2b30843335fa87d7d2baed52c583061a2ecf31
SHA512 1ebcc4dae791623905330eca7d0bb847d1dbf7f22d298d84919453930ca89aa35c4331a8c88429dc86403da8ef627f8c9240e88b7b43c33eb195ea82c4ec6103

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 17449cf312563702700ca13925f546df
SHA1 735e0d249c9f3cddfb84288e25d0027567eab5d3
SHA256 428707fe99de202cb8e9343f1e9b40e3feb8d0217cd33d5b9269eac2ff5fcfb1
SHA512 6b5d866bc6b25dfb1a19caba91c6436dfbc2344b7deb61ceb0a058281fc15f90da4a1a8c70405a4d6fb9b0d8e96fd9e352b81b4990609a30e5cb9a728b5a7c65

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 aabf2342fbbd5cfd999aae351ec2fe21
SHA1 bad5a3306830d911d1c65fa77fab656db366bfb9
SHA256 e06e4fe13ed36e122ff56f4b95089786bbad844bc1e945cd3c723726a978d9db
SHA512 24b17323bcf239ae75fe6f3076e5a5ef6c75ad58a5ed2b424c75c2bfd1b66b8c087a85acaf6093d69514340b058b0bd9b81c100eff7ca784fe0ce5c332594470

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 ebaaaed537bf78c4b96c5fa4799e84b5
SHA1 efa5b609c4bf09337a37a41c424c48bc69ae857d
SHA256 faf1c25432b3df909ed5727f4f6ab089524b3a986eb06bd8a359f31d5b16a181
SHA512 7d48ded85adb591e12b3dfcab9c93d325be0a641346bccc41f8871464aec2874aff9c41aba53e506c23c4d60084550dc53b56c14c1b3d6514640cc5f6c0957f5

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 60dd51a113f7c59c8cb7d975fb3ce1bb
SHA1 7c166c5ecf691d51e8fe468ef5420dd3535fff4e
SHA256 7cb9bc7e35613fbbd5cb8cae2566d3ab6d0192e9d25b1658b084f4c69965bb9a
SHA512 883dc6d532ae0e3e951685a1c55a673928b58768d44c64baabd7d4c464417987fc42a57e5b1904d06993784ff53c96e9602f0a97196bec1014319a3eaa813dfd

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_7.zip

MD5 8351001ec8738c0b2bf81f8b5ac3c5b2
SHA1 d999d1b6e342690a26426e81bc42b5edfaf8fabf
SHA256 d9cd94025fb45aa96c01dde44be87059814618a9e907e31306507e43e969867d
SHA512 60792f919bcfff0a5b31a1be8101ec70e9d12a8305ad7a9dc2e565bd4a0c87ee88e111fa5161e840733ef2a0c6e3e1845079c3988a558fa90dc52159da80e3df

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 e8a4c9de0f949d04ee235e540e4ac709
SHA1 901016b16e2fb0c9cf60957b46307e2130fdee68
SHA256 fa285f77e9883ab6b852ac41511e4da5059b4f8849551c2ed5ace15b9272fa4d
SHA512 2df8e89c925e2de8516bee0bb4c2f9503b572cc812362f6358acacf5456f9f0ac6ee330f609bff7c1601716a9d216b49fd33c9d2ea5033331108d4451c83ae43

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 a020df2cca4d6b6c9310b93041ff3bcf
SHA1 690b31ea15015f6927c29b3c4eec05e3f238cea7
SHA256 a78107ee7e531829793cea070d4dd1147e55ac094c11650253ed3f29310c92e7
SHA512 916ff477051c03fa50114d0f6cef98d34f5ab9234f8662d956b5fd1475a4bd7947e1067a55dd29263324dd5fd24dce037286cff8160feca079fe0d458741e7c7

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_6.zip

MD5 b160972741741f13ff1a675cf5f90189
SHA1 d04a6d2bc33e95d9c7ac1996f3d755e0b018fb7d
SHA256 fcb40b104e234ac18357146d87b2a5089e5a9cf0194c1e8405cca0338fbb2b98
SHA512 739eba6788194368f0abb5050800bcceea82f5c17162de6394743eab4d286b96226a874d37f54e0d486812ee29ccc95909df9238746c8c025af0c46efd14926b

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 06e89058c666c455057603a09d5d29c3
SHA1 011e7f85f637472653807e6f586bcde571c33cf3
SHA256 243668a94daaa6bb247589cef5ed29249841d01dbe7655366404264492181569
SHA512 7a68a8ecaf6b9cddbcd500c78fb0f9b8c360f0086b43a5e5a2806197c11a1e4888a34be9dcb938ca59357da0135c15738e2906ba035d33c820dee71014e6cb9e

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_5.zip

MD5 11ca0d3ad67ab953a087c784e55359c7
SHA1 ed0afd402a62f50a8c45f851acf44c40843a2cc0
SHA256 bc3e6da2f38eae41d5e72d2adc22af21d087d13ed53866ab63c5a2dc5fae6b09
SHA512 64a8feda34c6f7151b94532f374d7740d0d4a605df1807248b7aefc5e6e963d2b6c7484bba4e737d13b0c9c76bbb3e17137633a30a1c1ae5628247965075c3ed

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip

MD5 4bdf4e0eccfb4b953a4a882a12cc8128
SHA1 3402aaa7c349e8211cb5a14cc9e84e4496b2d61e
SHA256 c3cd186249147de119c1944b4cc9416ca94af95ce4505353ab50dac54fb8197d
SHA512 6ba178fa8cc97a7181c0cb667dda34a2d848237fc30f9f5932dfe12d3c61fa238c5602416ea285bcecaa2684c1c9804fe8d1f364521c3c76216b7afa99379718

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 cd18885674529ab83a18279a060c3f37
SHA1 bfdcf9220f26ba003fc2d5c0ce6b13ed5df3608e
SHA256 bc5d3ca9dd4e302696e34c4ff74382f86fcba451ae874aac6288b24ad4ab8bb0
SHA512 b2a8c6da262c829b6ae360f6187fde3cf4a56efe72eec1ff003e379cde66010e1cd7b529ed4ce5f8df8b1eaff119178fc2974d6c3e03873e52594920537c2e76

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT

MD5 ede0e34c216d4cf7edd87eb5efec2430
SHA1 232942a370e40a83ac88ca2ebd224dd02aa9814c
SHA256 596a6ef55bc229719082a7170b01fae3a1ca4e5f65b03a1142929d028f6c48c3
SHA512 976e9f834f88d8683af147c5e74a50811071e0476fad79c65f9df795dbaea615d5e4ffd1379c1a46095a262630397f017722f8c366729c3a7b5824e07a17e890

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\@kosmostarsz.exe

MD5 6a787a34b097237f3739f08be4b3e39e
SHA1 d979dd7c02d80677c30315d8c58ac0cdf29960ad
SHA256 3c0d90ae7ea976edcf777dcfe4e89b9b44b3c6a9ae3a07c06149632f75f5bc42
SHA512 01fa4e74cb48e085a20bab002a8bdeea42007ad415b7b6682efd28649ec3f5dc62c893f4da036a5838ef6a37c77900fe0a26052d5bc47be606cf495e262d5b15

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip

MD5 35986967c70d3d917dcc7b48a3333f70
SHA1 17b5eb8f675308ab196c507ac31515604b811d1a
SHA256 a01fdedfdbcd10210b3f32cffbcb6e8592ca1a0fb1ff15517ea668380eab2a0a
SHA512 6148ddc6f69deb17d4b84ef14a3a6e43b75304f2b1bb0498fba8a4ae666d753eda602e10d6017c044e0652cb32acaa4715339666d1f39bf04a80b6ae9b70d46a

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 2be7829ce2c94d82a3840936c985e81a
SHA1 8792abd3d1c89a065ea4e3b1e9131c327bc36328
SHA256 39b6cfcdc4eb80184ea56ea685fce4328cc402c09f7acc0b244f5e9ca9952696
SHA512 783280b3fa62e4fc6ce362cb4ab7190cd4b568dc2306ed7560c07f894ed71d221e36608b20d7f5f8a682e8dfdfd7e5cc7defe8b3093d88ef9ff8829f4860d0a7

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip

MD5 fc947be1e2936ab19132b0a2e9273cf1
SHA1 50d59332ec8878661eba457a90e93bff6342c035
SHA256 128a5605da18aca664deed7059d24e06bed6d7e28e30c8a3e35af7d2322dddcf
SHA512 80d80e8c63709f7bddc9f1297e41eb6ab8e0647709893a8e434d5657dc6879e5075a5082d345c46c3b111ce70492adb00833d60e8e3bb4915eb26da0189c8248

C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe

MD5 39aa2a315408cfbbbe49883a518ba2f0
SHA1 478935da3ccebd9ce1e8197aeb914b4d267f2af6
SHA256 db7b9aaf29da71def8db2f1fa7beddb8c478e435053de710c53a7f4904d95061
SHA512 65ea338501bb7926bfd558a26ab8bea772b10cc74a89b3d63b6184494b2437da3a6d3ae4da54188cd518e75177ab0f960acb60ff68847db6c4f1cd316178a3cc

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 571a840491869137a87a7ac0a7e0524e
SHA1 f63881a331fa2b33d610356e0f10b083fa02e177
SHA256 7b2b2afd3320b8eded5127853160ace90e0dddb061bafaaa1c678cfc63c983c8
SHA512 89ee0748639fe894b8cae81170e8eee73bb78e049e5e03dc16abf018cd5fecc18467dd2c8bbb9427fce2f2e2c5964e91fef40128c51dbeb63dace2620b1e8532

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 54c131cde7d4fa79a7e68cd7328475ed
SHA1 2fa0f6c0bc12baa1736140b3af5ae88a0b176c6d
SHA256 8322a11134a05b75331f6eb8532399e13ec302a280a7005e2db8aa3084b73ddb
SHA512 39067f6bf01e49662ff9ed91273eaec8c0ccd6c0ecfa80a320fbf31d5d11a5da1d57a85d2171e435a9d1dae87abe980e15fef8a257d1de6f1e756d560d5ca3e4

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip

MD5 4f9d323b4010c4756e7c23e00c016f04
SHA1 0720ab2eae766221e9073070b3512210dff14775
SHA256 cafa915ce9cf8a5857941066caf7799d877d9a5d55fde72dce059c7dc74537fe
SHA512 216a9d08c418f1c115199e0d4c0ba0e62ca05f4f15e6d0ac6cfb89b9c9c32bc286333031492fa00423e141311d4cbc1d9ff861e4d0865554b994cc7edd83db7d

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 09b2481338c7830b1a200a328ec05692
SHA1 5c73508ce2ce02d4f376336f9268af6f8150d81b
SHA256 d702d677e797510d04bae289540c2e3cbd5e412d776f0548f1bb6a02a8dfdc6e
SHA512 741b8be92095a67b2349420bb391a323e1f77d4d105b42fc8c609e3ac15e572fbdaeee088510724700be42569c892710c86266984cd4ba7307eb5bb4e0e13e7b

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 607471b7dd28d862af3d0c2311311ad2
SHA1 c4ddaa39f442badf1ce87802ec9b0616b2e3bad1
SHA256 f55b90c22d34539af3950f251938dc7e531a1cbc1ccbf52944c4eea7cce97386
SHA512 2e65dd35a29a81dc582b8753bf0d7f730b493d19ae1efb8e6480b81fdfdf8f40d6598a87241787f69816e2993cbec9dba34af8765804002a2c229d8c53779ca5

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 794ac33482582da0a5c73c23105f0353
SHA1 63a20d342a71ac3bcb40b690b0d80cef2c2274a4
SHA256 e624e3731efaf44dc46066a36041f86cfedad076114b48f77ca3002c3ff283bf
SHA512 94428282c30b131d9e5e83b1f2ab570b894484f4c237695f2b6985fc0f8c57d7abc15bae9d598d714b7861ec00c108cd67c72e45b74c3fdc69b74b6c6a04b63b

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 ada9331f25ee68f15b29de14bf381da3
SHA1 a75bfddf8127cd4bcc6006ad5a6476f68014029a
SHA256 0944552cd52987e24e06e1ab812014cf2f7061b7e8470346500b707ea6a44a8f
SHA512 62ad31209a71bd22998cea0c17fce59bea92ffa742169d1d59aa8c0508dc1694dcc97c000799d9a11a1fa89b107b69fd65889de66c05f67e07ee4948398bde90

memory/4320-66-0x0000000072FC0000-0x0000000073770000-memory.dmp

memory/4320-65-0x00000000004A0000-0x00000000004BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 8e22d1cd637cfa265080e9e934215bcb
SHA1 8536343e75dab2e6addac7cfb821d32bd92bd93b
SHA256 d16cbd6dc52794496e6a6b4dbec85f42a62591c2e07c3f9cc6baa215771a427c
SHA512 3fae3e7ea464fe4d1e6a709aaffbc13b196b4501e7d1ac1ce69e59933b4d7358ef01f27064111862e2deb315d257cb9c8d1de5d5bbb67ea3c3e42e36c17cdc25

memory/4320-67-0x0000000005360000-0x0000000005978000-memory.dmp

memory/4320-68-0x00000000027D0000-0x00000000027E2000-memory.dmp

memory/4320-69-0x0000000004D80000-0x0000000004DBC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 6081a041416699f0606424a86a827abd
SHA1 5a766d99e0ea0b789cdd3ad49059ce512a8fc02d
SHA256 0935ba31283d4125f392768c9210789188e51b2c634789526341d25b26647b84
SHA512 e2926da67fb45a580b8509567480203acf01bf1c5dfebd783dc30b064a864ac3d39ac1052d6ecf3eab975c53872586ce0e7ae5de69e4c3350430fce14592fd1d

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 272520df89b16371b2de80ae861ce4d4
SHA1 af41a73613ec1c68f276bcb40ff88315feedc899
SHA256 6f940e74a901825053ec6176d86d9bfa61a0fee626f16e49839786078000bb10
SHA512 ed8ea939ca81c8d697d5ce1accc2ca6789a521284c94f352d2e952df8ea7c25b55e6b21ee26db9ddbafde91a711635d6561b9f9aaebb3bca6f7d5a7b071fcf25

memory/4320-71-0x0000000004E60000-0x0000000004E70000-memory.dmp

memory/4320-70-0x0000000004DC0000-0x0000000004E0C000-memory.dmp

memory/4320-72-0x0000000005030000-0x000000000513A000-memory.dmp

memory/4320-73-0x0000000072FC0000-0x0000000073770000-memory.dmp

memory/4320-74-0x0000000004E60000-0x0000000004E70000-memory.dmp