Analysis Overview
SHA256
3bd79a5e14e5c1d9d33230d737e40c877c1bcf5eaa750fbf15eb9791b88a544c
Threat Level: Known bad
The file 5956d4f7e7ee67784eb1144040e52b5d was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-13 20:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-13 20:26
Reported
2024-01-13 20:29
Platform
win7-20231215-en
Max time kernel
135s
Max time network
146s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5956d4f7e7ee67784eb1144040e52b5d.exe
"C:\Users\Admin\AppData\Local\Temp\5956d4f7e7ee67784eb1144040e52b5d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e file.zip -p___________7524pwd5130pwd785___________ -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe
"@kosmostarsz.exe"
C:\Windows\system32\attrib.exe
attrib +H "@kosmostarsz.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 77.220.214.232:13459 | | tcp |
| NL | 77.220.214.232:13459 | | tcp |
| NL | 77.220.214.232:13459 | | tcp |
| NL | 77.220.214.232:13459 | | tcp |
| NL | 77.220.214.232:13459 | | tcp |
| NL | 77.220.214.232:13459 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd
| MD5 | 1d7b05e211d49a88d01c05889b868722 |
| SHA1 | 75a005a63c322ffc539a8580eb7dc88fe8f06a76 |
| SHA256 | 34be809068ccfee8ec7c49787034ad5b16bbbe98074e797cbf4bc07d71484487 |
| SHA512 | b1de87bc31eedb8ae7dc08ba43b8db4334610e7af84f31ea4d61aec9946f4f3b35f0d312582d490c636c0ebb5b4747e8535e87fa00ed67949558075009efc2a0 |
C:\Users\Admin\AppData\Local\Temp\svchost\payload.data
| MD5 | dab78c860a4e898033cffa46bab77d0b |
| SHA1 | 60daffcc924b6fe66a1634efa8bcedd03aa9c5e3 |
| SHA256 | fd626d3c4f0668b5590fa0f68474cea51c50ed364ac442923801ff24d2e3beb9 |
| SHA512 | d84d8c3d9191174a181b79d83bc8e609f33647b5a75fd43a8997e8c9c4dd5eec2ca0da0fc9de856953ae88c480ad7af932f23ae5d278db8b78416aafc27ff8b6 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 639b42fe74d1b9b9989be4887d370785 |
| SHA1 | 41d006f208d917a85091da85c27887585d0cc3bb |
| SHA256 | c85fb09843feb4bd942432d89c06a8069efd47fd230f3986cd59d4f37236b6e6 |
| SHA512 | c7a50fce1dbea123eb51e25866c7718a52d8fe7a4e7416eb7a0ebc132ada0a26ae0ff7ed92665af1b5d4e9e1c94d9802f1d680122ff560594233814b516ef596 |
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | ffc1cfead036a41f424c4425db0d4131 |
| SHA1 | 8f6daf42f933f6a485f94b4c4ea3a7a2e962a787 |
| SHA256 | a660560703b906c5087d9a95d85d70c58f8c936133f6d60c398ea33c326a8e8f |
| SHA512 | f6255f1e89e3eca5db954cda9f19952c3b1366bff627c11fbf75c771095cc16e0eef16a4378c35798e79802d9083fd15f51e72b9b00d59be86e3d7b216469618 |
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 100b6ffe902fca3bab65c4e6b336507d |
| SHA1 | 078faef7667455ec9e67dd82a837eb6f9b12e046 |
| SHA256 | 61c889b29257fba4555011ea0503ea729f21834f967dca748ab2f657160b69e3 |
| SHA512 | a5925911412b1201623103b0b15d6b3ac9db1893427e161db5382f815cae5104aa2391c82ee6a30010295d9ca421a300140bfde3adf54735298ab52aab19caba |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | f19b29a2c96a75b1ca888342b63a40bd |
| SHA1 | 8b60db9ee487c901811c2caca19dc9b2fcff30cf |
| SHA256 | 20b1089fbdebc2cc0c313396390445ab2f7eb36b83dc141cfecaf120a97e4832 |
| SHA512 | d5d9bee73f22042e12b0e3ded9120d771c9a71c236a8f4e82ffca52a57b539ce5e113b3374c71de3cf149c41d0500c1142276288c21487d9e23c5d9e2f0d7b34 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_7.zip
| MD5 | 57549ef135b2a0a56ab61585e99a295c |
| SHA1 | 2c1c72a42803f8e9dc45877dfd34e4b8ee2f714a |
| SHA256 | 1fd677ecd856fed73c5f3e8ef73223377f07929afce84c11fe9aef0113819d15 |
| SHA512 | 528038d0dd5cda1153fd27437bef87bc9d1b319afcc7d9e49b2a9e5342bcd4562ea3ce70d1e080befd49352b1271939919f755502ce4344425b578c12e6054bd |
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | df3fd879e7af9873cfdfedac9f92f937 |
| SHA1 | 2ecf247a1bb715aaa1b1fcdaa347c01c112a8510 |
| SHA256 | bd4c7f64e622af8f101919a872fa19103fcbfad51496b7cbb586d786476bb353 |
| SHA512 | 08cbbf0fe2e00fc14e528f732ada2acfdcea3908031e559a70a8f681248f1d277faf4ff06e9c7ab818e71a852c41ad7fd9f62b22af15e9703e051c581c38e239 |
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | e859ec806349adcef0480e2587a020f2 |
| SHA1 | 9b8fbd42f4c75670f2dbde3a66112bd37822942f |
| SHA256 | 5167f8103d7d6dd59470a7f76e38e4081948a312eed503428340e80eb449b92b |
| SHA512 | 507e6bce9c0ec6dbd5ef626a5d677d0ba45f04b56a34e28de7763529e53bd466cad812da4bdd944c8d4aadb9b4abcacbfe05adc8faefca6aca1c5d0132d88d70 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 257a35faea770344444e3804cc3081f2 |
| SHA1 | 5ac700daa72484aad19fcdb40a6cdb5d402f94ab |
| SHA256 | 26e4419a350e9a420f10a37b059063ca76b96f8a88eeadb0ce82ef8503671c10 |
| SHA512 | 7564b8c8a55ba696a949ba7d7acc5c4a53068e2ef01419d01f4d326d96bb69b8f193addba1fd534225c4c9b4f752176f72bc11b4154bea3a7d7daae751627821 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | a2eccc168c34ee2fc6ce60874998b595 |
| SHA1 | 693d6b62053216ac7c93618bdb501f87d66bd861 |
| SHA256 | abb205e3e1836637de6408b48b8230e205b8f7844def4d45a45bba54f6c12c63 |
| SHA512 | 4cf5a29e7ab92c76df43ef7683c1aca92621af1f8571c1d7332fcae41c23e4941ef28cb278999ed5f1b120a9994364db4e52bb324a4dac347fdd4c2a1444789f |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 0314869289a38fa4b16bdd3ec253f92c |
| SHA1 | 4e513720f5ed58b32b962d33295a81305c42a851 |
| SHA256 | 2988c1621b284a40a1c039946018f14374578c9624cf603c97b63b578428e91c |
| SHA512 | 0a9e7febeb2fa16f927b5075b001fbbb4100d3edaa13dbd08bffa8ad20c0b5bb2d37504b3517990150bb8d13cc7ff95776e93556f522ea2d0745f54ec2da401f |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_5.zip
| MD5 | 11ca0d3ad67ab953a087c784e55359c7 |
| SHA1 | ed0afd402a62f50a8c45f851acf44c40843a2cc0 |
| SHA256 | bc3e6da2f38eae41d5e72d2adc22af21d087d13ed53866ab63c5a2dc5fae6b09 |
| SHA512 | 64a8feda34c6f7151b94532f374d7740d0d4a605df1807248b7aefc5e6e963d2b6c7484bba4e737d13b0c9c76bbb3e17137633a30a1c1ae5628247965075c3ed |
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | a38db839b3c07fced8999e27d0cf1f8f |
| SHA1 | e102a4ed6d808d83583f4a8cdde3b66995166c49 |
| SHA256 | 26c74029c7d211eef4934736f30440b9c19c4cf00d34c985c3638e3b4e8177e9 |
| SHA512 | cead54ddf5524ffad5eafff65fe264a0993a91d535e2220ef32218dd1562455daba2b5126b95335b229b7f51d23128582a516fe6a7871ef799ca2387162b2541 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_6.zip
| MD5 | b160972741741f13ff1a675cf5f90189 |
| SHA1 | d04a6d2bc33e95d9c7ac1996f3d755e0b018fb7d |
| SHA256 | fcb40b104e234ac18357146d87b2a5089e5a9cf0194c1e8405cca0338fbb2b98 |
| SHA512 | 739eba6788194368f0abb5050800bcceea82f5c17162de6394743eab4d286b96226a874d37f54e0d486812ee29ccc95909df9238746c8c025af0c46efd14926b |
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 9569cf4c3298c4adb84fc33a932282c6 |
| SHA1 | c57dfc5aa30ba4a2f2b0064ccda4cd52d5dd8194 |
| SHA256 | 7fd7537b1cc83446e837b6f8c61dfecff6ce623828bb712dabd175c459beea4a |
| SHA512 | 67b8d2ef187a0be623f37a867c0c9565ff1fa8671690bda5fdefb27710291f65702904cc97b979d7bfa3334226781f2ac70176cf53f192b25b4c706b5d223ef0 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 23dcdba96e5dfefe9b8150fdd7ffb853 |
| SHA1 | 845f3b12e40ca218a0f4bff9d02a76f9dc74adea |
| SHA256 | 45c0eea60d8ec57da2a920b45276c8100ff8bbe7a22240398935a7252ef1075e |
| SHA512 | 655583f558e6df94570c704a1cbb41f94f0ac9c8066b5f42b9e4dd44516570c8515fbad94a62386ff7850e55565e6fdcf64c7776dd0697985a770a73ef28ccb4 |
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | dcd4164e190536fac877e3bb16c73ebe |
| SHA1 | 71e5f928a743071a85d32f8ff11950fea28b7a4e |
| SHA256 | 29e5db116c95a5e281aebf6a88177c0cf712ccf0162230450c44c5ec17d60836 |
| SHA512 | 9914b69a8d01f694a204c5832c893050f40ea315391a10bcf15cf2bd8a1da08f36fea3edb077060d79ec363d94198efbeb8f6f3b7b603867d1ebca17c3c0de51 |
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 3877dc074925354b86d83610312bb695 |
| SHA1 | be2d994e60a54492fb73b21fdf7734d8a004b6ab |
| SHA256 | 22c63ad845f65278fd099817c4a50f69224f68d100916f4e898dfbd48a74324e |
| SHA512 | b4c0a32244b2eed759354f01fd665fdea585f44625e3f59bc3167eb5f5cee95c168cd1bbc185ff105c7a76747246114234ed3dc9dad0a258c545f8fa24cadd16 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip
| MD5 | 4bdf4e0eccfb4b953a4a882a12cc8128 |
| SHA1 | 3402aaa7c349e8211cb5a14cc9e84e4496b2d61e |
| SHA256 | c3cd186249147de119c1944b4cc9416ca94af95ce4505353ab50dac54fb8197d |
| SHA512 | 6ba178fa8cc97a7181c0cb667dda34a2d848237fc30f9f5932dfe12d3c61fa238c5602416ea285bcecaa2684c1c9804fe8d1f364521c3c76216b7afa99379718 |
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 189002b15cf2c89daaa3146f8086518c |
| SHA1 | e2f692f11aea5926ca45ccd346be5c377c9d2d44 |
| SHA256 | 778f6e656d04a21d81ce716d93170110e646a63f53183b6d79d25417aa114fe6 |
| SHA512 | b8467aba9c02a19170999619162791cf8fae897077edb3510979f161c0337deab714ede6c20b11d323b2a6442ced9078213b3654c2f4ca43b0e2f6066d4264c3 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip
| MD5 | 4f9d323b4010c4756e7c23e00c016f04 |
| SHA1 | 0720ab2eae766221e9073070b3512210dff14775 |
| SHA256 | cafa915ce9cf8a5857941066caf7799d877d9a5d55fde72dce059c7dc74537fe |
| SHA512 | 216a9d08c418f1c115199e0d4c0ba0e62ca05f4f15e6d0ac6cfb89b9c9c32bc286333031492fa00423e141311d4cbc1d9ff861e4d0865554b994cc7edd83db7d |
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 96f14197a7d4156e9b99864cdf2211c6 |
| SHA1 | 1effe1949879bca83aa960a00aa0f3bcebfea7be |
| SHA256 | 17f98dae05b5542a93ed3c861ddbbf47d41984f4191be3db3743eb001e02a64c |
| SHA512 | 52c1da4b2ad74a5f83660512d3022869906794ea95ba37b18851598a4f5bd69a62e1a287d240895219e2405495190171d0d7d4ba4ffc097f90aebccd89eac611 |
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 892cb5b2e95b4d80e48af7c25e7670ce |
| SHA1 | d4d522554f7a2ea1b0373ad26ab0ede9f5660ac8 |
| SHA256 | c2fd055b92e3b3741d46c5737cace1d84b5158ced305e9f5cd3ad9b6c9bb5a1d |
| SHA512 | b5a4e3585efd06ca83fa46cf00237e6b2c92e6956826162cf2db1d045c1b1983a860d91dcbb927aa5dbb51c59715b2befb3468b4b4bdfb55cb80d006795cc3e9 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip
| MD5 | fc947be1e2936ab19132b0a2e9273cf1 |
| SHA1 | 50d59332ec8878661eba457a90e93bff6342c035 |
| SHA256 | 128a5605da18aca664deed7059d24e06bed6d7e28e30c8a3e35af7d2322dddcf |
| SHA512 | 80d80e8c63709f7bddc9f1297e41eb6ab8e0647709893a8e434d5657dc6879e5075a5082d345c46c3b111ce70492adb00833d60e8e3bb4915eb26da0189c8248 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | fc966582808e62ad9b68a7628e461015 |
| SHA1 | e2c7693536eaae63c821910979f541e004fbeda2 |
| SHA256 | 0baa6a399f4d5830a0cb3c4e7ac56b7936d9732514cd29a483dffdb76b5db935 |
| SHA512 | 29eedfee4a24dc0035a2e425b93dd02926ee07d23936f4b3071b8ccabc93bc9989782a3429b20734440f656be6e37d078d5246ad3fee0bc429b231b22e6ab5e6 |
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 6cca6db337dc2a6e137cb5694e1ddf37 |
| SHA1 | 173d7d8f41a4828c271ddeba7d41564ef0b1859f |
| SHA256 | e435711c2c0f0920022eced854a79e84c678d387fe60c6280def899588d8b156 |
| SHA512 | e7970350c475a6a65cf30e679055b5d1c8533717e7b1d8cff375012c6596440929c3f87c88edaa48d2ebf614263d7afeb0137037ecf30c4d5a1764e7f19c1cae |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip
| MD5 | 35986967c70d3d917dcc7b48a3333f70 |
| SHA1 | 17b5eb8f675308ab196c507ac31515604b811d1a |
| SHA256 | a01fdedfdbcd10210b3f32cffbcb6e8592ca1a0fb1ff15517ea668380eab2a0a |
| SHA512 | 6148ddc6f69deb17d4b84ef14a3a6e43b75304f2b1bb0498fba8a4ae666d753eda602e10d6017c044e0652cb32acaa4715339666d1f39bf04a80b6ae9b70d46a |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | a4614dce9bc261316b22b702b8fbed71 |
| SHA1 | 74face98c023c93740cfcbaef480be353b46baf4 |
| SHA256 | d219f4e62276fbf6b43229b37e8a68e26bc1f782967ac4fd46f01b47553d401f |
| SHA512 | 30920357c94519b6140a3e598e1d17f73e76846fb4e70fdb14c2b36023c2332dfcc0bc09939b689bf40882ea9c30649a856a24b1b9c43ba6d1392f5d0cf9201c |
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | e45e4bf963b7bb8bddc7f14af3495a58 |
| SHA1 | 0c49074585c3085b5ba3f42f6439848d0cfb13ed |
| SHA256 | 0c4fb7ae68ed66d78de63ee39fe4c8c2c3e2f3298ef8b48f74aed5419264c4b2 |
| SHA512 | 0061da7dc3130b92ca6a0c8963aa18a2ae2b9fec984c0d3b38c7f0b5e88700e654f35b37eb761dfcda2f7624301d87678ccb32fabcc722f5ab4a9dae65bd2248 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 02068a80d865e25d6b60acd998b86174 |
| SHA1 | 874e677405022c00587a012fb3c5fd88c139b45c |
| SHA256 | af50ff6b99cdf11e67974f60fd63d28605d2c1aad468427c6dae6bce71f9222c |
| SHA512 | db6a05b559bd9172f4af8c1e4c760946b80a09440a3751ab95a7a5a901cb58d9314b6d23a7a4794b66e18aaa7c4441298ae4b7817894a0f92ea5eb7d8ba73111 |
C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe
| MD5 | 517ca6dd37372fe69c530d732275148b |
| SHA1 | 44f921635977d110ee44f76246bedfcf94da5e37 |
| SHA256 | ec1957656723a8674237848c6ad4551d35b4cb00465dc337dfe1ce2a8abfaf81 |
| SHA512 | c49a699264269f9dfce6d33e7ef98769c24d55da25cf98198a2e86d1f2b93e2130589eb7b44140bed4faf414cfe72e7fa46d68d2ef582b221a77c4eb44ffed09 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT
| MD5 | 0cb6104aebddb1aef009b9c8ed6ded94 |
| SHA1 | 2a8ef9c593d27ca19ebb53daffc0cc8295ca23bf |
| SHA256 | b8427869a2a80e6ee0264e02e2aa60d360d998958bea998ea0313d2b0697b13a |
| SHA512 | 9808f048595764735c1274d92da85e16ecf820aba2bbd34a997222f88bd124450e9322eeb2ca2e5f5745dfe0f04b9800a857e8acaaa1c41c7dc25642932df13e |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\@kosmostarsz.exe
| MD5 | 6a787a34b097237f3739f08be4b3e39e |
| SHA1 | d979dd7c02d80677c30315d8c58ac0cdf29960ad |
| SHA256 | 3c0d90ae7ea976edcf777dcfe4e89b9b44b3c6a9ae3a07c06149632f75f5bc42 |
| SHA512 | 01fa4e74cb48e085a20bab002a8bdeea42007ad415b7b6682efd28649ec3f5dc62c893f4da036a5838ef6a37c77900fe0a26052d5bc47be606cf495e262d5b15 |
memory/2120-78-0x0000000001050000-0x000000000106E000-memory.dmp
memory/2120-79-0x00000000748D0000-0x0000000074FBE000-memory.dmp
memory/2120-80-0x0000000004C20000-0x0000000004C60000-memory.dmp
memory/2120-81-0x00000000748D0000-0x0000000074FBE000-memory.dmp
memory/2120-82-0x0000000004C20000-0x0000000004C60000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-13 20:26
Reported
2024-01-13 20:29
Platform
win10v2004-20231222-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5956d4f7e7ee67784eb1144040e52b5d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5956d4f7e7ee67784eb1144040e52b5d.exe
"C:\Users\Admin\AppData\Local\Temp\5956d4f7e7ee67784eb1144040e52b5d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e file.zip -p___________7524pwd5130pwd785___________ -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "@kosmostarsz.exe"
C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe
"@kosmostarsz.exe"
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_6.zip -oextracted
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| NL | 77.220.214.232:13459 | | tcp |
| US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.179.17.96.in-addr.arpa | udp |
| NL | 77.220.214.232:13459 | | tcp |
| US | 8.8.8.8:53 | 201.178.17.96.in-addr.arpa | udp |
| NL | 77.220.214.232:13459 | | tcp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| NL | 77.220.214.232:13459 | | tcp |
| US | 8.8.8.8:53 | | udp |
| NL | 77.220.214.232:13459 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 77.220.214.232:13459 | | tcp |
| GB | 96.17.178.180:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 74.239.69.13.in-addr.arpa | udp |
| GB | 96.17.178.180:80 | | tcp |
| GB | 96.17.178.180:80 | | tcp |
| GB | 96.17.178.180:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd
| MD5 | 1d7b05e211d49a88d01c05889b868722 |
| SHA1 | 75a005a63c322ffc539a8580eb7dc88fe8f06a76 |
| SHA256 | 34be809068ccfee8ec7c49787034ad5b16bbbe98074e797cbf4bc07d71484487 |
| SHA512 | b1de87bc31eedb8ae7dc08ba43b8db4334610e7af84f31ea4d61aec9946f4f3b35f0d312582d490c636c0ebb5b4747e8535e87fa00ed67949558075009efc2a0 |
C:\Users\Admin\AppData\Local\Temp\svchost\payload.data
| MD5 | 0aa81c8e040ba6aaf6c0b0ed4b41dd39 |
| SHA1 | 1834993aae92cfc643d45791a036d7b11235ea8f |
| SHA256 | e98211a17028c5a1d7fd96b2bf2b30843335fa87d7d2baed52c583061a2ecf31 |
| SHA512 | 1ebcc4dae791623905330eca7d0bb847d1dbf7f22d298d84919453930ca89aa35c4331a8c88429dc86403da8ef627f8c9240e88b7b43c33eb195ea82c4ec6103 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 17449cf312563702700ca13925f546df |
| SHA1 | 735e0d249c9f3cddfb84288e25d0027567eab5d3 |
| SHA256 | 428707fe99de202cb8e9343f1e9b40e3feb8d0217cd33d5b9269eac2ff5fcfb1 |
| SHA512 | 6b5d866bc6b25dfb1a19caba91c6436dfbc2344b7deb61ceb0a058281fc15f90da4a1a8c70405a4d6fb9b0d8e96fd9e352b81b4990609a30e5cb9a728b5a7c65 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | aabf2342fbbd5cfd999aae351ec2fe21 |
| SHA1 | bad5a3306830d911d1c65fa77fab656db366bfb9 |
| SHA256 | e06e4fe13ed36e122ff56f4b95089786bbad844bc1e945cd3c723726a978d9db |
| SHA512 | 24b17323bcf239ae75fe6f3076e5a5ef6c75ad58a5ed2b424c75c2bfd1b66b8c087a85acaf6093d69514340b058b0bd9b81c100eff7ca784fe0ce5c332594470 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | ebaaaed537bf78c4b96c5fa4799e84b5 |
| SHA1 | efa5b609c4bf09337a37a41c424c48bc69ae857d |
| SHA256 | faf1c25432b3df909ed5727f4f6ab089524b3a986eb06bd8a359f31d5b16a181 |
| SHA512 | 7d48ded85adb591e12b3dfcab9c93d325be0a641346bccc41f8871464aec2874aff9c41aba53e506c23c4d60084550dc53b56c14c1b3d6514640cc5f6c0957f5 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 60dd51a113f7c59c8cb7d975fb3ce1bb |
| SHA1 | 7c166c5ecf691d51e8fe468ef5420dd3535fff4e |
| SHA256 | 7cb9bc7e35613fbbd5cb8cae2566d3ab6d0192e9d25b1658b084f4c69965bb9a |
| SHA512 | 883dc6d532ae0e3e951685a1c55a673928b58768d44c64baabd7d4c464417987fc42a57e5b1904d06993784ff53c96e9602f0a97196bec1014319a3eaa813dfd |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_7.zip
| MD5 | 8351001ec8738c0b2bf81f8b5ac3c5b2 |
| SHA1 | d999d1b6e342690a26426e81bc42b5edfaf8fabf |
| SHA256 | d9cd94025fb45aa96c01dde44be87059814618a9e907e31306507e43e969867d |
| SHA512 | 60792f919bcfff0a5b31a1be8101ec70e9d12a8305ad7a9dc2e565bd4a0c87ee88e111fa5161e840733ef2a0c6e3e1845079c3988a558fa90dc52159da80e3df |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | e8a4c9de0f949d04ee235e540e4ac709 |
| SHA1 | 901016b16e2fb0c9cf60957b46307e2130fdee68 |
| SHA256 | fa285f77e9883ab6b852ac41511e4da5059b4f8849551c2ed5ace15b9272fa4d |
| SHA512 | 2df8e89c925e2de8516bee0bb4c2f9503b572cc812362f6358acacf5456f9f0ac6ee330f609bff7c1601716a9d216b49fd33c9d2ea5033331108d4451c83ae43 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | a020df2cca4d6b6c9310b93041ff3bcf |
| SHA1 | 690b31ea15015f6927c29b3c4eec05e3f238cea7 |
| SHA256 | a78107ee7e531829793cea070d4dd1147e55ac094c11650253ed3f29310c92e7 |
| SHA512 | 916ff477051c03fa50114d0f6cef98d34f5ab9234f8662d956b5fd1475a4bd7947e1067a55dd29263324dd5fd24dce037286cff8160feca079fe0d458741e7c7 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_6.zip
| MD5 | b160972741741f13ff1a675cf5f90189 |
| SHA1 | d04a6d2bc33e95d9c7ac1996f3d755e0b018fb7d |
| SHA256 | fcb40b104e234ac18357146d87b2a5089e5a9cf0194c1e8405cca0338fbb2b98 |
| SHA512 | 739eba6788194368f0abb5050800bcceea82f5c17162de6394743eab4d286b96226a874d37f54e0d486812ee29ccc95909df9238746c8c025af0c46efd14926b |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 06e89058c666c455057603a09d5d29c3 |
| SHA1 | 011e7f85f637472653807e6f586bcde571c33cf3 |
| SHA256 | 243668a94daaa6bb247589cef5ed29249841d01dbe7655366404264492181569 |
| SHA512 | 7a68a8ecaf6b9cddbcd500c78fb0f9b8c360f0086b43a5e5a2806197c11a1e4888a34be9dcb938ca59357da0135c15738e2906ba035d33c820dee71014e6cb9e |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_5.zip
| MD5 | 11ca0d3ad67ab953a087c784e55359c7 |
| SHA1 | ed0afd402a62f50a8c45f851acf44c40843a2cc0 |
| SHA256 | bc3e6da2f38eae41d5e72d2adc22af21d087d13ed53866ab63c5a2dc5fae6b09 |
| SHA512 | 64a8feda34c6f7151b94532f374d7740d0d4a605df1807248b7aefc5e6e963d2b6c7484bba4e737d13b0c9c76bbb3e17137633a30a1c1ae5628247965075c3ed |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip
| MD5 | 4bdf4e0eccfb4b953a4a882a12cc8128 |
| SHA1 | 3402aaa7c349e8211cb5a14cc9e84e4496b2d61e |
| SHA256 | c3cd186249147de119c1944b4cc9416ca94af95ce4505353ab50dac54fb8197d |
| SHA512 | 6ba178fa8cc97a7181c0cb667dda34a2d848237fc30f9f5932dfe12d3c61fa238c5602416ea285bcecaa2684c1c9804fe8d1f364521c3c76216b7afa99379718 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | cd18885674529ab83a18279a060c3f37 |
| SHA1 | bfdcf9220f26ba003fc2d5c0ce6b13ed5df3608e |
| SHA256 | bc5d3ca9dd4e302696e34c4ff74382f86fcba451ae874aac6288b24ad4ab8bb0 |
| SHA512 | b2a8c6da262c829b6ae360f6187fde3cf4a56efe72eec1ff003e379cde66010e1cd7b529ed4ce5f8df8b1eaff119178fc2974d6c3e03873e52594920537c2e76 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT
| MD5 | ede0e34c216d4cf7edd87eb5efec2430 |
| SHA1 | 232942a370e40a83ac88ca2ebd224dd02aa9814c |
| SHA256 | 596a6ef55bc229719082a7170b01fae3a1ca4e5f65b03a1142929d028f6c48c3 |
| SHA512 | 976e9f834f88d8683af147c5e74a50811071e0476fad79c65f9df795dbaea615d5e4ffd1379c1a46095a262630397f017722f8c366729c3a7b5824e07a17e890 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\@kosmostarsz.exe
| MD5 | 6a787a34b097237f3739f08be4b3e39e |
| SHA1 | d979dd7c02d80677c30315d8c58ac0cdf29960ad |
| SHA256 | 3c0d90ae7ea976edcf777dcfe4e89b9b44b3c6a9ae3a07c06149632f75f5bc42 |
| SHA512 | 01fa4e74cb48e085a20bab002a8bdeea42007ad415b7b6682efd28649ec3f5dc62c893f4da036a5838ef6a37c77900fe0a26052d5bc47be606cf495e262d5b15 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip
| MD5 | 35986967c70d3d917dcc7b48a3333f70 |
| SHA1 | 17b5eb8f675308ab196c507ac31515604b811d1a |
| SHA256 | a01fdedfdbcd10210b3f32cffbcb6e8592ca1a0fb1ff15517ea668380eab2a0a |
| SHA512 | 6148ddc6f69deb17d4b84ef14a3a6e43b75304f2b1bb0498fba8a4ae666d753eda602e10d6017c044e0652cb32acaa4715339666d1f39bf04a80b6ae9b70d46a |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 2be7829ce2c94d82a3840936c985e81a |
| SHA1 | 8792abd3d1c89a065ea4e3b1e9131c327bc36328 |
| SHA256 | 39b6cfcdc4eb80184ea56ea685fce4328cc402c09f7acc0b244f5e9ca9952696 |
| SHA512 | 783280b3fa62e4fc6ce362cb4ab7190cd4b568dc2306ed7560c07f894ed71d221e36608b20d7f5f8a682e8dfdfd7e5cc7defe8b3093d88ef9ff8829f4860d0a7 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip
| MD5 | fc947be1e2936ab19132b0a2e9273cf1 |
| SHA1 | 50d59332ec8878661eba457a90e93bff6342c035 |
| SHA256 | 128a5605da18aca664deed7059d24e06bed6d7e28e30c8a3e35af7d2322dddcf |
| SHA512 | 80d80e8c63709f7bddc9f1297e41eb6ab8e0647709893a8e434d5657dc6879e5075a5082d345c46c3b111ce70492adb00833d60e8e3bb4915eb26da0189c8248 |
C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe
| MD5 | 39aa2a315408cfbbbe49883a518ba2f0 |
| SHA1 | 478935da3ccebd9ce1e8197aeb914b4d267f2af6 |
| SHA256 | db7b9aaf29da71def8db2f1fa7beddb8c478e435053de710c53a7f4904d95061 |
| SHA512 | 65ea338501bb7926bfd558a26ab8bea772b10cc74a89b3d63b6184494b2437da3a6d3ae4da54188cd518e75177ab0f960acb60ff68847db6c4f1cd316178a3cc |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 571a840491869137a87a7ac0a7e0524e |
| SHA1 | f63881a331fa2b33d610356e0f10b083fa02e177 |
| SHA256 | 7b2b2afd3320b8eded5127853160ace90e0dddb061bafaaa1c678cfc63c983c8 |
| SHA512 | 89ee0748639fe894b8cae81170e8eee73bb78e049e5e03dc16abf018cd5fecc18467dd2c8bbb9427fce2f2e2c5964e91fef40128c51dbeb63dace2620b1e8532 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 54c131cde7d4fa79a7e68cd7328475ed |
| SHA1 | 2fa0f6c0bc12baa1736140b3af5ae88a0b176c6d |
| SHA256 | 8322a11134a05b75331f6eb8532399e13ec302a280a7005e2db8aa3084b73ddb |
| SHA512 | 39067f6bf01e49662ff9ed91273eaec8c0ccd6c0ecfa80a320fbf31d5d11a5da1d57a85d2171e435a9d1dae87abe980e15fef8a257d1de6f1e756d560d5ca3e4 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip
| MD5 | 4f9d323b4010c4756e7c23e00c016f04 |
| SHA1 | 0720ab2eae766221e9073070b3512210dff14775 |
| SHA256 | cafa915ce9cf8a5857941066caf7799d877d9a5d55fde72dce059c7dc74537fe |
| SHA512 | 216a9d08c418f1c115199e0d4c0ba0e62ca05f4f15e6d0ac6cfb89b9c9c32bc286333031492fa00423e141311d4cbc1d9ff861e4d0865554b994cc7edd83db7d |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 09b2481338c7830b1a200a328ec05692 |
| SHA1 | 5c73508ce2ce02d4f376336f9268af6f8150d81b |
| SHA256 | d702d677e797510d04bae289540c2e3cbd5e412d776f0548f1bb6a02a8dfdc6e |
| SHA512 | 741b8be92095a67b2349420bb391a323e1f77d4d105b42fc8c609e3ac15e572fbdaeee088510724700be42569c892710c86266984cd4ba7307eb5bb4e0e13e7b |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 607471b7dd28d862af3d0c2311311ad2 |
| SHA1 | c4ddaa39f442badf1ce87802ec9b0616b2e3bad1 |
| SHA256 | f55b90c22d34539af3950f251938dc7e531a1cbc1ccbf52944c4eea7cce97386 |
| SHA512 | 2e65dd35a29a81dc582b8753bf0d7f730b493d19ae1efb8e6480b81fdfdf8f40d6598a87241787f69816e2993cbec9dba34af8765804002a2c229d8c53779ca5 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 794ac33482582da0a5c73c23105f0353 |
| SHA1 | 63a20d342a71ac3bcb40b690b0d80cef2c2274a4 |
| SHA256 | e624e3731efaf44dc46066a36041f86cfedad076114b48f77ca3002c3ff283bf |
| SHA512 | 94428282c30b131d9e5e83b1f2ab570b894484f4c237695f2b6985fc0f8c57d7abc15bae9d598d714b7861ec00c108cd67c72e45b74c3fdc69b74b6c6a04b63b |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | ada9331f25ee68f15b29de14bf381da3 |
| SHA1 | a75bfddf8127cd4bcc6006ad5a6476f68014029a |
| SHA256 | 0944552cd52987e24e06e1ab812014cf2f7061b7e8470346500b707ea6a44a8f |
| SHA512 | 62ad31209a71bd22998cea0c17fce59bea92ffa742169d1d59aa8c0508dc1694dcc97c000799d9a11a1fa89b107b69fd65889de66c05f67e07ee4948398bde90 |
memory/4320-66-0x0000000072FC0000-0x0000000073770000-memory.dmp
memory/4320-65-0x00000000004A0000-0x00000000004BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 8e22d1cd637cfa265080e9e934215bcb |
| SHA1 | 8536343e75dab2e6addac7cfb821d32bd92bd93b |
| SHA256 | d16cbd6dc52794496e6a6b4dbec85f42a62591c2e07c3f9cc6baa215771a427c |
| SHA512 | 3fae3e7ea464fe4d1e6a709aaffbc13b196b4501e7d1ac1ce69e59933b4d7358ef01f27064111862e2deb315d257cb9c8d1de5d5bbb67ea3c3e42e36c17cdc25 |
memory/4320-67-0x0000000005360000-0x0000000005978000-memory.dmp
memory/4320-68-0x00000000027D0000-0x00000000027E2000-memory.dmp
memory/4320-69-0x0000000004D80000-0x0000000004DBC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 6081a041416699f0606424a86a827abd |
| SHA1 | 5a766d99e0ea0b789cdd3ad49059ce512a8fc02d |
| SHA256 | 0935ba31283d4125f392768c9210789188e51b2c634789526341d25b26647b84 |
| SHA512 | e2926da67fb45a580b8509567480203acf01bf1c5dfebd783dc30b064a864ac3d39ac1052d6ecf3eab975c53872586ce0e7ae5de69e4c3350430fce14592fd1d |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 272520df89b16371b2de80ae861ce4d4 |
| SHA1 | af41a73613ec1c68f276bcb40ff88315feedc899 |
| SHA256 | 6f940e74a901825053ec6176d86d9bfa61a0fee626f16e49839786078000bb10 |
| SHA512 | ed8ea939ca81c8d697d5ce1accc2ca6789a521284c94f352d2e952df8ea7c25b55e6b21ee26db9ddbafde91a711635d6561b9f9aaebb3bca6f7d5a7b071fcf25 |
memory/4320-71-0x0000000004E60000-0x0000000004E70000-memory.dmp
memory/4320-70-0x0000000004DC0000-0x0000000004E0C000-memory.dmp
memory/4320-72-0x0000000005030000-0x000000000513A000-memory.dmp
memory/4320-73-0x0000000072FC0000-0x0000000073770000-memory.dmp
memory/4320-74-0x0000000004E60000-0x0000000004E70000-memory.dmp