Analysis Overview
SHA256
cbbcedfc8f8909db6245162860ea9514ab1b011269617ddb3538b2dc2e20cb79
Threat Level: Known bad
The file 2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.zip was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Suspicious use of NtCreateUserProcessOtherParentProcess
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Unsigned PE
Enumerates physical storage devices
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Enumerates processes with tasklist
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-02 13:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-02 13:14
Reported
2024-04-02 13:14
Platform
win7-20240221-en
Max time kernel
0s
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-02 13:14
Reported
2024-04-02 13:14
Platform
win10v2004-20240226-en
Max time kernel
0s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 20.211.142.183:443 | N/A | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-02 13:14
Reported
2024-04-02 13:17
Platform
win7-20240221-en
Max time kernel
119s
Max time network
152s
Command Line
Signatures
AsyncRat
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2456 created 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif | C:\Windows\Explorer.EXE |
| PID 2456 created 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif | C:\Windows\Explorer.EXE |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\RegAsm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\RegAsm.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3484\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3484\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe
"C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Newsletters Newsletters.bat & Newsletters.bat
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 3484
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Reaching + Finest + Environmental + Tons + Symbols + Rice 3484\Soldiers.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Triangle + Ave + Tray 3484\o
C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif
3484\Soldiers.pif 3484\o
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url" & echo URL="C:\Users\Admin\AppData\Local\StitchCraft Studios Co\FinestitchR.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url" & exit
C:\Users\Admin\AppData\Local\Temp\3484\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\3484\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | WsMSIOffeNnJ.WsMSIOffeNnJ | udp |
| US | 8.8.8.8:53 | fttuvgt.ddnsfree.com | udp |
| PL | 195.3.223.146:6668 | fttuvgt.ddnsfree.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Newsletters
| MD5 | 1c4cabf20ffeef1a7d9e71d77d5c62fa |
| SHA1 | b6cfa0efd9b12a9b5f929ce3a41dab8dbb454656 |
| SHA256 | 8145332923bbb85ae2517c87b587b2de275219badf769fbc4064e3f76d1b26c0 |
| SHA512 | 39abf36ba0d2cc633abe7525e267b09418bd13aac906c24c00c106f0358671b1fc75cff6a26e6a9a3ec01249fc140441431ef18d2585c00e78f9973504f22a0b |
C:\Users\Admin\AppData\Local\Temp\Reaching
| MD5 | c3a422b148a736804f525f481f289d2d |
| SHA1 | 2cead45c5bdcc21213701bc92f45d2ab3e9e7258 |
| SHA256 | 520b4a0ca94396abb97ea723ed7d6dfa7880cce4013d2f998b3c83090295d254 |
| SHA512 | ddf1ba3d23f9b5363f3b1817e705ae4da6cddc3218c6778896eca9ec30ed0d0daf66cc502d133a56c4f880efeea026b0d513024e82d825684701e12a7339bb50 |
C:\Users\Admin\AppData\Local\Temp\Finest
| MD5 | 190d5cc5f06756ecfd8284f7ca962cba |
| SHA1 | 0192bc94f63a4d999848d18b5b3400f53bc266ea |
| SHA256 | c848899356852d7cdd43ce525b0f464db427252ad07c539c064cb89a7bdbc5a2 |
| SHA512 | e83ece7b2de4d376e08fb41e08139fe2793f705af86a0ebe379396712fd005e6961e8b7eb2d3b8b8c9711ee515d73a4870968038090885e4795c8f6b39e5f0ad |
C:\Users\Admin\AppData\Local\Temp\Environmental
| MD5 | 4a094b9a89ae4c55768e8e012ee4d023 |
| SHA1 | 9d625903d40e8563a91171db01549302acb26091 |
| SHA256 | 8948e23d1611624abd88ef91d7ab119efe22896b8d12370ab2989d10f5fd8185 |
| SHA512 | c40ad8c7294cbd4e3bd26229d4b2054b131a912005a0221c442c3f12d6cfebe1541738a8f4d1439071fd15c794b4cbc1b5ba0fd2a64adcd7d35615523bb590bc |
C:\Users\Admin\AppData\Local\Temp\Tons
| MD5 | 639ac7a58107cc48b3d0f9ea512c4fae |
| SHA1 | a34aede82b0042f6e87902fbdd8e4a3ead6746f8 |
| SHA256 | 72d8b933bbe09704f7f5200ba648fbc12a26b0cf7b232c2f7172c1dcf6b5abef |
| SHA512 | 794349c95e93f6fd5227ddce23bba317d8862c7d7ba4ac6c84adf59a127f39943a3c55e4949664197e7970b2d48d9afbe1b0fdde55562ffdacc5b2821621c85c |
C:\Users\Admin\AppData\Local\Temp\Symbols
| MD5 | ced8fcd39719d599d0f4d9561e6fe507 |
| SHA1 | 59eb5f73d676efae575623e546978d42decf6260 |
| SHA256 | 1927ede910ccaee4f846eb85401f63dc5860f5db5a66562b54853e59e437dd1e |
| SHA512 | a7bb599680bdb57e8a4c559a21403737e75d206798cebd53d0dd3939ef00445d8009c404772e23015919ba90ba522b87ef3cf44a7df6682fb2b622b2b67edfe0 |
C:\Users\Admin\AppData\Local\Temp\Rice
| MD5 | 0b0c7642bf84588d7fb643e251001b81 |
| SHA1 | 4a7435708db3e0eea8d3e5ab9e78cdcfafdec4cd |
| SHA256 | 047ee02962359b321112610fd3fa7ab416b028b9a2bee3cd7343de7641136aec |
| SHA512 | 09b1800306461fe1fa1df0dc3a7a2b91de4a44dff950bec7eaef0de7b9c4f5c46d087f09f67ba4d819d5fd9ca1a6c44d8fa3d26ca20d80b672423c7bdc5b3dae |
C:\Users\Admin\AppData\Local\Temp\Triangle
| MD5 | 530605e3eccc1595d537b0baeabf2b36 |
| SHA1 | 6a52cb76c3b5a615895f85e565cb219d5da56416 |
| SHA256 | 86151ad1b478399281ea7d5de476f6e3709fa17383d44e607ef62df9fefe8ec1 |
| SHA512 | e397c19f63350bf6066f702cb7e9140effd235656d3f7c02bd8fdc11f4bdd36c1947a2109e845118b3cc9224e4c50dc1fb3a3cd3762348ee1d4006e368f52614 |
C:\Users\Admin\AppData\Local\Temp\Ave
| MD5 | 2af9a11316c5ec31d8429dd37e50b06b |
| SHA1 | cee13a90c0ba136825716f2dd1d517ec55bc3777 |
| SHA256 | a49d011010b21fbe725d1f635e279285580a7d35e0eaf6d53ba8fc1d3bc8d8f0 |
| SHA512 | 2e05fbbd670b291b4fdb5f41b27c120f16b3a49ad61eed467efdb9178345c2b6889a5ed18728c123e1a5c7d29d26fa3ad98c50565bc4a88b6868708931a09831 |
C:\Users\Admin\AppData\Local\Temp\Tray
| MD5 | 83838b9779309c6deff2ecd321607cea |
| SHA1 | 09e321410d80ea507e8426de23967db9d9478e72 |
| SHA256 | 6718bc24cfddc6f194e5fe687fdeae9a189aaec7908a1545863cb1b43fdbf30c |
| SHA512 | 5076d2808b31f63dc03f686b3434e210ee598b633df1b1f151d0a7c5e2fc3074209174451a5493fd232d52fdbf35a6459f29a45411144153464cf87ef558fc58 |
\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif
| MD5 | 62d09f076e6e0240548c2f837536a46a |
| SHA1 | 26bdbc63af8abae9a8fb6ec0913a307ef6614cf2 |
| SHA256 | 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49 |
| SHA512 | 32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f |
C:\Users\Admin\AppData\Local\Temp\3484\o
| MD5 | fc2e0f6ae9c49f4c1f73e1a455bda758 |
| SHA1 | 00297b73b0b5152c46e8a5517c10660fa37b1724 |
| SHA256 | d2f8bad64a400060d230415a15f38449037907a6dd0e2d8e3f3b3c047a5be3f2 |
| SHA512 | c88c0329f7827ac803b15dbfd59d09965832cb76e82390b1d27f22e9114f7e4adf38493fc97f816c0e0b8bbbc0b68a5d22f74bd7d783cf9bad0485e8328df2a0 |
memory/2456-26-0x0000000076ED0000-0x0000000076FA6000-memory.dmp
memory/2456-33-0x0000000000320000-0x0000000000321000-memory.dmp
\Users\Admin\AppData\Local\Temp\3484\RegAsm.exe
| MD5 | b58b926c3574d28d5b7fdd2ca3ec30d5 |
| SHA1 | d260c4ffd603a9cfc057fcb83d678b1cecdf86f9 |
| SHA256 | 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3 |
| SHA512 | b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab |
memory/2092-37-0x0000000000090000-0x00000000000A6000-memory.dmp
memory/2092-40-0x0000000000090000-0x00000000000A6000-memory.dmp
memory/2092-42-0x0000000000090000-0x00000000000A6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-02 13:14
Reported
2024-04-02 13:17
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
AsyncRat
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2468 created 3536 | N/A | C:\Users\Admin\AppData\Local\Temp\3438\Soldiers.pif | C:\Windows\Explorer.EXE |
| PID 2468 created 3536 | N/A | C:\Users\Admin\AppData\Local\Temp\3438\Soldiers.pif | C:\Windows\Explorer.EXE |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3438\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3438\RegAsm.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3438\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3438\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3438\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3438\Soldiers.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3438\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3438\Soldiers.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3438\Soldiers.pif | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3438\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe
"C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Newsletters Newsletters.bat & Newsletters.bat
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 3438
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Reaching + Finest + Environmental + Tons + Symbols + Rice 3438\Soldiers.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Triangle + Ave + Tray 3438\o
C:\Users\Admin\AppData\Local\Temp\3438\Soldiers.pif
3438\Soldiers.pif 3438\o
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url" & echo URL="C:\Users\Admin\AppData\Local\StitchCraft Studios Co\FinestitchR.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url" & exit
C:\Users\Admin\AppData\Local\Temp\3438\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\3438\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | WsMSIOffeNnJ.WsMSIOffeNnJ | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fttuvgt.ddnsfree.com | udp |
| PL | 195.3.223.146:6667 | fttuvgt.ddnsfree.com | tcp |
| US | 8.8.8.8:53 | 146.223.3.195.in-addr.arpa | udp |
| PL | 195.3.223.146:6667 | fttuvgt.ddnsfree.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.197.77.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Newsletters
| MD5 | 1c4cabf20ffeef1a7d9e71d77d5c62fa |
| SHA1 | b6cfa0efd9b12a9b5f929ce3a41dab8dbb454656 |
| SHA256 | 8145332923bbb85ae2517c87b587b2de275219badf769fbc4064e3f76d1b26c0 |
| SHA512 | 39abf36ba0d2cc633abe7525e267b09418bd13aac906c24c00c106f0358671b1fc75cff6a26e6a9a3ec01249fc140441431ef18d2585c00e78f9973504f22a0b |
C:\Users\Admin\AppData\Local\Temp\Tons
| MD5 | 639ac7a58107cc48b3d0f9ea512c4fae |
| SHA1 | a34aede82b0042f6e87902fbdd8e4a3ead6746f8 |
| SHA256 | 72d8b933bbe09704f7f5200ba648fbc12a26b0cf7b232c2f7172c1dcf6b5abef |
| SHA512 | 794349c95e93f6fd5227ddce23bba317d8862c7d7ba4ac6c84adf59a127f39943a3c55e4949664197e7970b2d48d9afbe1b0fdde55562ffdacc5b2821621c85c |
C:\Users\Admin\AppData\Local\Temp\Environmental
| MD5 | 4a094b9a89ae4c55768e8e012ee4d023 |
| SHA1 | 9d625903d40e8563a91171db01549302acb26091 |
| SHA256 | 8948e23d1611624abd88ef91d7ab119efe22896b8d12370ab2989d10f5fd8185 |
| SHA512 | c40ad8c7294cbd4e3bd26229d4b2054b131a912005a0221c442c3f12d6cfebe1541738a8f4d1439071fd15c794b4cbc1b5ba0fd2a64adcd7d35615523bb590bc |
C:\Users\Admin\AppData\Local\Temp\Finest
| MD5 | 190d5cc5f06756ecfd8284f7ca962cba |
| SHA1 | 0192bc94f63a4d999848d18b5b3400f53bc266ea |
| SHA256 | c848899356852d7cdd43ce525b0f464db427252ad07c539c064cb89a7bdbc5a2 |
| SHA512 | e83ece7b2de4d376e08fb41e08139fe2793f705af86a0ebe379396712fd005e6961e8b7eb2d3b8b8c9711ee515d73a4870968038090885e4795c8f6b39e5f0ad |
C:\Users\Admin\AppData\Local\Temp\Reaching
| MD5 | c3a422b148a736804f525f481f289d2d |
| SHA1 | 2cead45c5bdcc21213701bc92f45d2ab3e9e7258 |
| SHA256 | 520b4a0ca94396abb97ea723ed7d6dfa7880cce4013d2f998b3c83090295d254 |
| SHA512 | ddf1ba3d23f9b5363f3b1817e705ae4da6cddc3218c6778896eca9ec30ed0d0daf66cc502d133a56c4f880efeea026b0d513024e82d825684701e12a7339bb50 |
C:\Users\Admin\AppData\Local\Temp\Symbols
| MD5 | ced8fcd39719d599d0f4d9561e6fe507 |
| SHA1 | 59eb5f73d676efae575623e546978d42decf6260 |
| SHA256 | 1927ede910ccaee4f846eb85401f63dc5860f5db5a66562b54853e59e437dd1e |
| SHA512 | a7bb599680bdb57e8a4c559a21403737e75d206798cebd53d0dd3939ef00445d8009c404772e23015919ba90ba522b87ef3cf44a7df6682fb2b622b2b67edfe0 |
C:\Users\Admin\AppData\Local\Temp\Rice
| MD5 | 0b0c7642bf84588d7fb643e251001b81 |
| SHA1 | 4a7435708db3e0eea8d3e5ab9e78cdcfafdec4cd |
| SHA256 | 047ee02962359b321112610fd3fa7ab416b028b9a2bee3cd7343de7641136aec |
| SHA512 | 09b1800306461fe1fa1df0dc3a7a2b91de4a44dff950bec7eaef0de7b9c4f5c46d087f09f67ba4d819d5fd9ca1a6c44d8fa3d26ca20d80b672423c7bdc5b3dae |
C:\Users\Admin\AppData\Local\Temp\Triangle
| MD5 | 530605e3eccc1595d537b0baeabf2b36 |
| SHA1 | 6a52cb76c3b5a615895f85e565cb219d5da56416 |
| SHA256 | 86151ad1b478399281ea7d5de476f6e3709fa17383d44e607ef62df9fefe8ec1 |
| SHA512 | e397c19f63350bf6066f702cb7e9140effd235656d3f7c02bd8fdc11f4bdd36c1947a2109e845118b3cc9224e4c50dc1fb3a3cd3762348ee1d4006e368f52614 |
C:\Users\Admin\AppData\Local\Temp\Ave
| MD5 | 2af9a11316c5ec31d8429dd37e50b06b |
| SHA1 | cee13a90c0ba136825716f2dd1d517ec55bc3777 |
| SHA256 | a49d011010b21fbe725d1f635e279285580a7d35e0eaf6d53ba8fc1d3bc8d8f0 |
| SHA512 | 2e05fbbd670b291b4fdb5f41b27c120f16b3a49ad61eed467efdb9178345c2b6889a5ed18728c123e1a5c7d29d26fa3ad98c50565bc4a88b6868708931a09831 |
C:\Users\Admin\AppData\Local\Temp\Tray
| MD5 | 83838b9779309c6deff2ecd321607cea |
| SHA1 | 09e321410d80ea507e8426de23967db9d9478e72 |
| SHA256 | 6718bc24cfddc6f194e5fe687fdeae9a189aaec7908a1545863cb1b43fdbf30c |
| SHA512 | 5076d2808b31f63dc03f686b3434e210ee598b633df1b1f151d0a7c5e2fc3074209174451a5493fd232d52fdbf35a6459f29a45411144153464cf87ef558fc58 |
C:\Users\Admin\AppData\Local\Temp\3438\Soldiers.pif
| MD5 | 62d09f076e6e0240548c2f837536a46a |
| SHA1 | 26bdbc63af8abae9a8fb6ec0913a307ef6614cf2 |
| SHA256 | 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49 |
| SHA512 | 32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f |
C:\Users\Admin\AppData\Local\Temp\3438\o
| MD5 | fc2e0f6ae9c49f4c1f73e1a455bda758 |
| SHA1 | 00297b73b0b5152c46e8a5517c10660fa37b1724 |
| SHA256 | d2f8bad64a400060d230415a15f38449037907a6dd0e2d8e3f3b3c047a5be3f2 |
| SHA512 | c88c0329f7827ac803b15dbfd59d09965832cb76e82390b1d27f22e9114f7e4adf38493fc97f816c0e0b8bbbc0b68a5d22f74bd7d783cf9bad0485e8328df2a0 |
memory/2468-25-0x0000000076EC1000-0x0000000076FE1000-memory.dmp
memory/2468-33-0x0000000002350000-0x0000000002351000-memory.dmp
memory/1312-35-0x0000000000700000-0x0000000000716000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3438\RegAsm.exe
| MD5 | 0d5df43af2916f47d00c1573797c1a13 |
| SHA1 | 230ab5559e806574d26b4c20847c368ed55483b0 |
| SHA256 | c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc |
| SHA512 | f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2 |
memory/1312-38-0x0000000073950000-0x0000000074100000-memory.dmp
memory/1312-39-0x0000000004D40000-0x0000000004D50000-memory.dmp
memory/1312-40-0x0000000005500000-0x0000000005AA4000-memory.dmp
memory/1312-41-0x0000000005130000-0x00000000051C2000-memory.dmp
memory/1312-42-0x0000000005100000-0x000000000510A000-memory.dmp
memory/1312-45-0x0000000006190000-0x000000000622C000-memory.dmp
memory/1312-46-0x0000000006230000-0x0000000006296000-memory.dmp
memory/1312-47-0x0000000073950000-0x0000000074100000-memory.dmp
memory/1312-48-0x0000000004D40000-0x0000000004D50000-memory.dmp