Malware Analysis Report

2024-08-06 13:13

Sample ID 240616-wccn3szhqc
Target FlySide.exe
SHA256 48429db29ff42c7c50264ca1645560f5ca4e2a3e0f934dd59a06572c7770e7e7
Tags
asyncrat default rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

48429db29ff42c7c50264ca1645560f5ca4e2a3e0f934dd59a06572c7770e7e7

Threat Level: Known bad

The file FlySide.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

Asyncrat family

Async RAT payload

AsyncRat

Async RAT payload

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-16 17:46

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 17:46

Reported

2024-06-16 17:49

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FlySide.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3920 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe C:\Windows\System32\cmd.exe
PID 3920 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe C:\Windows\System32\cmd.exe
PID 3920 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe C:\Windows\system32\cmd.exe
PID 3920 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1892 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3568 wrote to memory of 2084 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3568 wrote to memory of 2084 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1892 wrote to memory of 3288 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Winrar.exe
PID 1892 wrote to memory of 3288 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Winrar.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\FlySide.exe

"C:\Users\Admin\AppData\Local\Temp\FlySide.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Winrar" /tr '"C:\Users\Admin\AppData\Roaming\Winrar.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4C2C.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Winrar" /tr '"C:\Users\Admin\AppData\Roaming\Winrar.exe"'

C:\Users\Admin\AppData\Roaming\Winrar.exe

"C:\Users\Admin\AppData\Roaming\Winrar.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
US 52.111.229.48:443 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp

Files

memory/3920-0-0x00007FFDE63E3000-0x00007FFDE63E5000-memory.dmp

memory/3920-1-0x00000000000A0000-0x00000000000E0000-memory.dmp

memory/3920-2-0x00007FFDE63E0000-0x00007FFDE6EA1000-memory.dmp

memory/3920-7-0x00007FFDE63E0000-0x00007FFDE6EA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4C2C.tmp.bat

MD5 cf837f9324105170a5b098ee74d79a24
SHA1 fca413ccd1ea743fa88ae5394e285802516f30b6
SHA256 27b958a7b56ee8df3798e753e91a8668c0cdded01d62e215fa5fe5a0870ab838
SHA512 ddf3c71dcf87b34a3cb455e90e9a87565751f5dc53c2e949c5c3a7a8a2e0dba81b497f71c89af912e64236ee9dc0b21e218cb1500e0b9eb8ba302c5d93b6457c

C:\Users\Admin\AppData\Roaming\Winrar.exe

MD5 0f582a0b2557f50a4745751a4c128c34
SHA1 894660b4a64e8309393f08f686cade8721dc5f73
SHA256 48429db29ff42c7c50264ca1645560f5ca4e2a3e0f934dd59a06572c7770e7e7
SHA512 b1c860bbae77ac8642bf1fb7963606b64d74b7ceb7e28d262b3cb2ae8a2e843aa22bfc18cc4882df1e83e58009205805452a412eddcd87615a6b3fb5802fab34

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 17:46

Reported

2024-06-16 17:49

Platform

win7-20240611-en

Max time kernel

150s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FlySide.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Winrar.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2260 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe C:\Windows\System32\cmd.exe
PID 2260 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe C:\Windows\System32\cmd.exe
PID 2260 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe C:\Windows\System32\cmd.exe
PID 2260 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe C:\Windows\system32\cmd.exe
PID 2260 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe C:\Windows\system32\cmd.exe
PID 2260 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\FlySide.exe C:\Windows\system32\cmd.exe
PID 2676 wrote to memory of 1924 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2676 wrote to memory of 1924 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2676 wrote to memory of 1924 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2756 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2756 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2756 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2756 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Winrar.exe
PID 2756 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Winrar.exe
PID 2756 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Winrar.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\FlySide.exe

"C:\Users\Admin\AppData\Local\Temp\FlySide.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Winrar" /tr '"C:\Users\Admin\AppData\Roaming\Winrar.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7926.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Winrar" /tr '"C:\Users\Admin\AppData\Roaming\Winrar.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Winrar.exe

"C:\Users\Admin\AppData\Roaming\Winrar.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp

Files

memory/2260-0-0x000007FEF5FD3000-0x000007FEF5FD4000-memory.dmp

memory/2260-1-0x00000000011A0000-0x00000000011E0000-memory.dmp

memory/2260-2-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

memory/2260-3-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7926.tmp.bat

MD5 cf400c8172431b8f35cb42226e7f01ca
SHA1 c30e469344465883d958bc737e868ac6b83a577c
SHA256 18f16b50ecb19a6cf9db7f21a6fe517b662547f1df2d916ed008b84daa0edd08
SHA512 23993b65a3faafdde0eb28c041de4d962c03da8e5c9265df0e161f67215dfa8f8742de921c01f3ac0f2971ccc1af8087a636d49269f6fbd0f7c7e660d778ca8e

memory/2260-12-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Winrar.exe

MD5 0f582a0b2557f50a4745751a4c128c34
SHA1 894660b4a64e8309393f08f686cade8721dc5f73
SHA256 48429db29ff42c7c50264ca1645560f5ca4e2a3e0f934dd59a06572c7770e7e7
SHA512 b1c860bbae77ac8642bf1fb7963606b64d74b7ceb7e28d262b3cb2ae8a2e843aa22bfc18cc4882df1e83e58009205805452a412eddcd87615a6b3fb5802fab34

memory/1608-17-0x0000000000F10000-0x0000000000F50000-memory.dmp