Analysis Overview
SHA256
1d6f7584e8fc83a87851e579dc867c32792bcd329b7280bb100d9e0cba730b04
Threat Level: Shows suspicious behavior
The file iltst.zip was found to show suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates processes with tasklist
Drops file in Windows directory
System Location Discovery: System Language Discovery
Browser Information Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:58
Reported
2024-11-13 15:01
Platform
win10v2004-20241007-en
Max time kernel
96s
Max time network
146s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\PickingNhs | C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe | N/A |
| File opened for modification | C:\Windows\BarriersB | C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe | N/A |
| File opened for modification | C:\Windows\PrefixRough | C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe | "C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c copy Zus Zus.cmd & Zus.cmd |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa opssvc" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 677738 |
| C:\Windows\SysWOW64\findstr.exe | findstr /V "PhiladelphiaFacultyInsulinDifferent" Prisoner |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b ..\Merchants + ..\Mcdonald + ..\Album + ..\Candidates + ..\Extreme + ..\Dept + ..\Edmonton s |
| C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | Farming.pif s |
| C:\Windows\SysWOW64\choice.exe | choice /d y /t 5 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vnEnEAsZbRjillROWxtxgv.vnEnEAsZbRjillROWxtxgv | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | snail-r1ced.cyou | udp |
| US | 172.67.199.231:443 | snail-r1ced.cyou | tcp |
| US | 172.67.199.231:443 | snail-r1ced.cyou | tcp |
| US | 8.8.8.8:53 | 231.199.67.172.in-addr.arpa | udp |
| US | 172.67.199.231:443 | snail-r1ced.cyou | tcp |
| US | 172.67.199.231:443 | snail-r1ced.cyou | tcp |
| US | 172.67.199.231:443 | snail-r1ced.cyou | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 172.67.199.231:443 | snail-r1ced.cyou | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Zus
| MD5 | f57b4f35dea7f939528515d2877743b7 |
| SHA1 | 8c65e425e7912f1fb2b55acd189309fbb1700d4c |
| SHA256 | 4432a67e3d73c28725306dae8933cb9570073cd1c4e1a1a0b2d364d7d3878809 |
| SHA512 | be15b696b7d15c4ccba783370292796370bff58cfd052482e0a8a0c464c04559649b546121e7b72dab6b7793c7df78aba0335cbd067ff0905f0883ddb775d224 |
C:\Users\Admin\AppData\Local\Temp\Prisoner
| MD5 | fa2ad2c0091ba19cbc9339c9e21b76dc |
| SHA1 | dada141a7fe31c487832ae5cae59384df46d3c48 |
| SHA256 | 832347756573f0b1f143d2181716493df078dc19757760fb978f27bbd32db8bd |
| SHA512 | c9bd863138586fc982536fb69bb48ec20d8d68360a31d6985536b073b58f0f7a41449658c6f60491eda6ca51e3cf30e78fb07ad4f1379628d16a18e00be7e7f9 |
C:\Users\Admin\AppData\Local\Temp\Compatible
| MD5 | d6e7ad57b5f8619d610a5a569ee51ba9 |
| SHA1 | 8c0d6c27e640fcee095fc6d3495343523eb57689 |
| SHA256 | e3a992895fb7f239e0641561e40f62b5b42c1f602164f2a1a648b4a747888cb4 |
| SHA512 | 8c392443223ad0b81ce56c749307570081567ec502dc800a6d73e23bb81ced08c8d93a660e6949d3aa20bfbcdad554a47f96b50d0a479bcae57cef1f9f841fd3 |
C:\Users\Admin\AppData\Local\Temp\Merchants
| MD5 | c718448fc0186eaef23c22ecd4538a0f |
| SHA1 | 69eda4415d2c78737821cadf0531f6976a700b08 |
| SHA256 | 8bfd4958ab0465144dc5fae27684ef902389673f812acfbeaf55b114280020af |
| SHA512 | 149d9d90ce4c9b1bfa59d4ce746a710c0b9bac9930eb68224cd6db4522cb2a34ca7fc0ee6c1962624753b11450b9a3b65677d48521b07b50c1bd2576a2cc6bad |
C:\Users\Admin\AppData\Local\Temp\Mcdonald
| MD5 | 8b953b374762bf4bd86ad80f5f2ff8d2 |
| SHA1 | 70952f8c55e815f27ad74ac1c496c6a4c3f5adf1 |
| SHA256 | 232a81b7dc107ed79792d55ef9dfff6e522f429c8c2722e96b1f3444d8070634 |
| SHA512 | 2850db6252fa0e348938aea2f0c3a055bfef936a21b5327605be87e4c17a58ef82ce58577ec2d1978c6744ffee76fe42412eb7854c69806f87d878c7cb25aea0 |
C:\Users\Admin\AppData\Local\Temp\Album
| MD5 | 142a4ccb79b82a8744e9e569ed904a2c |
| SHA1 | e16b56a6e4d4bb01ce7a1cf2eecf30ae8f8ffb4d |
| SHA256 | 8654680a492b898cfa35889bc69f7acf77a817e404f3f05f58ffb73e686b6d23 |
| SHA512 | e148da9a7e01915d54052203601fe248e022956ef5763a931590b66797cb573f5a07f2c12dbe9aa4f2099b11f806c0d2b43b5c073d333dcb36a63c4fc1070496 |
C:\Users\Admin\AppData\Local\Temp\Candidates
| MD5 | 2a3e1a04c3a5a22f5178f6d4bbf13e4b |
| SHA1 | b5ec0c3088fb6af22e65fb4901b44700cc634ba1 |
| SHA256 | 2b07021e5210404f0d4e3c4e74d95d9154a1bd4c67ad4299043528ca0cb9bc87 |
| SHA512 | d369d23861568d1eb6d39874c5dd059586d476a9b98d1c72671f879ae68ec3e75f1c5f98a9126a1427f446dfac17026c24cb4bc424f02f1dec3f48aba2936611 |
C:\Users\Admin\AppData\Local\Temp\Extreme
| MD5 | 06e3e5a58599f58ef3b8ea97b950149a |
| SHA1 | 98478466ae7ae33cbd0e10a3a0f8607c6e0268fb |
| SHA256 | ab684d18f31a2e8893ca337d30ecd697c7c7324e734faf4d1032d49b176e87b0 |
| SHA512 | cb99f29e9442af230e6b5060e2a141177ac949dcd915186bcc24d464d296684dba707b13d15eaa4764bf54818aa57907e06da19abae218de8de5463f8c271d01 |
C:\Users\Admin\AppData\Local\Temp\Dept
| MD5 | 15f9705c945e9540cc821f3ef941d379 |
| SHA1 | 6dd641acccc9d8cd6c9790f60ed4b8525ae48dc7 |
| SHA256 | 832d4fb39077bee580a3c90456f803dcff5627169d87c6a9a0c0b3866e560c13 |
| SHA512 | 80f0d21697997443a5037c2eb90d36cc5820d07649b6b451443bce0019d6f40eb4df685da53577e9d348397f6d2abfd61fa6b3784c0d9f7dc156c37bc2890c6d |
C:\Users\Admin\AppData\Local\Temp\Edmonton
| MD5 | 5d7c20805d320d47ab6ae65794214948 |
| SHA1 | 639809c3442d96a5a20edc8eabd1a6cac2777dbd |
| SHA256 | f896f837e3da1a5f3412789d252adfe0b178e3413d2662a0803de662be967194 |
| SHA512 | 8e4dd5baafef95a07f0f4a24e948693e47a9edbac5b51e9f9c2d3c42c4ccea9a0604c682840d3b034cbc34cc1cc8ca803f4c74c40e39a1eb3492096fe25b6193 |
C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif
| MD5 | 78ba0653a340bac5ff152b21a83626cc |
| SHA1 | b12da9cb5d024555405040e65ad89d16ae749502 |
| SHA256 | 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7 |
| SHA512 | efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317 |
C:\Users\Admin\AppData\Local\Temp\677738\s
| MD5 | dcead7456af51437d621d9e036dc0bfa |
| SHA1 | 3f4bd88fca78b54e7affe7c867a14395e0eb1f45 |
| SHA256 | 32ee510f9a33e6eba1dbac1e65297bbd8473347de7a77073c72e6e60767fad6d |
| SHA512 | 9166d37d921410310e6c4ca9ee673ed449d901dd88d2036936f171cfe86e764b022d6832e029912b2be1b3157d16361b2e2a972ee27135f76d66d43144cc71d9 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:58
Reported
2024-11-13 15:01
Platform
win7-20240903-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\BarriersB | C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe | N/A |
| File opened for modification | C:\Windows\PrefixRough | C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe | N/A |
| File opened for modification | C:\Windows\PickingNhs | C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe | "C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c copy Zus Zus.cmd & Zus.cmd |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa opssvc" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 677738 |
| C:\Windows\SysWOW64\findstr.exe | findstr /V "PhiladelphiaFacultyInsulinDifferent" Prisoner |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b ..\Merchants + ..\Mcdonald + ..\Album + ..\Candidates + ..\Extreme + ..\Dept + ..\Edmonton s |
| C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif | Farming.pif s |
| C:\Windows\SysWOW64\choice.exe | choice /d y /t 5 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | vnEnEAsZbRjillROWxtxgv.vnEnEAsZbRjillROWxtxgv | udp |
| US | 8.8.8.8:53 | snail-r1ced.cyou | udp |
| US | 104.21.84.251:443 | snail-r1ced.cyou | tcp |
| US | 104.21.84.251:443 | snail-r1ced.cyou | tcp |
| US | 104.21.84.251:443 | snail-r1ced.cyou | tcp |
| US | 104.21.84.251:443 | snail-r1ced.cyou | tcp |
| US | 104.21.84.251:443 | snail-r1ced.cyou | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Zus
| MD5 | f57b4f35dea7f939528515d2877743b7 |
| SHA1 | 8c65e425e7912f1fb2b55acd189309fbb1700d4c |
| SHA256 | 4432a67e3d73c28725306dae8933cb9570073cd1c4e1a1a0b2d364d7d3878809 |
| SHA512 | be15b696b7d15c4ccba783370292796370bff58cfd052482e0a8a0c464c04559649b546121e7b72dab6b7793c7df78aba0335cbd067ff0905f0883ddb775d224 |
C:\Users\Admin\AppData\Local\Temp\Prisoner
| MD5 | fa2ad2c0091ba19cbc9339c9e21b76dc |
| SHA1 | dada141a7fe31c487832ae5cae59384df46d3c48 |
| SHA256 | 832347756573f0b1f143d2181716493df078dc19757760fb978f27bbd32db8bd |
| SHA512 | c9bd863138586fc982536fb69bb48ec20d8d68360a31d6985536b073b58f0f7a41449658c6f60491eda6ca51e3cf30e78fb07ad4f1379628d16a18e00be7e7f9 |
C:\Users\Admin\AppData\Local\Temp\Compatible
| MD5 | d6e7ad57b5f8619d610a5a569ee51ba9 |
| SHA1 | 8c0d6c27e640fcee095fc6d3495343523eb57689 |
| SHA256 | e3a992895fb7f239e0641561e40f62b5b42c1f602164f2a1a648b4a747888cb4 |
| SHA512 | 8c392443223ad0b81ce56c749307570081567ec502dc800a6d73e23bb81ced08c8d93a660e6949d3aa20bfbcdad554a47f96b50d0a479bcae57cef1f9f841fd3 |
C:\Users\Admin\AppData\Local\Temp\Merchants
| MD5 | c718448fc0186eaef23c22ecd4538a0f |
| SHA1 | 69eda4415d2c78737821cadf0531f6976a700b08 |
| SHA256 | 8bfd4958ab0465144dc5fae27684ef902389673f812acfbeaf55b114280020af |
| SHA512 | 149d9d90ce4c9b1bfa59d4ce746a710c0b9bac9930eb68224cd6db4522cb2a34ca7fc0ee6c1962624753b11450b9a3b65677d48521b07b50c1bd2576a2cc6bad |
C:\Users\Admin\AppData\Local\Temp\Mcdonald
| MD5 | 8b953b374762bf4bd86ad80f5f2ff8d2 |
| SHA1 | 70952f8c55e815f27ad74ac1c496c6a4c3f5adf1 |
| SHA256 | 232a81b7dc107ed79792d55ef9dfff6e522f429c8c2722e96b1f3444d8070634 |
| SHA512 | 2850db6252fa0e348938aea2f0c3a055bfef936a21b5327605be87e4c17a58ef82ce58577ec2d1978c6744ffee76fe42412eb7854c69806f87d878c7cb25aea0 |
C:\Users\Admin\AppData\Local\Temp\Album
| MD5 | 142a4ccb79b82a8744e9e569ed904a2c |
| SHA1 | e16b56a6e4d4bb01ce7a1cf2eecf30ae8f8ffb4d |
| SHA256 | 8654680a492b898cfa35889bc69f7acf77a817e404f3f05f58ffb73e686b6d23 |
| SHA512 | e148da9a7e01915d54052203601fe248e022956ef5763a931590b66797cb573f5a07f2c12dbe9aa4f2099b11f806c0d2b43b5c073d333dcb36a63c4fc1070496 |
C:\Users\Admin\AppData\Local\Temp\Candidates
| MD5 | 2a3e1a04c3a5a22f5178f6d4bbf13e4b |
| SHA1 | b5ec0c3088fb6af22e65fb4901b44700cc634ba1 |
| SHA256 | 2b07021e5210404f0d4e3c4e74d95d9154a1bd4c67ad4299043528ca0cb9bc87 |
| SHA512 | d369d23861568d1eb6d39874c5dd059586d476a9b98d1c72671f879ae68ec3e75f1c5f98a9126a1427f446dfac17026c24cb4bc424f02f1dec3f48aba2936611 |
C:\Users\Admin\AppData\Local\Temp\Extreme
| MD5 | 06e3e5a58599f58ef3b8ea97b950149a |
| SHA1 | 98478466ae7ae33cbd0e10a3a0f8607c6e0268fb |
| SHA256 | ab684d18f31a2e8893ca337d30ecd697c7c7324e734faf4d1032d49b176e87b0 |
| SHA512 | cb99f29e9442af230e6b5060e2a141177ac949dcd915186bcc24d464d296684dba707b13d15eaa4764bf54818aa57907e06da19abae218de8de5463f8c271d01 |
C:\Users\Admin\AppData\Local\Temp\Dept
| MD5 | 15f9705c945e9540cc821f3ef941d379 |
| SHA1 | 6dd641acccc9d8cd6c9790f60ed4b8525ae48dc7 |
| SHA256 | 832d4fb39077bee580a3c90456f803dcff5627169d87c6a9a0c0b3866e560c13 |
| SHA512 | 80f0d21697997443a5037c2eb90d36cc5820d07649b6b451443bce0019d6f40eb4df685da53577e9d348397f6d2abfd61fa6b3784c0d9f7dc156c37bc2890c6d |
C:\Users\Admin\AppData\Local\Temp\Edmonton
| MD5 | 5d7c20805d320d47ab6ae65794214948 |
| SHA1 | 639809c3442d96a5a20edc8eabd1a6cac2777dbd |
| SHA256 | f896f837e3da1a5f3412789d252adfe0b178e3413d2662a0803de662be967194 |
| SHA512 | 8e4dd5baafef95a07f0f4a24e948693e47a9edbac5b51e9f9c2d3c42c4ccea9a0604c682840d3b034cbc34cc1cc8ca803f4c74c40e39a1eb3492096fe25b6193 |
C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif
| MD5 | 78ba0653a340bac5ff152b21a83626cc |
| SHA1 | b12da9cb5d024555405040e65ad89d16ae749502 |
| SHA256 | 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7 |
| SHA512 | efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317 |
C:\Users\Admin\AppData\Local\Temp\677738\s
| MD5 | dcead7456af51437d621d9e036dc0bfa |
| SHA1 | 3f4bd88fca78b54e7affe7c867a14395e0eb1f45 |
| SHA256 | 32ee510f9a33e6eba1dbac1e65297bbd8473347de7a77073c72e6e60767fad6d |
| SHA512 | 9166d37d921410310e6c4ca9ee673ed449d901dd88d2036936f171cfe86e764b022d6832e029912b2be1b3157d16361b2e2a972ee27135f76d66d43144cc71d9 |