Malware Analysis Report

2024-11-13 19:35

Sample ID 230626-a5daesfd54
Target Trojan.Win32.Agentb.krec-5c97c35e6537283493bb.exe
SHA256 5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
Tags
nullmixer privateloader smokeloader vidar 706 aspackv2 backdoor dropper evasion loader main stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc

Threat Level: Known bad

The file Trojan.Win32.Agentb.krec-5c97c35e6537283493bb.exe was found to be: Known bad.

Malicious Activity Summary

nullmixer privateloader smokeloader vidar 706 aspackv2 backdoor dropper evasion loader main stealer trojan

Modifies Windows Defender Real-time Protection settings

SmokeLoader

Vidar

PrivateLoader

NullMixer

Vidar Stealer

Executes dropped EXE

ASPack v2.12-2.42

Loads dropped DLL

Checks computer location settings

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Modifies system certificate store

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-26 00:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-26 00:47

Reported

2023-06-26 00:49

Platform

win7-20230621-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Agentb.krec-5c97c35e6537283493bb.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18f42bf0e3dedd8c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18f42bf0e3dedd8c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18f42bf0e3dedd8c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18f42bf0e3dedd8c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18f42bf0e3dedd8c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18f42bf0e3dedd8c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18f42bf0e3dedd8c.exe N/A

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Vidar Stealer

stealer
Description Indicator Process Target

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Agentb.krec-5c97c35e6537283493bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18573f94dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18573f94dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18573f94dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18573f94dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18573f94dd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18373e6fac988e1fd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18373e6fac988e1fd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu185cfab8a1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu185cfab8a1.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18f42bf0e3dedd8c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18f42bf0e3dedd8c.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18373e6fac988e1fd.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18373e6fac988e1fd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18373e6fac988e1fd.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18ff146cab.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18ff146cab.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18ff146cab.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18373e6fac988e1fd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18373e6fac988e1fd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18373e6fac988e1fd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu189295986a7df934.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18ff146cab.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18fd253544aed.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Agentb.krec-5c97c35e6537283493bb.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1376 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Agentb.krec-5c97c35e6537283493bb.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1376 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Agentb.krec-5c97c35e6537283493bb.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1376 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Agentb.krec-5c97c35e6537283493bb.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1376 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Agentb.krec-5c97c35e6537283493bb.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1376 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Agentb.krec-5c97c35e6537283493bb.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1376 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Agentb.krec-5c97c35e6537283493bb.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1064 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe
PID 1064 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe
PID 1064 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe
PID 1064 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe
PID 1064 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe
PID 1064 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe
PID 1064 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe
PID 1496 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Agentb.krec-5c97c35e6537283493bb.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Agentb.krec-5c97c35e6537283493bb.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu18573f94dd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu18373e6fac988e1fd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu185cfab8a1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu18ede124d8468708.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu18fd253544aed.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu18f42bf0e3dedd8c.exe

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18573f94dd.exe

Thu18573f94dd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu18ff146cab.exe

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18573f94dd.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18573f94dd.exe" -a

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu189295986a7df934.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18373e6fac988e1fd.exe

Thu18373e6fac988e1fd.exe

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18ff146cab.exe

Thu18ff146cab.exe

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu189295986a7df934.exe

Thu189295986a7df934.exe

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18f42bf0e3dedd8c.exe

Thu18f42bf0e3dedd8c.exe

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18fd253544aed.exe

Thu18fd253544aed.exe

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu185cfab8a1.exe

Thu185cfab8a1.exe

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18ede124d8468708.exe

Thu18ede124d8468708.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 1444

Network

Country Destination Domain Proto
DE 91.195.240.135:443 live.goatgame.live tcp
DE 91.195.240.135:443 live.goatgame.live tcp
DE 91.195.240.135:443 live.goatgame.live tcp
DE 91.195.240.135:443 live.goatgame.live tcp
DE 91.195.240.135:443 live.goatgame.live tcp
DE 91.195.240.135:443 live.goatgame.live tcp
DE 91.195.240.135:443 live.goatgame.live tcp
DE 91.195.240.135:443 live.goatgame.live tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
DE 91.195.240.135:443 live.goatgame.live tcp
DE 91.195.240.135:443 live.goatgame.live tcp
DE 91.195.240.135:443 live.goatgame.live tcp
DE 91.195.240.135:443 live.goatgame.live tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
DE 91.195.240.135:443 live.goatgame.live tcp
DE 91.195.240.135:443 live.goatgame.live tcp
DE 91.195.240.135:443 live.goatgame.live tcp
DE 91.195.240.135:443 live.goatgame.live tcp
DE 91.195.240.135:443 live.goatgame.live tcp

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 05d543376b2739fe3daafaf2a6cb5bf7
SHA1 0891ee47920780b13920ce41e0fa87f544de53a3
SHA256 53b55897c12afc0c1f45b292ad8f2d9712705fea7fd487f9e649c49e77ce4b50
SHA512 8a75ff2b2d19a4e3cfefd14d05b3acc487b6235d2fb665c8d80648bf06260babdc91d5248447891b2101c8d2fe5693397bb21195362360dbd0e264a924712bfa

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 05d543376b2739fe3daafaf2a6cb5bf7
SHA1 0891ee47920780b13920ce41e0fa87f544de53a3
SHA256 53b55897c12afc0c1f45b292ad8f2d9712705fea7fd487f9e649c49e77ce4b50
SHA512 8a75ff2b2d19a4e3cfefd14d05b3acc487b6235d2fb665c8d80648bf06260babdc91d5248447891b2101c8d2fe5693397bb21195362360dbd0e264a924712bfa

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 05d543376b2739fe3daafaf2a6cb5bf7
SHA1 0891ee47920780b13920ce41e0fa87f544de53a3
SHA256 53b55897c12afc0c1f45b292ad8f2d9712705fea7fd487f9e649c49e77ce4b50
SHA512 8a75ff2b2d19a4e3cfefd14d05b3acc487b6235d2fb665c8d80648bf06260babdc91d5248447891b2101c8d2fe5693397bb21195362360dbd0e264a924712bfa

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 05d543376b2739fe3daafaf2a6cb5bf7
SHA1 0891ee47920780b13920ce41e0fa87f544de53a3
SHA256 53b55897c12afc0c1f45b292ad8f2d9712705fea7fd487f9e649c49e77ce4b50
SHA512 8a75ff2b2d19a4e3cfefd14d05b3acc487b6235d2fb665c8d80648bf06260babdc91d5248447891b2101c8d2fe5693397bb21195362360dbd0e264a924712bfa

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 05d543376b2739fe3daafaf2a6cb5bf7
SHA1 0891ee47920780b13920ce41e0fa87f544de53a3
SHA256 53b55897c12afc0c1f45b292ad8f2d9712705fea7fd487f9e649c49e77ce4b50
SHA512 8a75ff2b2d19a4e3cfefd14d05b3acc487b6235d2fb665c8d80648bf06260babdc91d5248447891b2101c8d2fe5693397bb21195362360dbd0e264a924712bfa

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 05d543376b2739fe3daafaf2a6cb5bf7
SHA1 0891ee47920780b13920ce41e0fa87f544de53a3
SHA256 53b55897c12afc0c1f45b292ad8f2d9712705fea7fd487f9e649c49e77ce4b50
SHA512 8a75ff2b2d19a4e3cfefd14d05b3acc487b6235d2fb665c8d80648bf06260babdc91d5248447891b2101c8d2fe5693397bb21195362360dbd0e264a924712bfa

\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe

MD5 4aa835f8927dbf4544dbc38295d54266
SHA1 98a8e4dacb725820d5c65cdf83990aabf8da9024
SHA256 28b70d0cab3e1121eb047989b7501a21ea5c37f5f009baaaf3b3adf59cb37b63
SHA512 e9d140a6686115315dbf5e914b2c335cf5ca1f11aa7b9b2633763b16be8f30e9eec09cf7c793dd2611282350a4dffa5637d134ef646222df5ea3ad1632ba4b4a

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe

MD5 4aa835f8927dbf4544dbc38295d54266
SHA1 98a8e4dacb725820d5c65cdf83990aabf8da9024
SHA256 28b70d0cab3e1121eb047989b7501a21ea5c37f5f009baaaf3b3adf59cb37b63
SHA512 e9d140a6686115315dbf5e914b2c335cf5ca1f11aa7b9b2633763b16be8f30e9eec09cf7c793dd2611282350a4dffa5637d134ef646222df5ea3ad1632ba4b4a

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe

MD5 4aa835f8927dbf4544dbc38295d54266
SHA1 98a8e4dacb725820d5c65cdf83990aabf8da9024
SHA256 28b70d0cab3e1121eb047989b7501a21ea5c37f5f009baaaf3b3adf59cb37b63
SHA512 e9d140a6686115315dbf5e914b2c335cf5ca1f11aa7b9b2633763b16be8f30e9eec09cf7c793dd2611282350a4dffa5637d134ef646222df5ea3ad1632ba4b4a

\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe

MD5 4aa835f8927dbf4544dbc38295d54266
SHA1 98a8e4dacb725820d5c65cdf83990aabf8da9024
SHA256 28b70d0cab3e1121eb047989b7501a21ea5c37f5f009baaaf3b3adf59cb37b63
SHA512 e9d140a6686115315dbf5e914b2c335cf5ca1f11aa7b9b2633763b16be8f30e9eec09cf7c793dd2611282350a4dffa5637d134ef646222df5ea3ad1632ba4b4a

\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe

MD5 4aa835f8927dbf4544dbc38295d54266
SHA1 98a8e4dacb725820d5c65cdf83990aabf8da9024
SHA256 28b70d0cab3e1121eb047989b7501a21ea5c37f5f009baaaf3b3adf59cb37b63
SHA512 e9d140a6686115315dbf5e914b2c335cf5ca1f11aa7b9b2633763b16be8f30e9eec09cf7c793dd2611282350a4dffa5637d134ef646222df5ea3ad1632ba4b4a

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

\Users\Admin\AppData\Local\Temp\7zS8248330C\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zS8248330C\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zS8248330C\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

\Users\Admin\AppData\Local\Temp\7zS8248330C\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS8248330C\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe

MD5 4aa835f8927dbf4544dbc38295d54266
SHA1 98a8e4dacb725820d5c65cdf83990aabf8da9024
SHA256 28b70d0cab3e1121eb047989b7501a21ea5c37f5f009baaaf3b3adf59cb37b63
SHA512 e9d140a6686115315dbf5e914b2c335cf5ca1f11aa7b9b2633763b16be8f30e9eec09cf7c793dd2611282350a4dffa5637d134ef646222df5ea3ad1632ba4b4a

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe

MD5 4aa835f8927dbf4544dbc38295d54266
SHA1 98a8e4dacb725820d5c65cdf83990aabf8da9024
SHA256 28b70d0cab3e1121eb047989b7501a21ea5c37f5f009baaaf3b3adf59cb37b63
SHA512 e9d140a6686115315dbf5e914b2c335cf5ca1f11aa7b9b2633763b16be8f30e9eec09cf7c793dd2611282350a4dffa5637d134ef646222df5ea3ad1632ba4b4a

\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe

MD5 4aa835f8927dbf4544dbc38295d54266
SHA1 98a8e4dacb725820d5c65cdf83990aabf8da9024
SHA256 28b70d0cab3e1121eb047989b7501a21ea5c37f5f009baaaf3b3adf59cb37b63
SHA512 e9d140a6686115315dbf5e914b2c335cf5ca1f11aa7b9b2633763b16be8f30e9eec09cf7c793dd2611282350a4dffa5637d134ef646222df5ea3ad1632ba4b4a

\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe

MD5 4aa835f8927dbf4544dbc38295d54266
SHA1 98a8e4dacb725820d5c65cdf83990aabf8da9024
SHA256 28b70d0cab3e1121eb047989b7501a21ea5c37f5f009baaaf3b3adf59cb37b63
SHA512 e9d140a6686115315dbf5e914b2c335cf5ca1f11aa7b9b2633763b16be8f30e9eec09cf7c793dd2611282350a4dffa5637d134ef646222df5ea3ad1632ba4b4a

memory/1496-118-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1496-119-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1496-120-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1496-121-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1496-123-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1496-122-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1496-124-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1496-125-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1496-126-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1496-127-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1496-129-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1496-128-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18573f94dd.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18ede124d8468708.exe

MD5 0a0d22f1c9179a67d04166de0db02dbb
SHA1 106e55bd898b5574f9bd33dac9f3c0b95cecd90d
SHA256 a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac
SHA512 8abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18373e6fac988e1fd.exe

MD5 5f0707404c2cbb84dfed31d716934010
SHA1 b143d1bb5a1d28fec5decae7152bc4195d452782
SHA256 477f0af44e919e1d977f127a7c9fc63bdf6f2bbc46423611ac6c41688c299acf
SHA512 a7dd5c3d6c00e9b52699cd358a266d0e08aaa8ea71947bfcccb2ee4c554f26216807e0a685881a8b17d5a4f15366f5bb129e944714f20d7669bd12a79a60128a

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu185cfab8a1.exe

MD5 b1a437a7d8cb5e0df6593590465b95de
SHA1 982dd75cff6fd982f70e8af880deff24b32a62a7
SHA256 aad9cc26769586cfc75fda04e348a51310c9aefc78fb3e0fb663ef872d53052e
SHA512 61ab228bfca510344a409ecc1bdac4b89a7037d5f85fb24c706f1fd61a552ac7dd776a185dc13dadb89248e7586eb643182acc6d12383232d481bddffd72d1c8

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18f42bf0e3dedd8c.exe

MD5 05a0baf55450d99cb0fa0ee652e2cd0c
SHA1 e7334de04c18c241a091c3327cdcd56e85cc6baf
SHA256 4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c
SHA512 b6d1fc00d7b076068b0879fa4d29b68d3054b5fca24edd5852077bf34d37c43e79cb74fda9c45014610b317d57d70369a3e197784c04bc3c6eac5e1ea9a64fff

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18ff146cab.exe

MD5 951aaadbe4e0e39a7ab8f703694e887c
SHA1 c555b3a6701ada68cfd6d02c4bf0bc08ff73810e
SHA256 5a2934ac710f5995c112da4a32fde9d3de7d9ed3ea0ac5b18a22423d280b5c6d
SHA512 56a605bf8a2f2d1a5068f238578f991f44497755297a44e4fc4dad78c2c7d49e52d43979fb0f28a9af0513292da4a747beeb337edd156139a97f597ce23666d9

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18573f94dd.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18573f94dd.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18573f94dd.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18fd253544aed.exe

MD5 f994e0fe5d9442bb6acc18855fea2f32
SHA1 dd5e4830a6c9e67f23c818baadade7ee18e0c72c
SHA256 1f415ba6299b928a8c28e3223b4376f9d06673b65f0921edb23c1b63e5518bf4
SHA512 38a8af841dbd97c2138c5200d656b25b5eed8738049a7c92f745a810bb15f21f8d3d50c68fe18a9562bb7b0cb81da1d71310c7513eb9de9a7c2f63fb8e9f51c3

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18573f94dd.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu189295986a7df934.exe

MD5 de595e972bd04cf93648de130f5fb50d
SHA1 4c05d7c87aa6f95a95709e633f97c715962a52c4
SHA256 ed6d502c7c263fd9bd28324f68b287aea158203d0c5154ca07a9bcd059aa2980
SHA512 1f4b6c60c78fe9e4a616d6d1a71a9870905ef1aadebd26cf35eac87e10be79db5f7cecdef9d835639b50f7394b6fce9285ff39a8d239768532ba7ed6c7cfdb99

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18573f94dd.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18573f94dd.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18573f94dd.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18373e6fac988e1fd.exe

MD5 5f0707404c2cbb84dfed31d716934010
SHA1 b143d1bb5a1d28fec5decae7152bc4195d452782
SHA256 477f0af44e919e1d977f127a7c9fc63bdf6f2bbc46423611ac6c41688c299acf
SHA512 a7dd5c3d6c00e9b52699cd358a266d0e08aaa8ea71947bfcccb2ee4c554f26216807e0a685881a8b17d5a4f15366f5bb129e944714f20d7669bd12a79a60128a

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18373e6fac988e1fd.exe

MD5 5f0707404c2cbb84dfed31d716934010
SHA1 b143d1bb5a1d28fec5decae7152bc4195d452782
SHA256 477f0af44e919e1d977f127a7c9fc63bdf6f2bbc46423611ac6c41688c299acf
SHA512 a7dd5c3d6c00e9b52699cd358a266d0e08aaa8ea71947bfcccb2ee4c554f26216807e0a685881a8b17d5a4f15366f5bb129e944714f20d7669bd12a79a60128a

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18373e6fac988e1fd.exe

MD5 5f0707404c2cbb84dfed31d716934010
SHA1 b143d1bb5a1d28fec5decae7152bc4195d452782
SHA256 477f0af44e919e1d977f127a7c9fc63bdf6f2bbc46423611ac6c41688c299acf
SHA512 a7dd5c3d6c00e9b52699cd358a266d0e08aaa8ea71947bfcccb2ee4c554f26216807e0a685881a8b17d5a4f15366f5bb129e944714f20d7669bd12a79a60128a

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18373e6fac988e1fd.exe

MD5 5f0707404c2cbb84dfed31d716934010
SHA1 b143d1bb5a1d28fec5decae7152bc4195d452782
SHA256 477f0af44e919e1d977f127a7c9fc63bdf6f2bbc46423611ac6c41688c299acf
SHA512 a7dd5c3d6c00e9b52699cd358a266d0e08aaa8ea71947bfcccb2ee4c554f26216807e0a685881a8b17d5a4f15366f5bb129e944714f20d7669bd12a79a60128a

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18373e6fac988e1fd.exe

MD5 5f0707404c2cbb84dfed31d716934010
SHA1 b143d1bb5a1d28fec5decae7152bc4195d452782
SHA256 477f0af44e919e1d977f127a7c9fc63bdf6f2bbc46423611ac6c41688c299acf
SHA512 a7dd5c3d6c00e9b52699cd358a266d0e08aaa8ea71947bfcccb2ee4c554f26216807e0a685881a8b17d5a4f15366f5bb129e944714f20d7669bd12a79a60128a

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu185cfab8a1.exe

MD5 b1a437a7d8cb5e0df6593590465b95de
SHA1 982dd75cff6fd982f70e8af880deff24b32a62a7
SHA256 aad9cc26769586cfc75fda04e348a51310c9aefc78fb3e0fb663ef872d53052e
SHA512 61ab228bfca510344a409ecc1bdac4b89a7037d5f85fb24c706f1fd61a552ac7dd776a185dc13dadb89248e7586eb643182acc6d12383232d481bddffd72d1c8

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu185cfab8a1.exe

MD5 b1a437a7d8cb5e0df6593590465b95de
SHA1 982dd75cff6fd982f70e8af880deff24b32a62a7
SHA256 aad9cc26769586cfc75fda04e348a51310c9aefc78fb3e0fb663ef872d53052e
SHA512 61ab228bfca510344a409ecc1bdac4b89a7037d5f85fb24c706f1fd61a552ac7dd776a185dc13dadb89248e7586eb643182acc6d12383232d481bddffd72d1c8

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu185cfab8a1.exe

MD5 b1a437a7d8cb5e0df6593590465b95de
SHA1 982dd75cff6fd982f70e8af880deff24b32a62a7
SHA256 aad9cc26769586cfc75fda04e348a51310c9aefc78fb3e0fb663ef872d53052e
SHA512 61ab228bfca510344a409ecc1bdac4b89a7037d5f85fb24c706f1fd61a552ac7dd776a185dc13dadb89248e7586eb643182acc6d12383232d481bddffd72d1c8

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18fd253544aed.exe

MD5 f994e0fe5d9442bb6acc18855fea2f32
SHA1 dd5e4830a6c9e67f23c818baadade7ee18e0c72c
SHA256 1f415ba6299b928a8c28e3223b4376f9d06673b65f0921edb23c1b63e5518bf4
SHA512 38a8af841dbd97c2138c5200d656b25b5eed8738049a7c92f745a810bb15f21f8d3d50c68fe18a9562bb7b0cb81da1d71310c7513eb9de9a7c2f63fb8e9f51c3

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18ede124d8468708.exe

MD5 0a0d22f1c9179a67d04166de0db02dbb
SHA1 106e55bd898b5574f9bd33dac9f3c0b95cecd90d
SHA256 a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac
SHA512 8abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18ff146cab.exe

MD5 951aaadbe4e0e39a7ab8f703694e887c
SHA1 c555b3a6701ada68cfd6d02c4bf0bc08ff73810e
SHA256 5a2934ac710f5995c112da4a32fde9d3de7d9ed3ea0ac5b18a22423d280b5c6d
SHA512 56a605bf8a2f2d1a5068f238578f991f44497755297a44e4fc4dad78c2c7d49e52d43979fb0f28a9af0513292da4a747beeb337edd156139a97f597ce23666d9

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu189295986a7df934.exe

MD5 de595e972bd04cf93648de130f5fb50d
SHA1 4c05d7c87aa6f95a95709e633f97c715962a52c4
SHA256 ed6d502c7c263fd9bd28324f68b287aea158203d0c5154ca07a9bcd059aa2980
SHA512 1f4b6c60c78fe9e4a616d6d1a71a9870905ef1aadebd26cf35eac87e10be79db5f7cecdef9d835639b50f7394b6fce9285ff39a8d239768532ba7ed6c7cfdb99

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu189295986a7df934.exe

MD5 de595e972bd04cf93648de130f5fb50d
SHA1 4c05d7c87aa6f95a95709e633f97c715962a52c4
SHA256 ed6d502c7c263fd9bd28324f68b287aea158203d0c5154ca07a9bcd059aa2980
SHA512 1f4b6c60c78fe9e4a616d6d1a71a9870905ef1aadebd26cf35eac87e10be79db5f7cecdef9d835639b50f7394b6fce9285ff39a8d239768532ba7ed6c7cfdb99

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18ff146cab.exe

MD5 951aaadbe4e0e39a7ab8f703694e887c
SHA1 c555b3a6701ada68cfd6d02c4bf0bc08ff73810e
SHA256 5a2934ac710f5995c112da4a32fde9d3de7d9ed3ea0ac5b18a22423d280b5c6d
SHA512 56a605bf8a2f2d1a5068f238578f991f44497755297a44e4fc4dad78c2c7d49e52d43979fb0f28a9af0513292da4a747beeb337edd156139a97f597ce23666d9

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu185cfab8a1.exe

MD5 b1a437a7d8cb5e0df6593590465b95de
SHA1 982dd75cff6fd982f70e8af880deff24b32a62a7
SHA256 aad9cc26769586cfc75fda04e348a51310c9aefc78fb3e0fb663ef872d53052e
SHA512 61ab228bfca510344a409ecc1bdac4b89a7037d5f85fb24c706f1fd61a552ac7dd776a185dc13dadb89248e7586eb643182acc6d12383232d481bddffd72d1c8

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18f42bf0e3dedd8c.exe

MD5 05a0baf55450d99cb0fa0ee652e2cd0c
SHA1 e7334de04c18c241a091c3327cdcd56e85cc6baf
SHA256 4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c
SHA512 b6d1fc00d7b076068b0879fa4d29b68d3054b5fca24edd5852077bf34d37c43e79cb74fda9c45014610b317d57d70369a3e197784c04bc3c6eac5e1ea9a64fff

memory/1376-168-0x00000000001E0000-0x00000000001E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18f42bf0e3dedd8c.exe

MD5 05a0baf55450d99cb0fa0ee652e2cd0c
SHA1 e7334de04c18c241a091c3327cdcd56e85cc6baf
SHA256 4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c
SHA512 b6d1fc00d7b076068b0879fa4d29b68d3054b5fca24edd5852077bf34d37c43e79cb74fda9c45014610b317d57d70369a3e197784c04bc3c6eac5e1ea9a64fff

memory/1768-173-0x00000000046B0000-0x000000000474D000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18f42bf0e3dedd8c.exe

MD5 05a0baf55450d99cb0fa0ee652e2cd0c
SHA1 e7334de04c18c241a091c3327cdcd56e85cc6baf
SHA256 4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c
SHA512 b6d1fc00d7b076068b0879fa4d29b68d3054b5fca24edd5852077bf34d37c43e79cb74fda9c45014610b317d57d70369a3e197784c04bc3c6eac5e1ea9a64fff

memory/1436-174-0x00000000002A0000-0x00000000002A9000-memory.dmp

memory/1072-170-0x0000000000E90000-0x0000000000E98000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18f42bf0e3dedd8c.exe

MD5 05a0baf55450d99cb0fa0ee652e2cd0c
SHA1 e7334de04c18c241a091c3327cdcd56e85cc6baf
SHA256 4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c
SHA512 b6d1fc00d7b076068b0879fa4d29b68d3054b5fca24edd5852077bf34d37c43e79cb74fda9c45014610b317d57d70369a3e197784c04bc3c6eac5e1ea9a64fff

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu185cfab8a1.exe

MD5 b1a437a7d8cb5e0df6593590465b95de
SHA1 982dd75cff6fd982f70e8af880deff24b32a62a7
SHA256 aad9cc26769586cfc75fda04e348a51310c9aefc78fb3e0fb663ef872d53052e
SHA512 61ab228bfca510344a409ecc1bdac4b89a7037d5f85fb24c706f1fd61a552ac7dd776a185dc13dadb89248e7586eb643182acc6d12383232d481bddffd72d1c8

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18fd253544aed.exe

MD5 f994e0fe5d9442bb6acc18855fea2f32
SHA1 dd5e4830a6c9e67f23c818baadade7ee18e0c72c
SHA256 1f415ba6299b928a8c28e3223b4376f9d06673b65f0921edb23c1b63e5518bf4
SHA512 38a8af841dbd97c2138c5200d656b25b5eed8738049a7c92f745a810bb15f21f8d3d50c68fe18a9562bb7b0cb81da1d71310c7513eb9de9a7c2f63fb8e9f51c3

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18573f94dd.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

memory/1764-175-0x0000000000A20000-0x0000000000A4C000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS8248330C\Thu18573f94dd.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

memory/1764-185-0x0000000000140000-0x0000000000146000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2A10.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\Tar2A51.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

memory/1764-203-0x0000000000150000-0x0000000000170000-memory.dmp

memory/1764-204-0x0000000000380000-0x0000000000386000-memory.dmp

memory/2024-251-0x0000000002810000-0x0000000002850000-memory.dmp

memory/1072-252-0x0000000000450000-0x00000000004D0000-memory.dmp

memory/1376-253-0x000000001B190000-0x000000001B210000-memory.dmp

memory/2024-262-0x0000000002810000-0x0000000002850000-memory.dmp

memory/1764-263-0x000000001AF20000-0x000000001AFA0000-memory.dmp

memory/2024-264-0x0000000002810000-0x0000000002850000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe

MD5 4aa835f8927dbf4544dbc38295d54266
SHA1 98a8e4dacb725820d5c65cdf83990aabf8da9024
SHA256 28b70d0cab3e1121eb047989b7501a21ea5c37f5f009baaaf3b3adf59cb37b63
SHA512 e9d140a6686115315dbf5e914b2c335cf5ca1f11aa7b9b2633763b16be8f30e9eec09cf7c793dd2611282350a4dffa5637d134ef646222df5ea3ad1632ba4b4a

\Users\Admin\AppData\Local\Temp\7zS8248330C\setup_install.exe

MD5 4aa835f8927dbf4544dbc38295d54266
SHA1 98a8e4dacb725820d5c65cdf83990aabf8da9024
SHA256 28b70d0cab3e1121eb047989b7501a21ea5c37f5f009baaaf3b3adf59cb37b63
SHA512 e9d140a6686115315dbf5e914b2c335cf5ca1f11aa7b9b2633763b16be8f30e9eec09cf7c793dd2611282350a4dffa5637d134ef646222df5ea3ad1632ba4b4a

memory/1296-655-0x0000000002AE0000-0x0000000002AF5000-memory.dmp

memory/1436-667-0x00000000002A0000-0x00000000002A9000-memory.dmp

memory/1436-664-0x0000000000400000-0x0000000002CBB000-memory.dmp

memory/1496-686-0x0000000000400000-0x000000000051B000-memory.dmp

memory/1496-688-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1496-689-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1496-690-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1496-691-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/1496-692-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1768-702-0x0000000000400000-0x0000000002D17000-memory.dmp

memory/1768-762-0x00000000046B0000-0x000000000474D000-memory.dmp

memory/1072-764-0x0000000000450000-0x00000000004D0000-memory.dmp

memory/1376-765-0x000000001B190000-0x000000001B210000-memory.dmp

memory/1880-2408-0x0000000003F80000-0x00000000041D4000-memory.dmp

memory/1880-2409-0x0000000003F80000-0x00000000041D4000-memory.dmp

memory/1880-2418-0x0000000003F80000-0x00000000041D4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-26 00:47

Reported

2023-06-26 00:49

Platform

win10v2004-20230621-en

Max time kernel

64s

Max time network

66s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Agentb.krec-5c97c35e6537283493bb.exe"

Signatures

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18573f94dd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Agentb.krec-5c97c35e6537283493bb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Program crash

Thu185cfab8a1.exe (PID 1664 in the WerFault command lines under Processes) produced 16 crash reports in this run. A payload that crash-loops this quickly is commonly failing an environment check or missing a dependency in the sandbox, so its behaviour in this report should not be taken as complete.

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSC1072366\setup_install.exe (1 crash report)
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu185cfab8a1.exe (16 crash reports)
N/A N/A C:\Windows\system32\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18ede124d8468708.exe (1 crash report)

Checks SCSI registry key(s)

Subkey names under SYSTEM\ControlSet001\Enum\SCSI embed the disk vendor and model strings, so enumerating this key is a cheap way to spot hypervisor disks (VMware, VirtualBox, QEMU). Together with "Enumerates physical storage devices" above, this is a common sandbox-evasion check.

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18373e6fac988e1fd.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18373e6fac988e1fd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18373e6fac988e1fd.exe N/A

Script User-Agent

Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) is the default User-Agent of the WinHttp.WinHttpRequest COM object, so these requests were issued through that object rather than by a browser. The string is stable across samples and cheap to match in proxy logs, but it also appears in legitimate scripts, so correlate it with the destination.

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A (5 requests)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18373e6fac988e1fd.exe N/A (2 hits)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (3 hits)
N/A N/A N/A N/A (59 further hits with no process recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18373e6fac988e1fd.exe N/A

Suspicious use of AdjustPrivilegeToken

SeDebugPrivilege lets a process open and write to processes it does not own, which is the prerequisite for injecting into them; three of the dropped payloads and the PowerShell instance enable it here. The SeShutdownPrivilege/SeCreatePagefilePrivilege pairs below carry no process attribution in this report.

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18ff146cab.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu189295986a7df934.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18fd253544aed.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A (11 hits)
Token: SeCreatePagefilePrivilege N/A N/A N/A (11 hits)

Suspicious use of WriteProcessMemory

Every row below pairs a parent with a child it launched (the same pairs appear in the Processes list), so this table doubles as the detonation's process tree: the sample drops setup_installer.exe, which runs setup_install.exe, which starts nine cmd.exe instances, eight launching one dropped payload each and one launching the Defender-exclusion PowerShell. Thu18573f94dd.exe additionally re-executes itself.

Description Indicator Process Target
PID 5084 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Agentb.krec-5c97c35e6537283493bb.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe (3 writes)
PID 4124 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC1072366\setup_install.exe (3 writes)
PID 2968 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1072366\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 writes)
PID 2968 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1072366\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 writes)
PID 2968 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1072366\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 writes)
PID 2968 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1072366\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 writes)
PID 2968 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1072366\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 writes)
PID 2968 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1072366\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 writes)
PID 2968 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1072366\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 writes)
PID 2968 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1072366\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 writes)
PID 2968 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1072366\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3 writes)
PID 4864 wrote to memory of 3312 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18ff146cab.exe (2 writes)
PID 4292 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu185cfab8a1.exe (3 writes)
PID 3100 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18fd253544aed.exe (2 writes)
PID 1804 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18573f94dd.exe (3 writes)
PID 4312 wrote to memory of 4540 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18373e6fac988e1fd.exe (3 writes)
PID 956 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu189295986a7df934.exe (2 writes)
PID 4664 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18ede124d8468708.exe (2 writes)
PID 3240 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18f42bf0e3dedd8c.exe (3 writes)
PID 3432 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 writes)
PID 1648 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18573f94dd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18573f94dd.exe (3 writes)

Processes

C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Agentb.krec-5c97c35e6537283493bb.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Agentb.krec-5c97c35e6537283493bb.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC1072366\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu189295986a7df934.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu189295986a7df934.exe

Thu189295986a7df934.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2968 -ip 2968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18f42bf0e3dedd8c.exe

Thu18f42bf0e3dedd8c.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18ede124d8468708.exe

Thu18ede124d8468708.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18373e6fac988e1fd.exe

Thu18373e6fac988e1fd.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18573f94dd.exe

Thu18573f94dd.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18fd253544aed.exe

Thu18fd253544aed.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu185cfab8a1.exe

Thu185cfab8a1.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18ff146cab.exe

Thu18ff146cab.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu18fd253544aed.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu18f42bf0e3dedd8c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu18ff146cab.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu185cfab8a1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu18ede124d8468708.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu18373e6fac988e1fd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Thu18573f94dd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 556

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18573f94dd.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18573f94dd.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1832

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 544 -p 4508 -ip 4508

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4508 -s 1772
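
The script below is an added example (not part of the sandbox report) that turns the tables above into something a responder can read at a glance: it rebuilds the process tree from the WriteProcessMemory parent/child rows, counts WerFault crash reports per PID from the command lines, and flags the powershell Add-MpPreference -ExclusionPath line, which exempts the whole C:\Users\Admin\AppData\Local\Temp tree (where every payload is dropped) from Defender's real-time scanning. The embedded rows are copied from this report with image paths shortened to basenames; the WerFault lines are a subset (the full list has 16 reports for PID 1664). Treating each -pss/-u pair as a single crash is an assumption drawn from the pairing visible in the Processes list.

```python
import re
from collections import Counter, defaultdict

# Distinct parent->child rows from the "Suspicious use of WriteProcessMemory" table
# above, image paths shortened to basenames (the report repeats each row once per
# write; one copy per pair is kept here).
WRITE_ROWS = """\
PID 5084 wrote to memory of 4124 N/A Trojan.Win32.Agentb.krec-5c97c35e6537283493bb.exe setup_installer.exe
PID 4124 wrote to memory of 2968 N/A setup_installer.exe setup_install.exe
PID 2968 wrote to memory of 3432 N/A setup_install.exe cmd.exe
PID 2968 wrote to memory of 1804 N/A setup_install.exe cmd.exe
PID 2968 wrote to memory of 4312 N/A setup_install.exe cmd.exe
PID 2968 wrote to memory of 4664 N/A setup_install.exe cmd.exe
PID 2968 wrote to memory of 4292 N/A setup_install.exe cmd.exe
PID 2968 wrote to memory of 4864 N/A setup_install.exe cmd.exe
PID 2968 wrote to memory of 3240 N/A setup_install.exe cmd.exe
PID 2968 wrote to memory of 3100 N/A setup_install.exe cmd.exe
PID 2968 wrote to memory of 956 N/A setup_install.exe cmd.exe
PID 4864 wrote to memory of 3312 N/A cmd.exe Thu18ff146cab.exe
PID 4292 wrote to memory of 1664 N/A cmd.exe Thu185cfab8a1.exe
PID 3100 wrote to memory of 4308 N/A cmd.exe Thu18fd253544aed.exe
PID 1804 wrote to memory of 1648 N/A cmd.exe Thu18573f94dd.exe
PID 4312 wrote to memory of 4540 N/A cmd.exe Thu18373e6fac988e1fd.exe
PID 956 wrote to memory of 5052 N/A cmd.exe Thu189295986a7df934.exe
PID 4664 wrote to memory of 4508 N/A cmd.exe Thu18ede124d8468708.exe
PID 3240 wrote to memory of 3560 N/A cmd.exe Thu18f42bf0e3dedd8c.exe
PID 3432 wrote to memory of 5064 N/A cmd.exe powershell.exe
PID 1648 wrote to memory of 1692 N/A Thu18573f94dd.exe Thu18573f94dd.exe
"""

# A subset of the command lines from the Processes list above (the full list has
# 16 WerFault pairs for PID 1664; two are enough to show the counting).
CMDLINES = r"""
C:\Windows\system32\cmd.exe /c Thu189295986a7df934.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2968 -ip 2968
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 556
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1664 -ip 1664
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 824
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1664 -ip 1664
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 832
C:\Windows\system32\WerFault.exe -pss -s 544 -p 4508 -ip 4508
C:\Windows\system32\WerFault.exe -u -p 4508 -s 1772
"""

EDGE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")
WERFAULT_RE = re.compile(r"WerFault\.exe (-pss|-u) .*?-p (\d+)")
# Defender path exclusion; -ExclusionPath is the parameter that disables scanning.
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*-ExclusionPath\b", re.IGNORECASE)


def parse_edges(rows):
    """Return ({pid: image}, {parent_pid: [child_pids]}) with one edge per pair."""
    image, children, seen = {}, defaultdict(list), set()
    for line in rows.splitlines():
        m = EDGE_RE.match(line)
        if not m:
            continue
        ppid, cpid = int(m[1]), int(m[2])
        image.setdefault(ppid, m[3])
        image.setdefault(cpid, m[4])
        if (ppid, cpid) not in seen:
            seen.add((ppid, cpid))
            children[ppid].append(cpid)
    return image, children


def roots(image, children):
    """PIDs that are never a child: the detonation's entry point(s)."""
    child_pids = {c for cs in children.values() for c in cs}
    return sorted(p for p in image if p not in child_pids)


def count_crashes(cmdlines):
    """Crash reports per PID. WerFault runs twice per crash (a -pss snapshot call,
    then a -u reporting call, as the paired lines above show), so only -u counts."""
    counts = Counter()
    for line in cmdlines.splitlines():
        m = WERFAULT_RE.search(line)
        if m and m[1] == "-u":
            counts[int(m[2])] += 1
    return counts


def defender_exclusions(cmdlines):
    """Command lines that add a Defender exclusion, the loader's AV-evasion step."""
    return [l for l in cmdlines.splitlines() if EXCLUSION_RE.search(l)]


def render(image, children, crashes, pid, depth=0, out=None):
    """Indented tree with crash counts attached to the PIDs WerFault reported on."""
    out = [] if out is None else out
    tag = f"  [crashed x{crashes[pid]}]" if crashes.get(pid) else ""
    out.append(f"{'  ' * depth}{pid} {image[pid]}{tag}")
    for child in children.get(pid, []):
        render(image, children, crashes, child, depth + 1, out)
    return out


if __name__ == "__main__":
    image, children = parse_edges(WRITE_ROWS)
    crashes = count_crashes(CMDLINES)
    for root in roots(image, children):
        print("\n".join(render(image, children, crashes, root)))
    for line in defender_exclusions(CMDLINES):
        print("DEFENDER EXCLUSION:", line)
```

The exclusion line is flagged twice because the report lists both the cmd.exe wrapper and the PowerShell child; in an EDR this is the same event seen at two process levels, and the PowerShell one is the one to alert on, since the cmd.exe /c wrapper is how every child in this tree is launched.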

Network

Country Destination Domain Proto
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 hsiens.xyz udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 one-wedding-film.xyz udp
US 8.8.8.8:53 getonlinewoostudio.xyz udp
US 8.8.8.8:53 w0rkinginstanc3.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 2no.co udp
DE 148.251.234.93:443 2no.co tcp
DE 91.195.240.135:443 live.goatgame.live tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 135.240.195.91.in-addr.arpa udp
US 8.8.8.8:53 83.234.251.148.in-addr.arpa udp
N/A 127.0.0.1:49794 tcp
N/A 127.0.0.1:49796 tcp
NL 37.0.10.214:80 tcp
DE 91.195.240.135:443 live.goatgame.live tcp
US 8.8.8.8:53 eduarroma.tumblr.com udp
US 74.114.154.22:443 eduarroma.tumblr.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 22.154.114.74.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
DE 91.195.240.135:443 live.goatgame.live tcp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
US 8.8.8.8:53 s.lletlee.com udp
DE 91.195.240.135:443 live.goatgame.live tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.114.154.22:443 eduarroma.tumblr.com tcp
US 74.114.154.22:443 eduarroma.tumblr.com tcp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 8.8.8.8:53 s.lletlee.com udp
DE 91.195.240.135:443 live.goatgame.live tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 126.137.241.8.in-addr.arpa udp
US 8.8.8.8:53 s.lletlee.com udp
DE 91.195.240.135:443 live.goatgame.live tcp
DE 91.195.240.135:443 live.goatgame.live tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
NL 37.0.10.244:80 tcp
DE 91.195.240.135:443 live.goatgame.live tcp
US 8.8.8.8:53 varmisende.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 fernandomayol.com udp
US 8.8.8.8:53 nextlytm.com udp
US 8.8.8.8:53 people4jan.com udp
US 204.11.56.48:80 people4jan.com tcp
US 8.8.8.8:53 asfaltwerk.com udp
US 8.8.8.8:53 48.56.11.204.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
DE 91.195.240.135:443 live.goatgame.live tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
DE 91.195.240.135:443 live.goatgame.live tcp
US 20.189.173.4:443 tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
DE 91.195.240.135:443 live.goatgame.live tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
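
The following Python is an added triage pass over the Network table (example code, not part of the report). It drops resolver, reverse-lookup and loopback rows, separates names that were only resolved from names that were actually contacted, lists direct-to-IP connections for manual confirmation, and buckets the Discord CDN and Tumblr hits separately, since those are presumably what the summary's "Legitimate hosting services abused for malware hosting/C2" signature refers to and the useful indicator there is the full URL rather than the domain. The embedded rows are a subset of the table above, and the list of legitimate-service suffixes is an assumption made for the example.

```python
from collections import Counter

# Flow rows copied from the Network table above (country, destination, domain, proto);
# rows for direct-to-IP connections have no domain column. This is a subset.
FLOWS = """\
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 hsiens.xyz udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 one-wedding-film.xyz udp
US 8.8.8.8:53 w0rkinginstanc3.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 2no.co udp
DE 148.251.234.93:443 2no.co tcp
DE 91.195.240.135:443 live.goatgame.live tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
N/A 127.0.0.1:49794 tcp
NL 37.0.10.214:80 tcp
US 74.114.154.22:443 eduarroma.tumblr.com tcp
US 204.11.56.48:80 people4jan.com tcp
US 20.189.173.4:443 tcp
NL 37.0.10.244:80 tcp
"""

# Suffixes of legitimate services the report flags as abused for hosting/C2.
# Assumed for this example; they get their own bucket because blocking the whole
# service is rarely an option and the actionable indicator is the full URL.
LEGIT_HOSTING = ("discordapp.com", "tumblr.com")
RESOLVER = "8.8.8.8"


def parse_flows(text):
    """Yield (country, ip, port, domain, proto); domain is '' for direct-to-IP rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dst, domain, proto = parts
        elif len(parts) == 3:
            country, dst, proto = parts
            domain = ""
        else:
            continue
        ip, _, port = dst.rpartition(":")
        yield country, ip, int(port), domain, proto


def triage(text):
    """Bucket flows into noise, resolved-only names, contacted names, direct IPs
    and abused legitimate services."""
    b = {"noise": 0, "resolved_only": Counter(), "contacted": Counter(),
         "direct_ip": Counter(), "abused_legit": Counter()}
    for country, ip, port, domain, proto in parse_flows(text):
        if ip == "127.0.0.1" or domain.endswith(".in-addr.arpa"):
            b["noise"] += 1                      # loopback and reverse lookups of IPs already seen
        elif ip == RESOLVER and port == 53:
            b["resolved_only"][domain] += 1      # a DNS query; the host may never be contacted
        elif not domain:
            b["direct_ip"][f"{ip}:{port}"] += 1  # confirm manually; some may be OS background traffic
        elif domain.endswith(LEGIT_HOSTING):
            b["abused_legit"][f"{domain} ({ip}:{port})"] += 1
        else:
            b["contacted"][f"{domain} ({ip}:{port})"] += 1
    # A name that was actually contacted is not "resolved only".
    for key in list(b["contacted"]) + list(b["abused_legit"]):
        b["resolved_only"].pop(key.split(" ")[0], None)
    return b


def hunt_list(b):
    """Sorted (domains, ips) to hunt for, excluding the legitimate services."""
    domains, ips = set(b["resolved_only"]), set()
    for key in b["contacted"]:
        name, ipport = key.split(" ")
        domains.add(name)
        ips.add(ipport.strip("()").rsplit(":", 1)[0])
    for ipport in b["direct_ip"]:
        ips.add(ipport.rsplit(":", 1)[0])
    return sorted(domains), sorted(ips)


if __name__ == "__main__":
    buckets = triage(FLOWS)
    for name, bucket in buckets.items():
        print(name, dict(bucket) if isinstance(bucket, Counter) else bucket)
    print("hunt:", *hunt_list(buckets))
```

Two points the buckets make visible: the .xyz names that were resolved but never contacted are still worth a DNS-log search, because a second run or a different region may use them; and iplogger.org (with 2no.co, which resolves into the same /24 here) is an IP-logging service, so those hits are the loader reporting the victim's address, matching the summary's "Looks up external IP address via web service" signature, rather than C2.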

Files

libwinpthread-1.dll, libstdc++-6.dll and libgcc_s_dw2-1.dll are the MinGW-w64 runtime and libcurl.dll/libcurlpp.dll the HTTP client library, all dropped beside setup_install.exe. They are generic components rather than payloads, so their hashes help cluster this installer but are weak as detection signatures on their own; the Thu18*.exe hashes are the ones to act on.

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 05d543376b2739fe3daafaf2a6cb5bf7
SHA1 0891ee47920780b13920ce41e0fa87f544de53a3
SHA256 53b55897c12afc0c1f45b292ad8f2d9712705fea7fd487f9e649c49e77ce4b50
SHA512 8a75ff2b2d19a4e3cfefd14d05b3acc487b6235d2fb665c8d80648bf06260babdc91d5248447891b2101c8d2fe5693397bb21195362360dbd0e264a924712bfa

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\setup_install.exe

MD5 4aa835f8927dbf4544dbc38295d54266
SHA1 98a8e4dacb725820d5c65cdf83990aabf8da9024
SHA256 28b70d0cab3e1121eb047989b7501a21ea5c37f5f009baaaf3b3adf59cb37b63
SHA512 e9d140a6686115315dbf5e914b2c335cf5ca1f11aa7b9b2633763b16be8f30e9eec09cf7c793dd2611282350a4dffa5637d134ef646222df5ea3ad1632ba4b4a

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2968-192-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2968-193-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2968-191-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2968-195-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2968-196-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2968-194-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2968-197-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2968-198-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2968-201-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2968-210-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu189295986a7df934.exe

MD5 de595e972bd04cf93648de130f5fb50d
SHA1 4c05d7c87aa6f95a95709e633f97c715962a52c4
SHA256 ed6d502c7c263fd9bd28324f68b287aea158203d0c5154ca07a9bcd059aa2980
SHA512 1f4b6c60c78fe9e4a616d6d1a71a9870905ef1aadebd26cf35eac87e10be79db5f7cecdef9d835639b50f7394b6fce9285ff39a8d239768532ba7ed6c7cfdb99

memory/5052-218-0x0000000000070000-0x0000000000078000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18f42bf0e3dedd8c.exe

MD5 05a0baf55450d99cb0fa0ee652e2cd0c
SHA1 e7334de04c18c241a091c3327cdcd56e85cc6baf
SHA256 4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c
SHA512 b6d1fc00d7b076068b0879fa4d29b68d3054b5fca24edd5852077bf34d37c43e79cb74fda9c45014610b317d57d70369a3e197784c04bc3c6eac5e1ea9a64fff

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18573f94dd.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18ede124d8468708.exe

MD5 0a0d22f1c9179a67d04166de0db02dbb
SHA1 106e55bd898b5574f9bd33dac9f3c0b95cecd90d
SHA256 a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac
SHA512 8abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b

memory/3312-220-0x0000000000EE0000-0x0000000000EE8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18ff146cab.exe

MD5 951aaadbe4e0e39a7ab8f703694e887c
SHA1 c555b3a6701ada68cfd6d02c4bf0bc08ff73810e
SHA256 5a2934ac710f5995c112da4a32fde9d3de7d9ed3ea0ac5b18a22423d280b5c6d
SHA512 56a605bf8a2f2d1a5068f238578f991f44497755297a44e4fc4dad78c2c7d49e52d43979fb0f28a9af0513292da4a747beeb337edd156139a97f597ce23666d9

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18373e6fac988e1fd.exe

MD5 5f0707404c2cbb84dfed31d716934010
SHA1 b143d1bb5a1d28fec5decae7152bc4195d452782
SHA256 477f0af44e919e1d977f127a7c9fc63bdf6f2bbc46423611ac6c41688c299acf
SHA512 a7dd5c3d6c00e9b52699cd358a266d0e08aaa8ea71947bfcccb2ee4c554f26216807e0a685881a8b17d5a4f15366f5bb129e944714f20d7669bd12a79a60128a

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18fd253544aed.exe

MD5 f994e0fe5d9442bb6acc18855fea2f32
SHA1 dd5e4830a6c9e67f23c818baadade7ee18e0c72c
SHA256 1f415ba6299b928a8c28e3223b4376f9d06673b65f0921edb23c1b63e5518bf4
SHA512 38a8af841dbd97c2138c5200d656b25b5eed8738049a7c92f745a810bb15f21f8d3d50c68fe18a9562bb7b0cb81da1d71310c7513eb9de9a7c2f63fb8e9f51c3

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu185cfab8a1.exe

MD5 b1a437a7d8cb5e0df6593590465b95de
SHA1 982dd75cff6fd982f70e8af880deff24b32a62a7
SHA256 aad9cc26769586cfc75fda04e348a51310c9aefc78fb3e0fb663ef872d53052e
SHA512 61ab228bfca510344a409ecc1bdac4b89a7037d5f85fb24c706f1fd61a552ac7dd776a185dc13dadb89248e7586eb643182acc6d12383232d481bddffd72d1c8

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18f42bf0e3dedd8c.exe

MD5 05a0baf55450d99cb0fa0ee652e2cd0c
SHA1 e7334de04c18c241a091c3327cdcd56e85cc6baf
SHA256 4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c
SHA512 b6d1fc00d7b076068b0879fa4d29b68d3054b5fca24edd5852077bf34d37c43e79cb74fda9c45014610b317d57d70369a3e197784c04bc3c6eac5e1ea9a64fff

memory/4540-223-0x0000000002E00000-0x0000000002E09000-memory.dmp

memory/1664-224-0x0000000004A00000-0x0000000004A9D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18573f94dd.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

memory/2968-199-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4308-225-0x0000000000DC0000-0x0000000000DEC000-memory.dmp

memory/3312-226-0x000000001BA80000-0x000000001BA90000-memory.dmp

memory/5064-227-0x0000000002FA0000-0x0000000002FD6000-memory.dmp

memory/5052-228-0x000000001ACA0000-0x000000001ACB0000-memory.dmp

memory/5064-229-0x0000000005880000-0x0000000005EA8000-memory.dmp

memory/5064-231-0x00000000055A0000-0x00000000055C2000-memory.dmp

memory/5064-239-0x0000000005F20000-0x0000000005F86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3wc0oqgr.njf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2968-233-0x0000000000400000-0x000000000051B000-memory.dmp

memory/5064-232-0x0000000005EB0000-0x0000000005F16000-memory.dmp

memory/2968-244-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2968-245-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2968-249-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2968-247-0x0000000064940000-0x0000000064959000-memory.dmp

memory/5064-246-0x0000000005240000-0x0000000005250000-memory.dmp

memory/5064-248-0x0000000005240000-0x0000000005250000-memory.dmp

memory/4308-250-0x0000000002F10000-0x0000000002F20000-memory.dmp

memory/2968-251-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/5064-253-0x0000000006560000-0x000000000657E000-memory.dmp

memory/5064-254-0x0000000005240000-0x0000000005250000-memory.dmp

memory/5064-255-0x0000000006B30000-0x0000000006B62000-memory.dmp

memory/5064-256-0x0000000073CA0000-0x0000000073CEC000-memory.dmp

memory/5064-266-0x0000000006B10000-0x0000000006B2E000-memory.dmp

memory/5064-267-0x0000000007F30000-0x00000000085AA000-memory.dmp

memory/5064-268-0x00000000075B0000-0x00000000075CA000-memory.dmp

memory/5064-269-0x00000000078F0000-0x00000000078FA000-memory.dmp

memory/5064-270-0x000000007EEE0000-0x000000007EEF0000-memory.dmp

memory/5064-271-0x0000000007AE0000-0x0000000007B76000-memory.dmp

memory/5064-272-0x0000000007AA0000-0x0000000007AAE000-memory.dmp

memory/5064-273-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

memory/5064-274-0x0000000007B90000-0x0000000007B98000-memory.dmp

memory/3252-277-0x00000000026D0000-0x00000000026E5000-memory.dmp

memory/4540-279-0x0000000000400000-0x0000000002CBB000-memory.dmp

memory/4540-281-0x0000000002E00000-0x0000000002E09000-memory.dmp

memory/1664-285-0x0000000000400000-0x0000000002D17000-memory.dmp

memory/1664-289-0x0000000004A00000-0x0000000004A9D000-memory.dmp

memory/3312-290-0x000000001BA80000-0x000000001BA90000-memory.dmp

memory/5052-291-0x000000001ACA0000-0x000000001ACB0000-memory.dmp
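The dropped-file and memory-dump entries above follow a fixed naming scheme: a Windows path followed by MD5/SHA1/SHA256/SHA512 lines, and dump names of the form memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp. The Python below is an added example and is not part of the sandbox report or its tooling. It parses such a listing, collapses repeated file entries onto one record, checks that each digest has the length its algorithm requires, and works out per-PID region sizes so the large regions (for example the ones beginning at 0x400000 in PIDs 4540 and 1664) stand out. The sample input is a constructed excerpt of lines copied from this report; treating 0x400000 as the default 32-bit PE image base to flag probable main-module regions is an assumption of this example, not something the report states.

```python
import re
from collections import defaultdict

# Naming scheme of the sandbox memory dumps listed in the report:
#   memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# Digest lines that follow each dropped-file path
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
# Dropped-file entries are Windows absolute paths
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Expected hex length of each digest algorithm
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Assumption: default image base of a 32-bit PE, used as a heuristic only
DEFAULT_IMAGE_BASE = 0x400000

# Constructed excerpt of the report listing (one file entry repeated on purpose)
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18ede124d8468708.exe
MD5 0a0d22f1c9179a67d04166de0db02dbb
SHA1 106e55bd898b5574f9bd33dac9f3c0b95cecd90d
SHA256 a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac
SHA512 8abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b
memory/3312-220-0x0000000000EE0000-0x0000000000EE8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18ff146cab.exe
MD5 951aaadbe4e0e39a7ab8f703694e887c
SHA1 c555b3a6701ada68cfd6d02c4bf0bc08ff73810e
SHA256 5a2934ac710f5995c112da4a32fde9d3de7d9ed3ea0ac5b18a22423d280b5c6d
SHA512 56a605bf8a2f2d1a5068f238578f991f44497755297a44e4fc4dad78c2c7d49e52d43979fb0f28a9af0513292da4a747beeb337edd156139a97f597ce23666d9
memory/4540-223-0x0000000002E00000-0x0000000002E09000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC1072366\Thu18ede124d8468708.exe
MD5 0a0d22f1c9179a67d04166de0db02dbb
SHA1 106e55bd898b5574f9bd33dac9f3c0b95cecd90d
SHA256 a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac
SHA512 8abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b
memory/4540-279-0x0000000000400000-0x0000000002CBB000-memory.dmp
memory/1664-285-0x0000000000400000-0x0000000002D17000-memory.dmp
memory/2968-233-0x0000000000400000-0x000000000051B000-memory.dmp
"""


def parse_report(text):
    """Return ({path: {algo: digest}}, [dump dicts]) from the flat listing."""
    files = {}
    dumps = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            dumps.append({"pid": int(m["pid"]), "index": int(m["idx"]),
                          "start": start, "end": end, "size": end - start})
            current = None
            continue
        if PATH_RE.match(line):
            current = line
            files.setdefault(current, {})  # repeated entries collapse onto one record
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            files[current][h.group(1)] = h.group(2)
    return files, dumps


def validate_hashes(files):
    """List (path, algo) pairs whose digest is not the length the algorithm produces."""
    return [(path, algo) for path, digests in files.items()
            for algo, digest in digests.items()
            if len(digest) != DIGEST_LEN[algo]]


def regions_by_pid(dumps):
    """Group dump regions per PID, ordered by the sandbox's dump index."""
    grouped = defaultdict(list)
    for d in dumps:
        grouped[d["pid"]].append(d)
    for regions in grouped.values():
        regions.sort(key=lambda d: d["index"])
    return dict(grouped)


def largest_region(dumps):
    """The single biggest dumped region; a good first candidate for an unpacked payload."""
    return max(dumps, key=lambda d: d["size"])


def image_base_regions(dumps, base=DEFAULT_IMAGE_BASE):
    """Regions starting at the assumed image base, i.e. probable main-module dumps."""
    return [d for d in dumps if d["start"] == base]


if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE)
    print(f"{len(files)} unique dropped files, {len(dumps)} memory regions")
    for pid, regions in sorted(regions_by_pid(dumps).items()):
        print(pid, [f"0x{r['start']:X}+0x{r['size']:X}" for r in regions])
    big = largest_region(dumps)
    print(f"largest region: pid {big['pid']} 0x{big['start']:X}-0x{big['end']:X}")
```

Running it against the full listing rather than the excerpt is a matter of reading the report text into parse_report; the hash-length check catches digests that were truncated while the report was copied, which is worth doing before any of these values are pushed into a blocklist.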