Malware Analysis Report

2024-10-19 02:14

Sample ID 231227-d1c1msghd6
Target a0e87c4b9483fae95f6f57946023d3e7
SHA256 bb7dead4d3da28e16ef45d0019cd42bbd3c4e3454c3042867e7f64aee2439912
Tags
nullmixer smokeloader vidar 706 pub5 aspackv2 backdoor dropper stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

bb7dead4d3da28e16ef45d0019cd42bbd3c4e3454c3042867e7f64aee2439912

Threat Level: Known bad

The file a0e87c4b9483fae95f6f57946023d3e7 was found to be: Known bad.

Malicious Activity Summary

NullMixer

Vidar

SmokeLoader

Vidar Stealer

ASPack v2.12-2.42

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Program crash

Runs ping.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-27 03:28

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-27 03:28

Reported

2024-01-07 13:34

Platform

win7-20231215-en

Max time kernel

0s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0e87c4b9483fae95f6f57946023d3e7.exe"

Signatures

NullMixer

dropper nullmixer

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Vidar Stealer

stealer

ASPack v2.12-2.42

aspackv2

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a0e87c4b9483fae95f6f57946023d3e7.exe

"C:\Users\Admin\AppData\Local\Temp\a0e87c4b9483fae95f6f57946023d3e7.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_5.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_5.exe

sahiba_5.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c cmd < Compatto.rtf

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_7.exe

sahiba_7.exe

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^jvMDwkwydQdmnxGPmMOjYlbIlopECWXOZojRKCmISYgoKPYfXOyLKoMeYraSevCxTCAdoOyWjyxqVfYxlTHNQkrRvpTHpGGccUgofIipJpnFNMuJyYIpPPDHnITYVnMGn$" Oggi.rtf

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 30

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com

Triste.exe.com n

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com n

C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_3.exe

sahiba_3.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_1.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_1.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 416

C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_8.exe

sahiba_8.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_6.exe

sahiba_6.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_4.exe

sahiba_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_8.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_2.exe

sahiba_2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_1.exe

sahiba_1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_1.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\setup_install.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 964

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-27 03:28

Reported

2024-01-07 13:34

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0e87c4b9483fae95f6f57946023d3e7.exe"

Signatures

NullMixer

dropper nullmixer

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Vidar Stealer

stealer

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a0e87c4b9483fae95f6f57946023d3e7.exe

"C:\Users\Admin\AppData\Local\Temp\a0e87c4b9483fae95f6f57946023d3e7.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS472AE877\sahiba_7.exe

sahiba_7.exe

C:\Users\Admin\AppData\Local\Temp\7zS472AE877\sahiba_1.exe

sahiba_1.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1128 -ip 1128

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c cmd < Compatto.rtf

C:\Users\Admin\AppData\Local\Temp\7zS472AE877\sahiba_1.exe

"C:\Users\Admin\AppData\Local\Temp\7zS472AE877\sahiba_1.exe" -a

C:\Users\Admin\AppData\Local\Temp\7zS472AE877\sahiba_8.exe

sahiba_8.exe

C:\Users\Admin\AppData\Local\Temp\7zS472AE877\sahiba_3.exe

sahiba_3.exe

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 30

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com n

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com

Triste.exe.com n

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^jvMDwkwydQdmnxGPmMOjYlbIlopECWXOZojRKCmISYgoKPYfXOyLKoMeYraSevCxTCAdoOyWjyxqVfYxlTHNQkrRvpTHpGGccUgofIipJpnFNMuJyYIpPPDHnITYVnMGn$" Oggi.rtf

C:\Users\Admin\AppData\Local\Temp\7zS472AE877\sahiba_5.exe

sahiba_5.exe

C:\Users\Admin\AppData\Local\Temp\7zS472AE877\sahiba_6.exe

sahiba_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS472AE877\sahiba_4.exe

sahiba_4.exe

C:\Users\Admin\AppData\Local\Temp\7zS472AE877\sahiba_2.exe

sahiba_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sahiba_1.exe

C:\Users\Admin\AppData\Local\Temp\7zS472AE877\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS472AE877\setup_install.exe"

Network


Files
