Malware Analysis Report

2024-10-19 02:13

Sample ID 231230-b5m1aschak
Target 0a7b9a3a120d129f53edd0c6fa2564b2
SHA256 c767c0c438dd1a2bfb6d14e35c30b24971b9a2db90748177ee23959b7b6b22ed
Tags
nullmixer privateloader risepro smokeloader vidar zgrat 706 pub5 aspackv2 backdoor dropper evasion loader rat spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c767c0c438dd1a2bfb6d14e35c30b24971b9a2db90748177ee23959b7b6b22ed

Threat Level: Known bad

The file 0a7b9a3a120d129f53edd0c6fa2564b2 was found to be: Known bad.

Malicious Activity Summary

nullmixer privateloader risepro smokeloader vidar zgrat 706 pub5 aspackv2 backdoor dropper evasion loader rat spyware stealer themida trojan

ZGRat

Detect ZGRat V1

SmokeLoader

RisePro

Vidar

NullMixer

PrivateLoader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

Loads dropped DLL

ASPack v2.12-2.42

Checks computer location settings

Reads user/profile data of web browsers

Themida packer

Checks BIOS information in registry

Executes dropped EXE

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Modifies system certificate store

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 01:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 01:43

Reported

2023-12-30 14:22

Platform

win7-20231215-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a7b9a3a120d129f53edd0c6fa2564b2.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\38a72d1941.exe N/A

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\38a72d1941.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\38a72d1941.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a7b9a3a120d129f53edd0c6fa2564b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a7b9a3a120d129f53edd0c6fa2564b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a7b9a3a120d129f53edd0c6fa2564b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\72a3df5b6765f57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\72a3df5b6765f57.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\dc56b88fa7bd64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\dc56b88fa7bd64.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\0c1a94348.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\0c1a94348.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\ae53a1dbd6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\ae53a1dbd6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\72a3df5b6765f57.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\38a72d1941.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\38a72d1941.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\72a3df5b6765f57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\72a3df5b6765f57.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\38a72d1941.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\38a72d1941.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\0c1a94348.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\0c1a94348.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\0c1a94348.exe N/A
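The registry accesses listed under the four headings above (VirtualBox ACPI table, BIOS version strings, UAC state, SCSI enumeration) are all made by two of the dropped components, but the report files them by signature rather than by process. The following script is an added example, not part of the sandbox report: it reads rows in the report's own "Key <action> <path> <process> <target>" layout, folds ControlSetNNN onto CurrentControlSet, labels each access with what it tells the malware, and groups the result per process. The sample rows are copied from the tables above plus one constructed benign access; the ATT&CK technique IDs in the rule table are the editor's mapping (the report's own MITRE section is empty in this copy), not something the sandbox emitted.

```python
"""Attribute registry-based anti-analysis checks to the process that made them."""
from __future__ import annotations

import re
from collections import defaultdict

# One row of the report's signature tables:
#   Key <opened|queried|enumerated|value queried> <\REGISTRY\...> <process> <target>
ROW_RE = re.compile(
    r"^Key (opened|queried|enumerated|value queried) (\\REGISTRY\\\S+) (\S+) (\S+)$"
)

# (regex over the normalised path, label, ATT&CK technique, why the malware reads it)
# Technique IDs are the editor's mapping, not output of the sandbox.
RULES = [
    (r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", "vm:virtualbox-acpi", "T1497.001",
     "Windows mirrors the ACPI OEM ID under HARDWARE\\ACPI\\DSDT; VBOX__ exists only on a VirtualBox guest"),
    (r"\\HARDWARE\\DESCRIPTION\\SYSTEM\\(SYSTEM|VIDEO)BIOSVERSION$", "vm:bios-strings", "T1497.001",
     "BIOS version strings name the hypervisor vendor on most virtual machines"),
    (r"\\CURRENTCONTROLSET\\ENUM\\SCSI$", "vm:scsi-device-ids", "T1497.001",
     "SCSI device instance ids carry the virtual disk vendor/model (e.g. VBOX HARDDISK)"),
    (r"\\POLICIES\\SYSTEM\\ENABLELUA$", "priv:uac-state", "T1012",
     "EnableLUA=0 means a privileged action will not raise a consent prompt"),
]
COMPILED = [(re.compile(rx), label, tid, why) for rx, label, tid, why in RULES]


def normalise(path: str) -> str:
    """Upper-case and fold ControlSetNNN onto CurrentControlSet so one rule
    covers whichever control set the sample happens to walk."""
    return re.sub(r"\\CONTROLSET\d{3}\\", r"\\CURRENTCONTROLSET\\", path.upper())


def classify(path: str) -> tuple[str, str, str] | None:
    """Return (label, technique, rationale) for a path, or None if it is ordinary."""
    norm = normalise(path)
    for rx, label, tid, why in COMPILED:
        if rx.search(norm):
            return label, tid, why
    return None


def profile(rows) -> dict[str, dict[str, tuple[str, set[str]]]]:
    """{process image: {label: (technique, {access kinds seen})}}"""
    out: dict[str, dict[str, tuple[str, set[str]]]] = defaultdict(dict)
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue  # table header or a row the sandbox left as N/A
        kind, path, process, _target = m.groups()
        hit = classify(path)
        if hit is None:
            continue
        label, tid, _why = hit
        out[process].setdefault(label, (tid, set()))[1].add(kind)
    return dict(out)


P = r"C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76"
SAMPLE_ROWS = [
    # rows as they appear in the report's tables
    rf"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ {P}\38a72d1941.exe N/A",
    rf"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion {P}\38a72d1941.exe N/A",
    rf"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion {P}\38a72d1941.exe N/A",
    rf"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA {P}\38a72d1941.exe N/A",
    rf"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI {P}\0c1a94348.exe N/A",
    rf"Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI {P}\0c1a94348.exe N/A",
    rf"Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI {P}\0c1a94348.exe N/A",
    # constructed benign access (not from the report) to show ordinary reads are ignored
    rf"Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion {P}\38a72d1941.exe N/A",
    "Description Indicator Process Target",
]

if __name__ == "__main__":
    for process, labels in profile(SAMPLE_ROWS).items():
        print(process.rsplit("\\", 1)[-1])
        for label, (tid, kinds) in labels.items():
            why = next(w for _, l, _, w in RULES if l == label)
            print(f"  {label:22} {tid:10} {sorted(kinds)}  {why}")
```

Run against the full report, the per-process view is what you want when deciding which dropped executable to reverse first: the component that checks for VirtualBox, reads both BIOS strings, reads EnableLUA and (from the signature further down) hides its threads from the debugger is the one with the most anti-analysis work, and will need those checks patched or the VM hardened before it does anything useful in a sandbox.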

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764f
d2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\ae53a1dbd6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\2e80f89eab2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21
542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\2e80f89eab2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob value omitted in this copy of the report] C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\dc56b88fa7bd64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\2e80f89eab2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value omitted in this copy of the report] C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\2e80f89eab2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\ae53a1dbd6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d0101050
5000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\ae53a1dbd6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300
e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\ae53a1dbd6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\dc56b88fa7bd64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a
4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\dc56b88fa7bd64.exe N/A
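The "Modifies system certificate store" signature fires on any write under SystemCertificates, so it is worth checking what was actually installed before treating it as a rogue trust anchor. The four subkey names above are SHA-1 thumbprints, and three of the blobs carry their subject in plain text inside the DER: D4DE20D0... is Baltimore CyberTrust Root, CABD2A79... is ISRG Root X1 (written under ROOT rather than AuthRoot, by 2e80f89eab2.exe), and D1EB23A4... is Comodo's AAA Certificate Services; DAC9024F... is the widely published thumbprint of DST Root CA X3, whose blob is omitted in this copy. All four are public roots, and entries of this shape appear in AuthRoot when Windows fetches a root on demand for a TLS chain it has not cached yet, so the writes here are a side effect of the samples' HTTPS traffic rather than an attacker-controlled CA. A genuine rogue root would look identical at the signature level, which is why the thumbprint should be checked every time.

The script below is an added example, not part of the sandbox report or the sandbox vendor's tooling. It decodes the Blob value format (a list of CryptoAPI certificate properties, each a little-endian DWORD property id, a reserved DWORD of 1, a DWORD length and the data), extracts the friendly name, compares the stored SHA-1 with one computed over the DER in property 0x20, and runs a strings pass over the DER so a well-known root can be named without an X.509 parser. The property-id names come from wincrypt.h; the first sample is the opening two properties of the Baltimore blob exactly as printed above (the full values are wrapped across two lines in this copy of the report and must be concatenated before decoding), and the second is a constructed blob around a made-up, non-certificate byte string so the thumbprint check can be exercised offline.

```python
"""Decode a CryptoAPI serialized-certificate 'Blob' registry value."""
from __future__ import annotations

import hashlib
import re
import struct

# Property IDs from wincrypt.h (CERT_*_PROP_ID) that occur in the blobs in this
# report. Anything else is reported by number rather than guessed at.
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x04: "CERT_MD5_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x19: "CERT_SUBJECT_PUB_KEY_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
    0x53: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
}
CERT_SHA1_HASH_PROP_ID = 0x03
CERT_FRIENDLY_NAME_PROP_ID = 0x0B
CERT_CERT_PROP_ID = 0x20


def parse_blob(blob: bytes) -> list[tuple[int, bytes]]:
    """Split the blob into (property_id, data) entries.

    Each entry is: DWORD prop_id, DWORD reserved (always 1), DWORD length,
    then `length` bytes of data; all DWORDs little-endian.
    """
    props = []
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"unexpected reserved value {reserved} at offset {off}")
        off += 12
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError(f"property {prop_id:#x} runs past the end of the blob")
        props.append((prop_id, data))
        off += length
    return props


def is_well_formed(blob: bytes) -> bool:
    """True if every property header and payload fits inside the blob."""
    try:
        parse_blob(blob)
        return True
    except ValueError:
        return False


def describe(blob: bytes) -> dict:
    """Friendly name, stored vs computed SHA-1, and printable strings of the DER.

    Subject and issuer names are stored as plain text inside the DER, so a
    strings pass is enough to recognise a well-known root.
    """
    info = {"properties": [], "friendly_name": None, "stored_sha1": None,
            "thumbprint": None, "cert_strings": []}
    for prop_id, data in parse_blob(blob):
        info["properties"].append(PROP_NAMES.get(prop_id, f"prop_{prop_id:#x}"))
        if prop_id == CERT_FRIENDLY_NAME_PROP_ID:
            info["friendly_name"] = data.decode("utf-16-le").rstrip("\x00")
        elif prop_id == CERT_SHA1_HASH_PROP_ID:
            info["stored_sha1"] = data.hex().upper()
        elif prop_id == CERT_CERT_PROP_ID:
            info["thumbprint"] = hashlib.sha1(data).hexdigest().upper()
            info["cert_strings"] = [s.decode("ascii") for s in re.findall(rb"[ -~]{8,}", data)]
    return info


def registry_key_matches(blob: bytes, key_name: str) -> bool:
    """The subkey under ...\\Certificates\\ must equal the SHA-1 of the DER in
    property 0x20; a mismatch means something other than CryptoAPI's store
    code wrote the value and the entry deserves a closer look."""
    thumb = describe(blob)["thumbprint"]
    return thumb is not None and thumb == key_name.upper()


def build_blob(props: list[tuple[int, bytes]]) -> bytes:
    """Serialise properties in the same layout (used here to construct test data)."""
    return b"".join(struct.pack("<III", pid, 1, len(d)) + d for pid, d in props)


# First two properties of the Baltimore CyberTrust Root blob as printed in the
# report (signature hash, then the UTF-16LE friendly name), cut after the name.
PAGE_BLOB_PREFIX = bytes.fromhex(
    "0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f"
    "0b0000000100000034000000"
    "420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f0074000000"
)

# Constructed stand-in for a DER certificate (NOT a real certificate): just
# enough structure to exercise the thumbprint check and the strings pass.
FAKE_CERT_DER = b"\x30\x82\x00\x00" + b"CN=Example Attacker Root" + b"\x00" * 8
FAKE_BLOB = build_blob([
    (CERT_FRIENDLY_NAME_PROP_ID, "Example Attacker Root".encode("utf-16-le") + b"\x00\x00"),
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_CERT_DER).digest()),
    (CERT_CERT_PROP_ID, FAKE_CERT_DER),
])

if __name__ == "__main__":
    for label, blob in (("report prefix", PAGE_BLOB_PREFIX), ("constructed", FAKE_BLOB)):
        info = describe(blob)
        print(label, info["properties"], info["friendly_name"], info["thumbprint"], info["cert_strings"])
```

To use it on the report, join the wrapped halves of one Blob value into a single hex string, call `describe(bytes.fromhex(...))`, and compare `thumbprint` with the subkey name in the registry path; a name that is not in a public root program's list, or a thumbprint that differs from the subkey, is the case that warrants the "evasion spyware trojan" tags the signature carries.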

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\0c1a94348.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\0c1a94348.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\0c1a94348.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\b7816bfa03.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\2e80f89eab2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\38a72d1941.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\0a7b9a3a120d129f53edd0c6fa2564b2.exe C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe
PID 2396 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\0a7b9a3a120d129f53edd0c6fa2564b2.exe C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe
PID 2396 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\0a7b9a3a120d129f53edd0c6fa2564b2.exe C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe
PID 2396 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\0a7b9a3a120d129f53edd0c6fa2564b2.exe C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe
PID 2396 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\0a7b9a3a120d129f53edd0c6fa2564b2.exe C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe
PID 2396 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\0a7b9a3a120d129f53edd0c6fa2564b2.exe C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe
PID 2396 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\0a7b9a3a120d129f53edd0c6fa2564b2.exe C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe
PID 2696 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 268 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\d8209827f876d25.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0a7b9a3a120d129f53edd0c6fa2564b2.exe

"C:\Users\Admin\AppData\Local\Temp\0a7b9a3a120d129f53edd0c6fa2564b2.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c dc56b88fa7bd64.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 0c1a94348.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\72a3df5b6765f57.exe

72a3df5b6765f57.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\d8209827f876d25.exe

d8209827f876d25.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\38a72d1941.exe

38a72d1941.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\72a3df5b6765f57.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\72a3df5b6765f57.exe" -a

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\ae53a1dbd6.exe

ae53a1dbd6.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\0c1a94348.exe

0c1a94348.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\dc56b88fa7bd64.exe

dc56b88fa7bd64.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\2e80f89eab2.exe

2e80f89eab2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\b7816bfa03.exe

b7816bfa03.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ae53a1dbd6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 72a3df5b6765f57.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c d8209827f876d25.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c b7816bfa03.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 2e80f89eab2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 38a72d1941.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 940

Network

Files

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\libwinpthread-1.dll

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\libcurlpp.dll

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\libcurl.dll

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\libgcc_s_dw2-1.dll

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\libstdc++-6.dll

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\libstdc++-6.dll

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\b7816bfa03.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\0c1a94348.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\0c1a94348.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\ae53a1dbd6.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\ae53a1dbd6.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\ae53a1dbd6.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\ae53a1dbd6.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\ae53a1dbd6.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\38a72d1941.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\72a3df5b6765f57.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\38a72d1941.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\38a72d1941.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\38a72d1941.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\38a72d1941.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\72a3df5b6765f57.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\72a3df5b6765f57.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\0c1a94348.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\2e80f89eab2.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\dc56b88fa7bd64.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\dc56b88fa7bd64.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\0c1a94348.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\0c1a94348.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\0c1a94348.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\dc56b88fa7bd64.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\dc56b88fa7bd64.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\d8209827f876d25.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59B6C76\dc56b88fa7bd64.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\dc56b88fa7bd64.exe

C:\Users\Admin\AppData\Local\Temp\Cab7207.tmp

C:\Users\Admin\AppData\Local\Temp\Tar7229.tmp

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\setup_install.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

\Users\Admin\AppData\Local\Temp\7zSC59B6C76\dc56b88fa7bd64.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Roaming\jcdsguj


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 01:43

Reported

2023-12-30 14:21

Platform

win10v2004-20231215-en

Max time kernel

38s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a7b9a3a120d129f53edd0c6fa2564b2.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\38a72d1941.exe N/A

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\38a72d1941.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\38a72d1941.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0a7b9a3a120d129f53edd0c6fa2564b2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\72a3df5b6765f57.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\38a72d1941.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\38a72d1941.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\backgroundTaskHost.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\backgroundTaskHost.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\backgroundTaskHost.exe N/A
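The four registry signatures above (VirtualBox ACPI table, BIOS version strings, EnableLUA, SCSI enumeration) plus the Geo\Nation check are all plain key reads, and the report attributes one of them to a Windows-owned image (backgroundTaskHost.exe), so a rule keyed on the path alone fires on ordinary system activity. The matcher below is an added example written for this page, not sandbox or vendor code: it normalises the NT object-manager paths the report prints (\REGISTRY\MACHINE, the user SID, ControlSet001) onto a fixed watch list and weights each hit by whether the accessing image lives in a user-writable drop directory. The tag names and the severity scheme are the editor's assumptions; the sample rows are copied from the tables above except the last one, which is constructed to show a non-matching read being ignored.

```python
import re

# Registry locations from this report's signature tables, in HKLM/HKU spelling.
# Tag names are the editor's own labels (assumption), chosen to mirror the
# sandbox's signature titles; they are not part of the report.
WATCHED_KEYS = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": "anti-vm:virtualbox-acpi",
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "recon:bios-version",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "recon:bios-version",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": "recon:uac-state",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\SCSI": "recon:scsi-enum",
    r"HKU\<SID>\Control Panel\International\Geo\Nation": "recon:geo-nation",
}
_WATCHED = {k.lower(): v for k, v in WATCHED_KEYS.items()}

# A process image under the user's Temp or Roaming directory counts as untrusted
# origin; anything else (here: backgroundTaskHost.exe under system32) as system.
_UNTRUSTED_DIR = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
_SID = re.compile(r"S-1-5-21(?:-\d+)+", re.I)
_CCS = re.compile(r"\\ControlSet\d{3}\\", re.I)
# One row of a "Description Indicator Process Target" table as the report prints it.
_ROW = re.compile(r"^(Key(?: value)? \w+)\s+(\\REGISTRY\\.+?)\s+([A-Za-z]:\\\S+)\s+(\S+)$")


def normalise_key(path: str) -> str:
    """Map the NT object-manager path the sandbox logs onto the HKLM/HKU form used
    in WATCHED_KEYS and mask the volatile parts (user SID, ControlSetNNN)."""
    p = path.strip().rstrip("\\")
    p = re.sub(r"^\\?REGISTRY\\MACHINE", "HKLM", p, flags=re.I)
    p = re.sub(r"^\\?REGISTRY\\USER", "HKU", p, flags=re.I)
    p = _SID.sub("<SID>", p)
    p = _CCS.sub(r"\\CurrentControlSet\\", p)
    return p


def severity(tag: str, process: str) -> str:
    """Anti-VM probes from a dropped binary are the strongest signal; the same
    system-information reads from a Windows-owned image are recorded, not alerted."""
    untrusted = bool(_UNTRUSTED_DIR.search(process))
    if tag.startswith("anti-vm:"):
        return "high" if untrusted else "medium"
    return "medium" if untrusted else "info"


def triage_registry_rows(rows):
    """Return one dict per watched registry access, in input order."""
    hits = []
    for line in rows:
        m = _ROW.match(line.strip())
        if not m:
            continue
        action, key, process, _target = m.groups()
        norm = normalise_key(key)
        tag = _WATCHED.get(norm.lower())
        if tag is None:
            continue  # a registry read the watch list does not care about
        hits.append({"action": action, "key": norm, "tag": tag,
                     "process": process.rsplit("\\", 1)[-1],
                     "severity": severity(tag, process)})
    return hits


_T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_ROWS = [  # rows copied from the report's tables; the last row is constructed
    rf"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ {_T}\7zS4B76ABB7\38a72d1941.exe N/A",
    rf"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion {_T}\7zS4B76ABB7\38a72d1941.exe N/A",
    rf"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion {_T}\7zS4B76ABB7\38a72d1941.exe N/A",
    rf"Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation {_T}\0a7b9a3a120d129f53edd0c6fa2564b2.exe N/A",
    rf"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA {_T}\7zS4B76ABB7\38a72d1941.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\backgroundTaskHost.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName C:\Windows\explorer.exe N/A",
]

if __name__ == "__main__":
    for h in triage_registry_rows(SAMPLE_ROWS):
        print(f"{h['severity']:6} {h['tag']:24} {h['process']:40} {h['action']}")
```

The normaliser is what makes the rule portable between this report and host telemetry: Sysmon and EDR products print the same keys as HKLM\... with CurrentControlSet, while the sandbox prints the kernel path with ControlSet001 and the raw SID, and a lookup that does not collapse those differences silently misses every row.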

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\b7816bfa03.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\2e80f89eab2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\38a72d1941.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\0a7b9a3a120d129f53edd0c6fa2564b2.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe
PID 1972 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\0a7b9a3a120d129f53edd0c6fa2564b2.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe
PID 1972 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\0a7b9a3a120d129f53edd0c6fa2564b2.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe
PID 3884 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 1324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1872 wrote to memory of 1324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1872 wrote to memory of 1324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4952 wrote to memory of 3588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\2e80f89eab2.exe
PID 4952 wrote to memory of 3588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\2e80f89eab2.exe
PID 2560 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\dc56b88fa7bd64.exe
PID 2560 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\dc56b88fa7bd64.exe
PID 2560 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\dc56b88fa7bd64.exe
PID 4840 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\ae53a1dbd6.exe
PID 4840 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\ae53a1dbd6.exe
PID 4840 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\ae53a1dbd6.exe
PID 4588 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\38a72d1941.exe
PID 4588 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\38a72d1941.exe
PID 4588 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\38a72d1941.exe
PID 1592 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\d8209827f876d25.exe
PID 1592 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\d8209827f876d25.exe
PID 1932 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\b7816bfa03.exe
PID 1932 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\b7816bfa03.exe
PID 5084 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\72a3df5b6765f57.exe
PID 5084 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\72a3df5b6765f57.exe
PID 5084 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\72a3df5b6765f57.exe
PID 2708 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\72a3df5b6765f57.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\72a3df5b6765f57.exe
PID 2708 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\72a3df5b6765f57.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\72a3df5b6765f57.exe
PID 2708 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\72a3df5b6765f57.exe C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\72a3df5b6765f57.exe
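The WriteProcessMemory rows above are the most reliable record of who launched what: each "PID A wrote to memory of B" line is a write from a parent into a process it created, and the report prints one line per write, so the same edge appears several times. The script below is an added example by the editor, not sandbox output or code from the report: it collapses the rows into a parent-to-child map, counts the writes per edge, renders the chain as an indented tree, and lists edges where a process wrote into a copy of its own image (72a3df5b6765f57.exe into 72a3df5b6765f57.exe above). The embedded rows are a subset of the table above with their repeat counts preserved; the PIDs and images are the report's own.

```python
import re

_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+\S+\s+(\S+)\s+(\S+)$")


def build_tree(rows):
    """Collapse 'PID A wrote to memory of B' rows into {pid: {image, parent, writes}}.
    A pid that only ever appears as a writer gets parent None (a root); repeated
    writes to the same child are counted rather than duplicated."""
    nodes = {}
    for line in rows:
        m = _ROW.match(line.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        nodes.setdefault(src, {"image": src_img, "parent": None, "writes": 0})
        child = nodes.setdefault(dst, {"image": dst_img, "parent": src, "writes": 0})
        child["parent"] = src
        child["writes"] += 1
    return nodes


def children_of(nodes, pid):
    return sorted(p for p, n in nodes.items() if n["parent"] == pid)


def render(nodes):
    """Indented text tree, one line per process, write count shown on each edge."""
    out = []

    def walk(pid, depth):
        n = nodes[pid]
        name = n["image"].rsplit("\\", 1)[-1]
        edge = f" (writes={n['writes']})" if n["parent"] is not None else ""
        out.append("  " * depth + f"{pid} {name}{edge}")
        for c in children_of(nodes, pid):
            walk(c, depth + 1)

    for root in sorted(p for p, n in nodes.items() if n["parent"] is None):
        walk(root, 0)
    return out


def self_writes(nodes):
    """(parent, child) edges where the writer and target share an image name:
    a process spawned a copy of itself and wrote into it."""
    return sorted((n["parent"], pid) for pid, n in nodes.items()
                  if n["parent"] is not None
                  and nodes[n["parent"]]["image"].lower() == n["image"].lower())


_T = r"C:\Users\Admin\AppData\Local\Temp"
_CMD = r"C:\Windows\SysWOW64\cmd.exe"
_SETUP = rf"{_T}\7zS4B76ABB7\setup_install.exe"
_SELF = rf"{_T}\7zS4B76ABB7\72a3df5b6765f57.exe"
# (writer pid, target pid, writer image, target image, lines in the report)
EDGES = [
    (1972, 3884, rf"{_T}\0a7b9a3a120d129f53edd0c6fa2564b2.exe", _SETUP, 3),
    (3884, 4588, _SETUP, _CMD, 3),
    (3884, 1872, _SETUP, _CMD, 3),
    (3884, 5084, _SETUP, _CMD, 3),
    (1872, 1324, _CMD, r"C:\Windows\system32\backgroundTaskHost.exe", 3),
    (4588, 3012, _CMD, rf"{_T}\7zS4B76ABB7\38a72d1941.exe", 3),
    (5084, 2708, _CMD, _SELF, 3),
    (2708, 4024, _SELF, _SELF, 3),
]
SAMPLE_ROWS = [f"PID {s} wrote to memory of {d} N/A {si} {di}"
               for s, d, si, di, n in EDGES for _ in range(n)]

if __name__ == "__main__":
    tree = build_tree(SAMPLE_ROWS)
    print("\n".join(render(tree)))
    print("self-writes:", self_writes(tree))
```

Run against the full table the tree shows the two-stage layout directly: the sample writes only into setup_install.exe, setup_install.exe fans out through eight cmd.exe /c launches, and each cmd.exe starts exactly one dropped executable, which is the shape a detection on "cmd.exe launching an executable from a 7zS* temp directory" would catch regardless of the payload names.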

Processes

C:\Users\Admin\AppData\Local\Temp\0a7b9a3a120d129f53edd0c6fa2564b2.exe

"C:\Users\Admin\AppData\Local\Temp\0a7b9a3a120d129f53edd0c6fa2564b2.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 0c1a94348.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ae53a1dbd6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 72a3df5b6765f57.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c d8209827f876d25.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c b7816bfa03.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c dc56b88fa7bd64.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 2e80f89eab2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 38a72d1941.exe

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\38a72d1941.exe

38a72d1941.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3884 -ip 3884

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\ae53a1dbd6.exe

ae53a1dbd6.exe

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\dc56b88fa7bd64.exe

dc56b88fa7bd64.exe

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\72a3df5b6765f57.exe

72a3df5b6765f57.exe

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\2e80f89eab2.exe

2e80f89eab2.exe

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\b7816bfa03.exe

b7816bfa03.exe

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\d8209827f876d25.exe

d8209827f876d25.exe

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\0c1a94348.exe

0c1a94348.exe

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\72a3df5b6765f57.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\72a3df5b6765f57.exe" -a

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Roaming\ehsigcj

C:\Users\Admin\AppData\Roaming\ehsigcj

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 s.lletlee.com udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
NL 37.0.8.235:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 iplogger.org udp
US 104.21.4.208:443 iplogger.org tcp
US 8.8.8.8:53 208.4.21.104.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 104.21.4.208:443 iplogger.org tcp
US 8.8.8.8:53 53.96.141.3.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
RU 185.230.143.16:32115 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 74.114.154.22:443 lenak513.tumblr.com tcp
N/A 127.0.0.1:49600 tcp
N/A 127.0.0.1:49604 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 aucmoney.com udp
US 8.8.8.8:53 thegymmum.com udp
US 8.8.8.8:53 atvcampingtrips.com udp
NL 37.0.11.8:80 tcp
US 8.8.8.8:53 kuapakualaman.com udp
US 8.8.8.8:53 renatazarazua.com udp
US 8.8.8.8:53 nasufmutlu.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
RU 185.230.143.16:32115 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
RU 185.230.143.16:32115 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
GB 96.16.110.41:443 tcp
US 192.229.221.95:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
RU 185.230.143.16:32115 tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
RU 185.230.143.16:32115 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
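The network table above is one row per flow, so a single beacon target (live.goatgame.live) accounts for most of the rows and the rarer destinations are easy to miss. The reducer below is an added example by the editor, not part of the report: it folds the rows into unique destinations with counts, separates DNS queries from connections, and reports two things a responder wants in a block list and the table does not state outright: names that were queried but never connected to (s.lletlee.com, watira.xyz and the other .com names above; the table cannot show whether resolution failed, only that no flow followed), and connections made to a bare IP with no name (185.230.143.16:32115, 212.193.30.115:80, 37.0.8.235:80, 37.0.11.8:80). The embedded rows are a subset copied from the table above; the loopback filter and the "DNS only" notion are the editor's assumptions.

```python
import re
from collections import Counter

# One row of the report's "Country Destination Domain Proto" table; the domain
# column is absent for direct-IP connections.
_ROW = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")


def parse_rows(rows):
    recs = []
    for line in rows:
        m = _ROW.match(line.strip())
        if m:
            cc, ip, port, dom, proto = m.groups()
            recs.append({"cc": cc, "ip": ip, "port": int(port), "domain": dom, "proto": proto})
    return recs


def summarise(rows):
    """Fold flows into unique destinations and split DNS activity from connections."""
    queried, ptr = set(), set()
    conns, meta = Counter(), {}
    for r in parse_rows(rows):
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            name = r["domain"].lower()
            (ptr if name.endswith(".in-addr.arpa") else queried).add(name)
            continue
        key = (r["ip"], r["port"])
        conns[key] += 1
        meta.setdefault(key, {"cc": r["cc"], "domain": r["domain"]})
    connected = {m["domain"].lower() for m in meta.values() if m["domain"]}
    return {
        "connections": [{"ip": ip, "port": port, "count": n, **meta[(ip, port)]}
                        for (ip, port), n in conns.most_common()],
        # queried by name, but no flow in the capture carries that name
        "dns_only": sorted(queried - connected),
        # flows with no name attached; loopback (assumed sandbox-internal) dropped
        "direct_ip": sorted(f"{ip}:{port}" for (ip, port), m in meta.items()
                            if not m["domain"] and not ip.startswith("127.")),
        "ptr_lookups": sorted(ptr),
    }


def ioc_lines(summary):
    """Flat, one-destination-per-line view suitable for pasting into a block list."""
    out = [f"{c['ip']}:{c['port']} {c['domain'] or '-'} {c['cc']} x{c['count']}"
           for c in summary["connections"] if not c["ip"].startswith("127.")]
    out += [f"dns-only {d}" for d in summary["dns_only"]]
    return out


SAMPLE_ROWS = [  # subset of the table above, in the report's order
    "US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp",
    "US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp",
    "US 20.231.121.79:80 tcp",
    "US 8.8.8.8:53 watira.xyz udp",
    "US 8.8.8.8:53 ipinfo.io udp",
    "US 8.8.8.8:53 s.lletlee.com udp",
    "US 34.117.186.192:443 ipinfo.io tcp",
    "US 8.8.8.8:53 cdn.discordapp.com udp",
    "US 162.159.129.233:443 cdn.discordapp.com tcp",
    "NL 37.0.8.235:80 tcp",
    "US 8.8.8.8:53 live.goatgame.live udp",
    "US 3.141.96.53:443 live.goatgame.live tcp",
    "US 8.8.8.8:53 iplogger.org udp",
    "US 104.21.4.208:443 iplogger.org tcp",
    "US 3.141.96.53:443 live.goatgame.live tcp",
    "RU 185.230.143.16:32115 tcp",
    "US 3.141.96.53:443 live.goatgame.live tcp",
    "US 8.8.8.8:53 s.lletlee.com udp",
    "N/A 127.0.0.1:49600 tcp",
    "NL 212.193.30.115:80 tcp",
    "RU 185.230.143.16:32115 tcp",
    "US 3.141.96.53:443 live.goatgame.live tcp",
]

if __name__ == "__main__":
    print("\n".join(ioc_lines(summarise(SAMPLE_ROWS))))
```

Treat the two output lists differently: a direct-IP destination on an unusual port is a strong indicator, whereas a DNS-only name may be a failed or sinkholed lookup and should be confirmed against passive DNS before it goes into a block list.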

Files

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe

MD5 30dd6a1c785c32523047663952d1e13d
SHA1 ade55eaa7ca9781e5536f776ec104e10f344d7a5
SHA256 cf3d67165005cc488a7c5d2c2511ae5aff92ac4388e7fc6bc73060af112ce9d0
SHA512 aa6def357ef9d233ed290bafc46036468bb82db0800085798674a2b74e3923f427ff5ab04c8bfa031ac8d15e98f356201400e30636fda453cb0ff2a3e1f1f516

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe

MD5 69e9a20efc45f47bd0c646c7b79746eb
SHA1 a770f4f9d6b0a311852198c8ae873b0cf899b8af
SHA256 590cb3af3cdf8128482a550c5e91c2d0adfc7be7f95e2d6e3644de9251460b44
SHA512 e0980c11c02ccbcc91f5f876e5b65b3663a0497f312a368a4e68be48784fcf250f1504cffbbccebae66175c8fb603133a21de3b986dcd15654337e1468b2abf0

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\setup_install.exe

MD5 2175658e1fcec76a17af6bae6b89d693
SHA1 1f2da5edc28b70734dca5a7b563d4251a2b881cd
SHA256 407a0d64733bae9130f9530ee3a64df6f9e163efb3472d3b857007f82f71c91d
SHA512 82aaa490979193d947f05a786a1853d2eea36a322b83c16fc565bde778aebbd97e9b96be0e5eb652b9e253e5ed47aa8e0586df42344cb9c063daa74ccd99ec13

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/3884-25-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3884-29-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3884-30-0x0000000000F10000-0x0000000000F9F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/3884-34-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3884-35-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3884-37-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3884-36-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3884-38-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3884-40-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3884-39-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3884-42-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3884-41-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3884-43-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3884-44-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\0c1a94348.exe

MD5 a508b5d5aa6d99b8c3d838e8ddfa2094
SHA1 9dd372c7b65f4b95a7f5fe1bc8a86417eaa5223a
SHA256 6978e86b3708438492944ecfa2fb06001c0372905fa1f820d145437546a2dc70
SHA512 2383cb732a895b34b0a36259ec550b2a62c4cda138127845744935fca74228525024d6153b3d244fb60443663d08276c8e63fde0bd6f237340828e27b2478068

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\ae53a1dbd6.exe

MD5 0c42958395907fb667234e10bdeb3b13
SHA1 1af2dbdb57669e979effb1779db88c76ada28692
SHA256 66c668f22e3a7a6e3a33f234a8964385989b5fbb4730e0e5bed56fd65cccb813
SHA512 da403190df53f757ca16ec6e3e5f5ee682053abf66a76f52ffc62476876b25f9ffe4ca9535c6b7cf7fc6f32d9913ed12cc7ee72dc99749e1fcdfa755e2ee6fce

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\38a72d1941.exe

MD5 bbb4bf1874c6aa848fed02937d6fdfed
SHA1 0c2448d8ee34cabadb2cda9645ff1f357f0cbc6b
SHA256 995fadfd5fda48492e08b3377e91578fc2d52127d530aacda18c463a20c6373f
SHA512 5c607d29eb241a181fb76c4ebe38d8bd8a328f02f39d2e1e68615d2d7a238a4ea19d4b34643042343c0448facf1180a5053bd424a3a61f74f17aecbe0450744a

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\dc56b88fa7bd64.exe

MD5 ea851f7d3444c4ff1039e6bbe8d74c11
SHA1 953d9c05d4dc8a91dd47328d8ddd5a9cb5b8c2f0
SHA256 4de84c3c90d688e3a9f69d49e5cad4167a40aa4c98f29d35b36da770c43b8e3e
SHA512 e407accc4dd032bf354a309f6e860b921083c222c8304bab0057230cfeaa3ed959c45b8bf663109c7cb9f485644121fb35d66da00f0a0ccd2aea0806c66a1db0

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\2e80f89eab2.exe

MD5 249f4b4a357ca5315c51a6365976490a
SHA1 61e01fc35dbcf5818904072f2622806959c14dd1
SHA256 b45ef323a3878ae53aaed179e40c321b3dfe81cd88129f1168911ded606e345b
SHA512 cdd2c0a2597be7b6be42d7ba6813af7a046b5fb486620016b74e08146d65c25cb50565913c888b0ac456479f2c3ba513d26e2004ed25cd4519c9a0993daf376f

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\b7816bfa03.exe

MD5 83cc20c8d4dd098313434b405648ebfd
SHA1 59b99c73776d555a985b2f2dcc38b826933766b3
SHA256 908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
SHA512 e00009e1f322a1fe6e24f88a1cc722acf3094569174e7c58ebf06f75f50a7735dcebf3e493886bbdc87593345adc8bb7b6f2daca2e64618f276075a0bb46bb8c

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\ae53a1dbd6.exe

MD5 22059847d8fa60fe8eabba11d3bac0f8
SHA1 151a609099722f3d78b9769a604a882aa9b44f37
SHA256 5974ae44f8a95fc4c81775aa6c6ae31eaff5be20ee9a06c3e322d9393898c329
SHA512 3f1f27fbeb7f42f4acce5f71964925591d72d8135abd2077e8623f3e53b598633b4d9612ba3e65207623d260da918d009a90e46f6da3daad33511490e8ba9e34

memory/4792-84-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\72a3df5b6765f57.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

C:\Users\Admin\AppData\Local\Temp\7zS4B76ABB7\38a72d1941.exe

MD5 6269626f2a26c49e1ddc4cc4266ad3c2
SHA1 e9c4590dcc81c47066b830b03dbfb3b296e02a85
SHA256 2aa8d4e4862b3aaa1b418b0457fd9d96aa5b28f7792962ece5a010f357e51839