Malware Analysis Report

2024-10-19 02:13

Sample ID 231231-cfv52sbbck
Target 23b9f735f8bb2607ae05fec9b71dee60
SHA256 0df9cc018e5258e289ffea0bb4137ae6f0bc8fe85b48b544520c7dae95453f68
Tags
nullmixer privateloader risepro smokeloader zgrat pub6 aspackv2 backdoor dropper evasion loader rat spyware stealer themida trojan vidar 706
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

0df9cc018e5258e289ffea0bb4137ae6f0bc8fe85b48b544520c7dae95453f68

Threat Level: Known bad

The file 23b9f735f8bb2607ae05fec9b71dee60 was found to be: Known bad.

Malicious Activity Summary

nullmixer privateloader risepro smokeloader zgrat pub6 aspackv2 backdoor dropper evasion loader rat spyware stealer themida trojan vidar 706

Vidar

ZGRat

NullMixer

PrivateLoader

SmokeLoader

Detect ZGRat V1

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

Checks BIOS information in registry

Reads user/profile data of web browsers

Executes dropped EXE

ASPack v2.12-2.42

Themida packer

Loads dropped DLL

Checks whether UAC is enabled

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 02:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 02:01

Reported

2024-01-01 21:21

Platform

win7-20231215-en

Max time kernel

151s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23b9f735f8bb2607ae05fec9b71dee60.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7zSC850D246\643ed1025.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zSC850D246\643ed1025.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7zSC850D246\643ed1025.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\23b9f735f8bb2607ae05fec9b71dee60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\ff5062b298561564.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\ff5062b298561564.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\d51ca42487e4978.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\d51ca42487e4978.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\643ed1025.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\643ed1025.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\aeede9411b71dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\aeede9411b71dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\d5ed2ea795609.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\d5ed2ea795609.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\ff5062b298561564.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\ff5062b298561564.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\ff5062b298561564.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7zSC850D246\643ed1025.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A
N/A ipinfo.io N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\643ed1025.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC850D246\d51ca42487e4978.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC850D246\d51ca42487e4978.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC850D246\d51ca42487e4978.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\7zSC850D246\60915a1172471a6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7zSC850D246\60915a1172471a6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\7zSC850D246\60915a1172471a6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\7zSC850D246\aeede9411b71dc1.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\7zSC850D246\60915a1172471a6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\7zSC850D246\60915a1172471a6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\7zSC850D246\aeede9411b71dc1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\7zSC850D246\60915a1172471a6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\7zSC850D246\60915a1172471a6.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\d51ca42487e4978.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\d51ca42487e4978.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\d51ca42487e4978.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\6e6c48dd68bf93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\60915a1172471a6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\643ed1025.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2460 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\23b9f735f8bb2607ae05fec9b71dee60.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2460 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\23b9f735f8bb2607ae05fec9b71dee60.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2460 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\23b9f735f8bb2607ae05fec9b71dee60.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2460 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\23b9f735f8bb2607ae05fec9b71dee60.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2460 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\23b9f735f8bb2607ae05fec9b71dee60.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2460 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\23b9f735f8bb2607ae05fec9b71dee60.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2460 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\23b9f735f8bb2607ae05fec9b71dee60.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1420 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe
PID 1420 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe
PID 1420 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe
PID 1420 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe
PID 1420 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe
PID 1420 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe
PID 1420 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe
PID 2868 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\23b9f735f8bb2607ae05fec9b71dee60.exe

"C:\Users\Admin\AppData\Local\Temp\23b9f735f8bb2607ae05fec9b71dee60.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c aeede9411b71dc1.exe

C:\Users\Admin\AppData\Local\Temp\7zSC850D246\6e6c48dd68bf93.exe

6e6c48dd68bf93.exe

C:\Users\Admin\AppData\Local\Temp\7zSC850D246\ff5062b298561564.exe

ff5062b298561564.exe

C:\Users\Admin\AppData\Local\Temp\7zSC850D246\ff5062b298561564.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC850D246\ff5062b298561564.exe" -a

C:\Users\Admin\AppData\Local\Temp\7zSC850D246\aeede9411b71dc1.exe

aeede9411b71dc1.exe

C:\Users\Admin\AppData\Local\Temp\7zSC850D246\d5ed2ea795609.exe

d5ed2ea795609.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 428

C:\Users\Admin\AppData\Local\Temp\7zSC850D246\60915a1172471a6.exe

60915a1172471a6.exe

C:\Users\Admin\AppData\Local\Temp\7zSC850D246\643ed1025.exe

643ed1025.exe

C:\Users\Admin\AppData\Local\Temp\7zSC850D246\d51ca42487e4978.exe

d51ca42487e4978.exe

C:\Users\Admin\AppData\Local\Temp\7zSC850D246\36513cfafe7.exe

36513cfafe7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c d5ed2ea795609.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c d51ca42487e4978.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 60915a1172471a6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 36513cfafe7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 643ed1025.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6e6c48dd68bf93.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ff5062b298561564.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME22.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {F003F000-562E-48F4-97F2-78A95CD4A28C} S-1-5-21-2444714103-3190537498-3629098939-1000:DJLAPDMX\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\ciddbca

C:\Users\Admin\AppData\Roaming\ciddbca

Network

Country Destination Domain Proto
US 8.8.8.8:53 marisana.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 live.goatgame.live udp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 172.67.75.166:443 db-ip.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 music-sec.xyz udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
RU 185.230.143.16:32115 N/A tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 iplogger.org udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 172.67.132.113:443 iplogger.org tcp
US 104.26.5.15:443 db-ip.com tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 aucmoney.com udp
US 172.67.132.113:443 iplogger.org tcp
US 8.8.8.8:53 thegymmum.com udp
US 8.8.8.8:53 api.db-ip.com udp
US 172.67.75.166:443 api.db-ip.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 www.maxmind.com udp
RU 185.230.143.16:32115 N/A tcp
US 8.8.8.8:53 atvcampingtrips.com udp
US 8.8.8.8:53 kuapakualaman.com udp
US 8.8.8.8:53 renatazarazua.com udp
US 8.8.8.8:53 nasufmutlu.com udp
US 104.18.146.235:80 www.maxmind.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 37.0.8.235:80 N/A tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
N/A 127.0.0.1:49261 N/A tcp
N/A 127.0.0.1:49263 N/A tcp
US 3.141.96.53:443 live.goatgame.live tcp
RU 185.230.143.16:32115 N/A tcp
NL 37.0.11.8:80 N/A tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 104.21.5.208:80 wfsdragon.ru tcp
RU 185.230.143.16:32115 N/A tcp
NL 212.193.30.115:80 N/A tcp
US 3.20.137.44:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 N/A tcp
RU 185.230.143.16:32115 N/A tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 N/A tcp
RU 185.230.143.16:32115 N/A tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 619d77855145f328b32bd87c8df6036d
SHA1 d62d98f370bae64cfcd2a8e949ea6309b20c9799
SHA256 e7f759d22ba2bccad6391e7e0c218a14583840fcb1c9070450966ba778022f47
SHA512 b9416c2e91ba8c80498b3a5cba99c507939810bd4ab27739690e4472f3f789eadd53b076959570d84f5bb2ce33f93c58574ce424349063ecfe922c35bce82d5e

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 5f48c802595aeb3a610c55ec43252b3a
SHA1 d02fabe9babe9d4b9b0521aaa006948745d6b38a
SHA256 6a2ba176db47340d33c11fa2c7a087a50c8134ee4114e7df0356fa75b4f4c9bd
SHA512 16e949fbe0f10e222f4215232a134346e273760954260d7ea9614764106494016c8fdbb81080a11f7f8bd32502f182c0ea515f2edca080efb1692d8cc6bf5d18

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 cad52ff2c62dfc3416fa007d448d6d9c
SHA1 689956df28e63648a547b556e6de15075f75227d
SHA256 a2fb98138b5143e47e9dd56aa179c2d4564c0912884bddf733bef764d3172817
SHA512 ad8345665fa1bde07694941a2a70307537b453d2b2640783785c0647523177f802c83dcb22f065c6190f1f551885fbde84871a6d4313f2176503d0f3c4567592

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 931eb7070dac1df01573dd2f23083aaa
SHA1 ae6518ba16897fc48daac4ac0f238aaa609b72f1
SHA256 c67ecd350f4a7835a6dc6240d518c37099f1438ca90725c6cc46efb5fd6e589a
SHA512 737e84da98a20f550fafb5e09777c788f26e9b3d0ca82f7f8d06c6e89ac3002b2b86bc7e99a598d3cd3b71d4938e7aeea98d6bc3462f931f073bf5bc8dd1ec74

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 507acb997895041f07a6a9c80154f5e0
SHA1 4e8f6cec7e2007a4a8bfa82ddc71811c5b06177f
SHA256 4b1f5d84709e8d0903ced213c0f5e79506a3cda51087ca367b40b6926d195b84
SHA512 3d763aad227dddb9d03940869fdeb7255d8aa3a40f9d1a62b062bba55490a31348f7f05e4b50453c5b856ee1068f9dee9d111c054d67f55bdb46a31c4984cbc8

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 62f98af0c33f740adc6b8d666e42010b
SHA1 3646b2bcb755b9b8e135c046b4cb11a1e9a4ae0b
SHA256 c0bc7aa608a398bd6b8db3f66dd6043c974451645defd1143285f1533a42e4b7
SHA512 428021513e2e47f703a122c74a9ff2bd20e68c572773f6ae8b76e048f194ef81bab08357fd138feead95d03abb5a98f15074fc2c7be678cd447aa2a04e73039d

\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe

MD5 b4610bb00a5980cbcde67db52c04160f
SHA1 293b56e5a4c47c1b113435d6da2d71a96f18e89b
SHA256 25fe5b8f1ef8b1303e2e350a798b8c7147b924ddac9a63d3873e51332d5363f6
SHA512 c4e13da87737db33509fa4a0aebb9ef367d1944e4ae4525780153d9de6c51191be38c4fe36bf83a5d3c931919ed84c64418178bb608a2e3fdd7c3e21dbbe6f28

C:\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe

MD5 98628c1cc3536c3bb4b51c11418a8096
SHA1 2405ca67d664ca78a18a93620ca3da99de43e1f4
SHA256 53b93e5eba1b51da19f0a4a37a57ca0da0f529f246ec13f99427a2704228d1fb
SHA512 ea301a30f0fdb80e9024868e70af3c31face167751e85ac8f926ca6611f7db4d3a17082d0a0f2548f517d130e56a29401d9edfcd2cae7ed705046b5116692f5b

\Users\Admin\AppData\Local\Temp\7zSC850D246\setup_install.exe

MD5 1749adb3c57bb0d113d2e7a8bcb27feb
SHA1 26d69a2834a854ac4f9a9ce6a64dac734e07f5a6
SHA256 e1fe91029d7bb0d7b1b6778d4bd1467967060792ad744f3afeea02068f1ec830

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 02:01

Reported

2024-01-01 21:21

Platform

win10v2004-20231215-en

Max time kernel

3s

Max time network

83s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23b9f735f8bb2607ae05fec9b71dee60.exe"

Signatures

Detect ZGRat V1


NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

ZGRat

rat zgrat

Vidar Stealer

stealer

ASPack v2.12-2.42

aspackv2

Themida packer

themida

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\23b9f735f8bb2607ae05fec9b71dee60.exe

"C:\Users\Admin\AppData\Local\Temp\23b9f735f8bb2607ae05fec9b71dee60.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS024DB887\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS024DB887\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c aeede9411b71dc1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c d51ca42487e4978.exe

C:\Users\Admin\AppData\Local\Temp\7zS024DB887\643ed1025.exe

643ed1025.exe

C:\Users\Admin\AppData\Local\Temp\7zS024DB887\60915a1172471a6.exe

60915a1172471a6.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1620 -ip 1620

C:\Users\Admin\AppData\Local\Temp\7zS024DB887\d5ed2ea795609.exe

d5ed2ea795609.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 556

C:\Users\Admin\AppData\Local\Temp\7zS024DB887\ff5062b298561564.exe

"C:\Users\Admin\AppData\Local\Temp\7zS024DB887\ff5062b298561564.exe" -a

C:\Users\Admin\AppData\Local\Temp\7zS024DB887\d51ca42487e4978.exe

d51ca42487e4978.exe

C:\Users\Admin\AppData\Local\Temp\7zS024DB887\36513cfafe7.exe

36513cfafe7.exe

C:\Users\Admin\AppData\Local\Temp\7zS024DB887\6e6c48dd68bf93.exe

6e6c48dd68bf93.exe

C:\Users\Admin\AppData\Local\Temp\7zS024DB887\aeede9411b71dc1.exe

aeede9411b71dc1.exe

C:\Users\Admin\AppData\Local\Temp\7zS024DB887\ff5062b298561564.exe

ff5062b298561564.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c d5ed2ea795609.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 60915a1172471a6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 36513cfafe7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 643ed1025.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6e6c48dd68bf93.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ff5062b298561564.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME22.exe

Network


Files


memory/4564-100-0x00007FFC80700000-0x00007FFC811C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS024DB887\d51ca42487e4978.exe

MD5 0b0c1181c3a355d84483e9b8f686c177
SHA1 bcb0e9147578d4c3df5381fa7224545aaee46807
SHA256 b767302fa6b8f1794f7b6942bf2df7439fa355f0c8003cf0bcfc18118e474f81
SHA512 02f1fa98c12d0aec686c0ddc6795aa7e3ca9c0c5295aba5c85eadcc5c09a8768d98b61ea62197b89a7237263f660dc1ed03203679159332dc732da178b1009f4

C:\Users\Admin\AppData\Local\Temp\7zS024DB887\60915a1172471a6.exe

MD5 181f1849ccb484af2eebb90894706150
SHA1 45dee946a7abc9c1c05d158a05e768e06a0d2cdc
SHA256 aeb2d203b415b00e0a23aa026862cec8e11962fdb99c6dce38fb0b018b7d8409
SHA512 a87485005ca80e145a7b734735184fa2d374a7f02e591eec9e51b77dc2a51be7f8198ce5abfceb9546c48bf235a555f19d6c57469975d0b4c786b0db16df930c

memory/3112-85-0x0000000000110000-0x0000000000118000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS024DB887\6e6c48dd68bf93.exe

MD5 83cc20c8d4dd098313434b405648ebfd
SHA1 59b99c73776d555a985b2f2dcc38b826933766b3
SHA256 908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
SHA512 e00009e1f322a1fe6e24f88a1cc722acf3094569174e7c58ebf06f75f50a7735dcebf3e493886bbdc87593345adc8bb7b6f2daca2e64618f276075a0bb46bb8c

C:\Users\Admin\AppData\Local\Temp\7zS024DB887\643ed1025.exe

MD5 47aa23d14d47ae5dd44249d748c6efca
SHA1 b4a6fe3a39c29a3a1e29a746632063a55758d666
SHA256 40a63375c298e62eaac01a3987605fbe0fb088eccaa1352f22ac5f89ad81afa6
SHA512 39763203cb4b9d8ecf1fefc6077ef6d6b02b2bedd2e8dadc4857091a0d107948efb9388bd15500e0ba83b89fd1f35618ff73e4aa513bfdd86a3a420791487f68

C:\Users\Admin\AppData\Local\Temp\7zS024DB887\aeede9411b71dc1.exe

MD5 4e688ae5f7d1c9d2916d179850064249
SHA1 7568877cc7680a4778ed0097c2c6ed913d6257b5
SHA256 30cbbb0dece59f0a22a86b83f062285eb9771debba58c8480458892a7dcb25cc
SHA512 959c122649baf8268dcb22c62c396de75c803611d8bbcc7561771ff83c1b373c17a42a8e5c8f6028895028fc9ad024ceb6826caa5d399e62d9b841d9c3317bf3

memory/1620-52-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1620-51-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1620-49-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1620-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1620-45-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4564-138-0x000000001BE50000-0x000000001BF52000-memory.dmp

memory/4564-139-0x00007FFC80700000-0x00007FFC811C1000-memory.dmp

memory/232-142-0x0000000000400000-0x0000000000902000-memory.dmp

memory/3400-140-0x0000000002480000-0x0000000002496000-memory.dmp

memory/1224-147-0x00000000776D0000-0x00000000777C0000-memory.dmp

memory/1224-151-0x00000000776D0000-0x00000000777C0000-memory.dmp

memory/1224-154-0x00000000776D0000-0x00000000777C0000-memory.dmp

memory/1224-153-0x00000000776D0000-0x00000000777C0000-memory.dmp

memory/1224-152-0x00000000776D0000-0x00000000777C0000-memory.dmp

memory/1224-150-0x00000000776D0000-0x00000000777C0000-memory.dmp

memory/3112-149-0x00000000009A0000-0x00000000009B0000-memory.dmp

memory/3112-148-0x000000001AC60000-0x000000001AD62000-memory.dmp

memory/1224-155-0x00000000776D0000-0x00000000777C0000-memory.dmp