Analysis Overview
SHA256
356b0cafa50b44b352ff1f95515b81af4ef5a5269343d8c459306b8d3261a58d
Threat Level: Known bad
The file 2a7a53a25f11a4e0b70f19e1a49d5229 was found to be: Known bad.
Malicious Activity Summary
PrivateLoader
NullMixer
SmokeLoader
Vidar
Vidar Stealer
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 05:43
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 05:43
Reported
2024-01-05 17:09
Platform
win7-20231215-en
Max time kernel
0s
Max time network
149s
Command Line
Signatures
NullMixer
PrivateLoader
SmokeLoader
Vidar
Vidar Stealer
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\49b64a222d62322.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2444 wrote to memory of 2640 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2a7a53a25f11a4e0b70f19e1a49d5229.exe
"C:\Users\Admin\AppData\Local\Temp\2a7a53a25f11a4e0b70f19e1a49d5229.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 49b64a222d62322.exe
C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\e2651aae101285.exe
"C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\e2651aae101285.exe" -a
C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\d128da868eace63.exe
d128da868eace63.exe
C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\49b64a222d62322.exe
49b64a222d62322.exe
C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\671e9c9b76adcf6.exe
671e9c9b76adcf6.exe
C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\e2651aae101285.exe
e2651aae101285.exe
C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\49b456537.exe
49b456537.exe
C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\49f7436351.exe
49f7436351.exe
C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\c3fd6c993b4.exe
c3fd6c993b4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 671e9c9b76adcf6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 49b456537.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e2651aae101285.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c d128da868eace63.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c3fd6c993b4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 49f7436351.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 408
C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\setup_install.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 952
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | lenak513.tumblr.com | udp |
| US | 74.114.154.22:443 | lenak513.tumblr.com | tcp |
| NL | 37.0.8.235:80 | | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.21.4.208:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | aucmoney.com | udp |
| NL | 37.0.11.8:80 | | tcp |
| US | 8.8.8.8:53 | thegymmum.com | udp |
| US | 8.8.8.8:53 | atvcampingtrips.com | udp |
| US | 8.8.8.8:53 | kuapakualaman.com | udp |
| US | 8.8.8.8:53 | renatazarazua.com | udp |
| US | 8.8.8.8:53 | nasufmutlu.com | udp |
| US | 3.20.137.44:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| NL | 212.193.30.115:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | d772d6902200f5d4599a9b27d0d8f9e6 |
| SHA1 | 564eefb3fabe655b2fb51f492959b158cb20e12d |
| SHA256 | 7bf11639663306b53a7fe0e3826d12f03e1dda7b1fb3abaa758e3281d35f8e17 |
| SHA512 | 6682d79a013129aceba9cde75a82f0444a28d30bfbd1c4656d7e3774b469283027a780362657c908c991f9b5939db32792e6713a323667ab763a95b3f3e23d36 |
C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\setup_install.exe
| MD5 | ce3f2b4ed7f6aba3906306552cfc1545 |
| SHA1 | c7d742c63f5cd95955b259e6ebdc1bcc44365850 |
| SHA256 | 79e7d8f2016bfacef67f0f83a5ff9cb52c7bc23113e5c313c2e797da85da85d7 |
| SHA512 | 3503f55cdc79401fd76de0c48eadbe8cc764ddb16b2ed63a3506e1ff8d9045c88670fb24a3340a122977c869a415f85c16d090c8ffaa6f9ee4ecba7a5f5b935b |
\Users\Admin\AppData\Local\Temp\7zS05AC4D06\setup_install.exe
| MD5 | 4f92cdcf9b3545d427cc9d75d5bb62e3 |
| SHA1 | 78dcfe14d712a2212aeb2f31720947bd414a50e8 |
| SHA256 | 13e028df787dc990d8b3eb48c678d09ad5de777e3752ef0032a6c31b9a7be752 |
| SHA512 | 053739750c94b3bfa6c30a8fee2fa648ec80dd311ff58bc56255101afce557c06ae0a152710127b2cb4913749f881fec80645fd5fedc2c130c7fc1d512fb14cd |
\Users\Admin\AppData\Local\Temp\7zS05AC4D06\setup_install.exe
| MD5 | 10d261cf02d9341bbd89952785830a3f |
| SHA1 | e9d3001c3805f2a6ef214ae24faf251866644e34 |
| SHA256 | 12006c24e9e356216842871acf8bd9f373ee024de50c2fc5150dab3a19fe86d1 |
| SHA512 | 1651da4af9053dada9b09c6bc3e8245614656d86a33312d2d09571f1cd3b783b2f00b71e5ca63ac43a145103c199776b848d1877038c995c25ff24d87e6966a4 |
C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\setup_install.exe
| MD5 | 302fc869c0280dcc7c2d5f9037f145b5 |
| SHA1 | d5312f84f06eb9743eea9cc2a70d5a1b4cae978e |
| SHA256 | 96486cd072c49dadd037b5759623d5ff9afcc29ab9ed621f304e506189b86133 |
| SHA512 | 57ac48a4e1a0d79d1e75b63f15a7f8d76bc6294abe9c1e21832738a915eb64b42237fcc4014753e652d8eacb223cc83aac2a22fe951d0fb45aa4a9a21bda6278 |
\Users\Admin\AppData\Local\Temp\7zS05AC4D06\setup_install.exe
| MD5 | 54505a3a0ba8f4379f1dabead3711a26 |
| SHA1 | c516fcbb3eebb05d2e818de0696ac65f50baaa6b |
| SHA256 | 9e67a053b6761e2418586bc0d6dccb1f1d86baa05e46b37fc2735c57ce3f6e7d |
| SHA512 | 2f184269bf358459de906f54c33280def6fbc54fd92b0cf5def05f85355631e03cbab62a0513232f56eeee39993b3e5c5a85c41d4be93cb8d62ac55e30602d66 |
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 514f856967233888b92235662dee2d4a |
| SHA1 | 73d4ff7cbd1fe1f87f4ac3dfb58c247ed197d527 |
| SHA256 | 98c879d5cffd45d3ebefbece199ef1e9f885ce1cffc5799459b4f8156d9b45ca |
| SHA512 | dd4d2ee9068a97b3f8eeaefdd37b2557afb416e5553018e87617d889ca8f84d9bbd3ee3d599cc73121218370a22c6eeedbfd27d1fdd85b10c1798b7bf5471abe |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 05:43
Reported
2024-01-05 17:08
Platform
win10v2004-20231222-en
Max time kernel
0s
Max time network
148s
Command Line
Signatures
NullMixer
PrivateLoader
SmokeLoader
Vidar
Vidar Stealer
ASPack v2.12-2.42
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS89051867\setup_install.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2a7a53a25f11a4e0b70f19e1a49d5229.exe
"C:\Users\Admin\AppData\Local\Temp\2a7a53a25f11a4e0b70f19e1a49d5229.exe"
C:\Users\Admin\AppData\Local\Temp\7zS89051867\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS89051867\setup_install.exe"
C:\Users\Admin\AppData\Local\Temp\7zS89051867\49b456537.exe
49b456537.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 544
C:\Users\Admin\AppData\Local\Temp\7zS89051867\e2651aae101285.exe
"C:\Users\Admin\AppData\Local\Temp\7zS89051867\e2651aae101285.exe" -a
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2424 -ip 2424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2424 -ip 2424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2416 -ip 2416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2424 -ip 2424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2424 -ip 2424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 884
C:\Users\Admin\AppData\Local\Temp\7zS89051867\49f7436351.exe
49f7436351.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2424 -ip 2424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 992
C:\Users\Admin\AppData\Local\Temp\7zS89051867\d128da868eace63.exe
d128da868eace63.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2424 -ip 2424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 1084
C:\Users\Admin\AppData\Local\Temp\7zS89051867\c3fd6c993b4.exe
c3fd6c993b4.exe
C:\Users\Admin\AppData\Local\Temp\7zS89051867\e2651aae101285.exe
e2651aae101285.exe
C:\Users\Admin\AppData\Local\Temp\7zS89051867\671e9c9b76adcf6.exe
671e9c9b76adcf6.exe
C:\Users\Admin\AppData\Local\Temp\7zS89051867\49b64a222d62322.exe
49b64a222d62322.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 671e9c9b76adcf6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 49b456537.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e2651aae101285.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c d128da868eace63.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c3fd6c993b4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 49b64a222d62322.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 49f7436351.exe
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.21.4.208:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | 208.4.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.96.141.3.in-addr.arpa | udp |
| NL | 37.0.8.235:80 | | tcp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lenak513.tumblr.com | udp |
| US | 8.8.8.8:53 | aucmoney.com | udp |
| US | 8.8.8.8:53 | thegymmum.com | udp |
| US | 8.8.8.8:53 | atvcampingtrips.com | udp |
| US | 8.8.8.8:53 | kuapakualaman.com | udp |
| US | 8.8.8.8:53 | renatazarazua.com | udp |
| US | 8.8.8.8:53 | nasufmutlu.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 9b44481728f8fd6894874cf9171e81f1 |
| SHA1 | e36f10ea66dbf472629b73ed98595a850c9045a8 |
| SHA256 | d56b2405d390856b7641ad6777e8cfb7722757547e41407ecbd54ca32c047ada |
| SHA512 | cd6c7f72637c29c2da1292d45baf8438bb10429f6730e483e78da5f7572639f6018076081b709e0547c16571374385e7c13261bce5d2b92c6e864a38f816c7c5 |
C:\Users\Admin\AppData\Local\Temp\7zS89051867\setup_install.exe
| MD5 | 8cd41712b4ee8858a7c605b9c9221084 |
| SHA1 | a167b6b16c1b5a41d6b42d0e0def89e64cd380d9 |
| SHA256 | 908f4c202959096b5ac4c598751281d56f89e53611154b53623fa3e4528bf1a1 |
| SHA512 | 36a50ba4c5aba491c9f47ed4d4d76d74eabfe24b2bb7c74857aaa3c5b0ec837f3fdc0a27182625c59e86f41a96cc2004d636afa3935b930b7e4b450ec215e475 |
C:\Users\Admin\AppData\Local\Temp\7zS89051867\setup_install.exe
| MD5 | eb35d08c7ded3e85418436417d804d4e |
| SHA1 | 0c9ecc27f7be84757583a7b70555f79dd6bccb56 |
| SHA256 | 0efd18a06e63eab10353809ade6812012fe1171cf8aae81be8b2c67af3827b23 |
| SHA512 | 97e14c3d7221432ff2a5633f30f73b50ec3c205ad0a58df28b5c53155c13f0bd42f3c3f47883c4cf9315069b5f0fb7ee107880bf18dafb1f6d883f8790752634 |
C:\Users\Admin\AppData\Local\Temp\7zS89051867\libcurl.dll
| MD5 | 0151c5c4a0ebf14b04ddf243564436d6 |
| SHA1 | 5bcaf3f5bbcf6229483686d585b1106071b60c4d |
| SHA256 | 84fd229f8269a62e61267c8f71d91e25b9ff4f82dfdbb56083c050e2b223e0ab |
| SHA512 | 520080e496be6bb744c41e7549b6f250797742245d5bc2097a471be66962ed7ce468c8e076042375a6f443b392a85f19a0e5392638bc14bd08bd405744560d04 |
C:\Users\Admin\AppData\Local\Temp\7zS89051867\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS89051867\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS89051867\setup_install.exe
| MD5 | c5abe3656921fd39c96095b1466665ba |
| SHA1 | 9cd53bc80295469264a67f0ddce28a2995b8c9e0 |
| SHA256 | 9bb4b973e6397b54ba211c5bcb24dc1bdf093d0ce3d87fb69e43393ea85ee6de |
| SHA512 | 6080524ad8c7851fa397ca56287035b1f57ef4685b100c94404dbe2b9492c780911813f0eccfca3f71b90f7e7b5b9b87587fb07da3a3b9cefc90936692d45315 |