Malware Analysis Report

2024-10-19 02:13

Sample ID 231231-gezjasadd5
Target 2a7a53a25f11a4e0b70f19e1a49d5229
SHA256 356b0cafa50b44b352ff1f95515b81af4ef5a5269343d8c459306b8d3261a58d
Tags
nullmixer privateloader smokeloader vidar 706 pub5 backdoor dropper loader stealer trojan aspackv2
score
10/10

Analysis Overview

score
10/10

SHA256

356b0cafa50b44b352ff1f95515b81af4ef5a5269343d8c459306b8d3261a58d

Threat Level: Known bad

The file 2a7a53a25f11a4e0b70f19e1a49d5229 was found to be: Known bad.

Malicious Activity Summary

PrivateLoader

NullMixer

SmokeLoader

Vidar

Vidar Stealer

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 05:43

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 05:43

Reported

2024-01-05 17:09

Platform

win7-20231215-en

Max time kernel

0s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a7a53a25f11a4e0b70f19e1a49d5229.exe"

Signatures

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Vidar Stealer

stealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 2640 (7 identical events) N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2a7a53a25f11a4e0b70f19e1a49d5229.exe

"C:\Users\Admin\AppData\Local\Temp\2a7a53a25f11a4e0b70f19e1a49d5229.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 49b64a222d62322.exe

C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\e2651aae101285.exe

"C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\e2651aae101285.exe" -a

C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\d128da868eace63.exe

d128da868eace63.exe

C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\49b64a222d62322.exe

49b64a222d62322.exe

C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\671e9c9b76adcf6.exe

671e9c9b76adcf6.exe

C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\e2651aae101285.exe

e2651aae101285.exe

C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\49b456537.exe

49b456537.exe

C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\49f7436351.exe

49f7436351.exe

C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\c3fd6c993b4.exe

c3fd6c993b4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 671e9c9b76adcf6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 49b456537.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c e2651aae101285.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c d128da868eace63.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c3fd6c993b4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 49f7436351.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 408

C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\setup_install.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 952

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 05:43

Reported

2024-01-05 17:08

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a7a53a25f11a4e0b70f19e1a49d5229.exe"

Signatures

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Vidar Stealer

stealer

ASPack v2.12-2.42

aspackv2

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2a7a53a25f11a4e0b70f19e1a49d5229.exe

"C:\Users\Admin\AppData\Local\Temp\2a7a53a25f11a4e0b70f19e1a49d5229.exe"

C:\Users\Admin\AppData\Local\Temp\7zS89051867\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS89051867\setup_install.exe"

C:\Users\Admin\AppData\Local\Temp\7zS89051867\49b456537.exe

49b456537.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 544

C:\Users\Admin\AppData\Local\Temp\7zS89051867\e2651aae101285.exe

"C:\Users\Admin\AppData\Local\Temp\7zS89051867\e2651aae101285.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2424 -ip 2424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2424 -ip 2424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2416 -ip 2416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2424 -ip 2424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2424 -ip 2424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 884

C:\Users\Admin\AppData\Local\Temp\7zS89051867\49f7436351.exe

49f7436351.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2424 -ip 2424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 992

C:\Users\Admin\AppData\Local\Temp\7zS89051867\d128da868eace63.exe

d128da868eace63.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2424 -ip 2424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 1084

C:\Users\Admin\AppData\Local\Temp\7zS89051867\c3fd6c993b4.exe

c3fd6c993b4.exe

C:\Users\Admin\AppData\Local\Temp\7zS89051867\e2651aae101285.exe

e2651aae101285.exe

C:\Users\Admin\AppData\Local\Temp\7zS89051867\671e9c9b76adcf6.exe

671e9c9b76adcf6.exe

C:\Users\Admin\AppData\Local\Temp\7zS89051867\49b64a222d62322.exe

49b64a222d62322.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 671e9c9b76adcf6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 49b456537.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c e2651aae101285.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c d128da868eace63.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c3fd6c993b4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 49b64a222d62322.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 49f7436351.exe

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

Network

Files
