Analysis Overview
SHA256
bd175fda8c98a44237f8da7e02e48f6aaf00365bec2e7e38b7b42414bd888d95
Threat Level: Known bad
The file 2aedfa0dfb06ef02b268ec62486e6f80 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
SmokeLoader
CryptBot payload
NullMixer
CryptBot
PrivateLoader
Vidar
SectopRAT
RedLine
SectopRAT payload
Vidar Stealer
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
ASPack v2.12-2.42
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Enumerates physical storage devices
Program crash
Unsigned PE
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious behavior: MapViewOfSection
Enumerates system info in registry
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Runs ping.exe
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 05:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 05:58
Reported
2024-01-05 17:57
Platform
win7-20231215-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NullMixer
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Vidar
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16b2aff6f6632f.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue166801dd1c.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1643024cec44eb6.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1643024cec44eb6.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1643024cec44eb6.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue165b45f01bf.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue165b45f01bf.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1643024cec44eb6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1643024cec44eb6.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1643024cec44eb6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue165b45f01bf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16dbd9f0964.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe
"C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue166801dd1c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue165b45f01bf.exe
C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue165b45f01bf.exe
Tue165b45f01bf.exe
C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue166801dd1c.exe
Tue166801dd1c.exe
C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe
Tue16c3a7ed6a67.exe
C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16b2aff6f6632f.exe
Tue16b2aff6f6632f.exe
C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Vai.pdf
C:\Windows\SysWOW64\PING.EXE
ping SFVRQGEO -n 30
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com
Volevo.exe.com H
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com H
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^mtHoKMPFYDHibgXoaLvAaWsXCpDWIDAtGvzDsjSTgLhRLduwJPppYNJDMJFBoSWxeCBqVxQuTCkHIAkke$" Dal.pdf
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1619562504c6402.exe
Tue1619562504c6402.exe
C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe
"C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe" -a
C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1643024cec44eb6.exe
Tue1643024cec44eb6.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16dbd9f0964.exe
Tue16dbd9f0964.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue16b2aff6f6632f.exe
C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue168468791c.exe
Tue168468791c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue16c3a7ed6a67.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1619562504c6402.exe
C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe
Tue16fdfa6cf2ae0.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue16dbd9f0964.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue168468791c.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 432
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1643024cec44eb6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue16fdfa6cf2ae0.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 948
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | OpPyugYrdcCwUjnxmGFtZLvIhtD.OpPyugYrdcCwUjnxmGFtZLvIhtD | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | pcfixmy-download-96.xyz | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.21.4.208:443 | iplogger.org | tcp |
| RU | 185.215.113.15:61506 | tcp | |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | lenak513.tumblr.com | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 74.114.154.18:443 | lenak513.tumblr.com | tcp |
| NL | 37.0.8.235:80 | tcp | |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 104.21.4.208:443 | iplogger.org | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | aucmoney.com | udp |
| NL | 37.0.11.8:80 | tcp | |
| US | 8.8.8.8:53 | thegymmum.com | udp |
| RU | 185.215.113.15:61506 | tcp | |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | atvcampingtrips.com | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | kuapakualaman.com | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | renatazarazua.com | udp |
| US | 8.8.8.8:53 | knurxh28.top | udp |
| US | 8.8.8.8:53 | nasufmutlu.com | udp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| NL | 212.193.30.115:80 | tcp | |
| US | 3.20.137.44:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| RU | 185.215.113.15:61506 | tcp | |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| RU | 185.215.113.15:61506 | tcp | |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| RU | 185.215.113.15:61506 | tcp | |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| N/A | 127.0.0.1:49284 | tcp | |
| N/A | 127.0.0.1:49286 | tcp | |
| RU | 185.215.113.15:61506 | tcp | |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
Files
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 2ece127c2ec745fc1cd46012da3f6d66 |
| SHA1 | 172ca20766febe8c2f8bd4812466de3c3d0f0e31 |
| SHA256 | 5d2480c8d19a612b55b0e2fd71466ec8e10a3d8666f9b61494a10b361c62b062 |
| SHA512 | ec945fd8a900b9e5a4f9967975df3e6b2bca131488b223f829384eb3338fc0b5109f15ec10573174cb3fa1993ea07c3e6bb28bb8551e3a92dc996bb987ff5f02 |
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | ba7363cf29d36dbca8a2e30ee3a681cb |
| SHA1 | 6e1bcaa49bff83744818fbf4a43570b2dc9efba3 |
| SHA256 | 048a7d8f99be0d38da7c74188f5893db6e89646b30014d6701b528566fdf1371 |
| SHA512 | 35351d56ed687ceea2f18c4304125cc2d8e2565313287fc5c980b4d42209b65c0e2a080d37769ccb1be24adad801810004b43aae8fc154c829f88581e2281ab8 |
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 6704eb8895bb417cb1cccb479cc5672e |
| SHA1 | 685aecc08cb369b7d8f6a1f60f61f22565eb9314 |
| SHA256 | 470e8ec30a9e28bc99e991b2b25f5ac13c12d949361db149e58bb0aa2489cf25 |
| SHA512 | 14b0aa8314e3db2899bd87c45ae14a1a44d30e70b02cb1b453c6900c21f559fa3af41ea1511e7019112716ef204d856cae94c27cb5a813555f8ab31676b32871 |
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 8110444f5679006728e049da671dea26 |
| SHA1 | 91693a83172524af60b3dc25a2f1b543aee8de5f |
| SHA256 | 77e73ae69cbfe9c3bd902a1a53f2b40a304444e1dc89652464b7b7ca1e6fcf5b |
| SHA512 | bfcbe022a24d31716ebb5b8b7c7cf010c60cd3ad6c538058fcde39ff2ae75981f9bdac64890862a528f62972c8f318cefebe52e7471fa5bf65e6f5fd0dd27bfc |
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | e03e85e32bf29dd7bf9a7b29f650dcaf |
| SHA1 | be8e9b92d6669a0106211e0ef097d34b18064d60 |
| SHA256 | 9d099c1b2062d5879e1f2b175794f1122213cb7f6afd759d089c4b01fea18eb3 |
| SHA512 | 5a70f7d1f5da8cd39105cced038ec6f0bff55e3e0d5795b17631308c53383f74ee98dd837779c915b8b2d9b80604b79d064127a6b91c38a1c0912f65229ceaa1 |
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 7a0d0e10337b5fd6a1d698fd0c7b8913 |
| SHA1 | 2aa561f75d3b08ad1af0403fb583522baeed9bd7 |
| SHA256 | e1eeb5511793c9174cee5888b43eec0b487d93358bac5385ded1341bc5f539b1 |
| SHA512 | a505a50c07833a610b81b8eb86c0ebc4f9e7a89733e592cbf78fbe8f02756f00cf5069b0ef835d9772488fee2dddd33c3f6b01a1c55f7082298e3d7601273f10 |
\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe
| MD5 | a6209722759997ac8aa3db612ade10ea |
| SHA1 | a9f2a89e388abe9b45627a365a9ba21358d5082c |
| SHA256 | 557750ca1516461fda0f0fe0051a8a59f24efb50c04640fdfafbdb3834b845aa |
| SHA512 | 8ae45e8e8613a4806090c8077b942dc6332858c97c1048561e2843b326ad5e96299937deabbbf78025736c6fe3664b44a239ba873d54b769025debdaa0eadfe8 |
C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe
| MD5 | 09715e63b0f201fce0fe2e1a3f09d887 |
| SHA1 | 8646e5e3782b48239cfcc8c6d8a22fb6341b7646 |
| SHA256 | 058d55f5a4da05259682b45166488acde6c3f228e39a0cf3a96cd4a3f4094f9c |
| SHA512 | b66b8efa68b8270a8823261a88e06a5ef8a4f03f03c8af02cc926d839fdad43b7df6aed19af3ddff9cbd68234ffd3509b81d74f7bf223e53fb173d40d50e3174 |
memory/2824-70-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2824-72-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2824-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2824-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1156-136-0x0000000000050000-0x000000000007C000-memory.dmp
memory/1672-137-0x0000000004880000-0x00000000048A2000-memory.dmp
memory/1156-144-0x0000000000180000-0x0000000000186000-memory.dmp
memory/1672-147-0x0000000002CE0000-0x0000000002D0F000-memory.dmp
memory/2460-150-0x0000000003230000-0x00000000032CD000-memory.dmp
memory/2460-149-0x00000000002C0000-0x00000000003C0000-memory.dmp
memory/1924-152-0x0000000073240000-0x00000000737EB000-memory.dmp
memory/1672-151-0x00000000049D0000-0x00000000049F0000-memory.dmp
memory/1156-148-0x00000000001B0000-0x00000000001B6000-memory.dmp
memory/1232-146-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp
memory/1156-145-0x0000000000190000-0x00000000001B2000-memory.dmp
memory/1672-153-0x0000000000400000-0x0000000002CD3000-memory.dmp
memory/1232-120-0x0000000000A50000-0x0000000000A58000-memory.dmp
memory/1924-161-0x0000000073240000-0x00000000737EB000-memory.dmp
memory/1912-165-0x0000000000260000-0x0000000000269000-memory.dmp
memory/1672-186-0x0000000002E90000-0x0000000002F90000-memory.dmp
memory/1672-188-0x0000000007610000-0x0000000007650000-memory.dmp
memory/1232-187-0x000000001B170000-0x000000001B1F0000-memory.dmp
memory/1156-185-0x000000001B010000-0x000000001B090000-memory.dmp
memory/1912-184-0x0000000000400000-0x00000000023AC000-memory.dmp
memory/1912-164-0x0000000002810000-0x0000000002910000-memory.dmp
memory/1156-163-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp
memory/2460-162-0x0000000000400000-0x0000000002D1A000-memory.dmp
memory/2824-81-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2824-80-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2824-79-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2824-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2824-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2824-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2824-73-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2824-71-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2824-65-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2824-59-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS46829F36\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
\Users\Admin\AppData\Local\Temp\7zS46829F36\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe
| MD5 | 54fc337115e32de7540b16c30500f3d8 |
| SHA1 | 9a4eb9c3752efd26e88e022c40aca59b0e13fc87 |
| SHA256 | a2d3df4a4790591670440fb94a03042422b04f6651c83d1f6223cd12c5c1f804 |
| SHA512 | d468d265127905e466779b8f50341d9f3e9ae4bf95c0f93f3004287373b306004ae13210ce02f2bd0dae77694a4ba24a52449d2e43e9d10521b10ace84bcfdc1 |
\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe
| MD5 | dca239b7e656c12e35e521ca8ffbf446 |
| SHA1 | 407bfc0c4af2f50e869b3e867d6967e715aab583 |
| SHA256 | 7724430d2607be34f80bd8755338220aac47ae7e6d8e15771b4c85a2d73a3df7 |
| SHA512 | 4221428cf43c89cdd1745682092d3bda089bea13f5859b5c63bd3f21fc1464323d84573d691b39f00600ecbc49a56cbfb21d2084b296414a38d6619ea5cd5070 |
\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe
| MD5 | 2de1749b1fdd76fd0e056846bf27400f |
| SHA1 | 4d5b5fcd89041b9f421dc73ed7c30a0095b2793d |
| SHA256 | f1f6a614b3029ce49862618e880557c3736d57fabd56b55bb352dd37247773e0 |
| SHA512 | 06fbf2a155b49de0e1203247d12337c8841b81c890da821f7dc3eb9824dab06a7f331705dd37e31265cc88ea79161aa0c3af5e0fb45c105707f35eda37953bdf |
memory/1208-302-0x0000000004200000-0x0000000004216000-memory.dmp
memory/1912-303-0x0000000000400000-0x00000000023AC000-memory.dmp
memory/1156-368-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp
memory/2824-369-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2824-370-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2824-371-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2824-373-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2824-374-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2824-372-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2460-376-0x0000000000400000-0x0000000002D1A000-memory.dmp
memory/452-379-0x0000000003D40000-0x0000000003DE3000-memory.dmp
memory/452-378-0x0000000003D40000-0x0000000003DE3000-memory.dmp
memory/452-377-0x0000000003D40000-0x0000000003DE3000-memory.dmp
memory/452-380-0x0000000003D40000-0x0000000003DE3000-memory.dmp
memory/452-382-0x0000000003D40000-0x0000000003DE3000-memory.dmp
memory/452-383-0x0000000003D40000-0x0000000003DE3000-memory.dmp
memory/452-381-0x0000000003D40000-0x0000000003DE3000-memory.dmp
memory/1232-395-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp
memory/2460-396-0x00000000002C0000-0x00000000003C0000-memory.dmp
memory/1672-397-0x0000000002E90000-0x0000000002F90000-memory.dmp
memory/1232-398-0x000000001B170000-0x000000001B1F0000-memory.dmp
memory/1672-399-0x0000000007610000-0x0000000007650000-memory.dmp
memory/452-408-0x0000000003D40000-0x0000000003DE3000-memory.dmp
memory/452-644-0x0000000003D40000-0x0000000003DE3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 05:58
Reported
2024-01-05 17:57
Platform
win10v2004-20231215-en
Max time kernel
155s
Max time network
164s
Command Line
Signatures
NullMixer
PrivateLoader
SmokeLoader
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1643024cec44eb6.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1643024cec44eb6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1643024cec44eb6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1643024cec44eb6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1643024cec44eb6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue165b45f01bf.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe
"C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue166801dd1c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue168468791c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue16dbd9f0964.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1643024cec44eb6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue16fdfa6cf2ae0.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1619562504c6402.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue16c3a7ed6a67.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue16b2aff6f6632f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue165b45f01bf.exe
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue165b45f01bf.exe
Tue165b45f01bf.exe
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue168468791c.exe
Tue168468791c.exe
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16dbd9f0964.exe
Tue16dbd9f0964.exe
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue166801dd1c.exe
Tue166801dd1c.exe
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16c3a7ed6a67.exe
Tue16c3a7ed6a67.exe
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1643024cec44eb6.exe
Tue1643024cec44eb6.exe
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe
Tue16fdfa6cf2ae0.exe
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1619562504c6402.exe
Tue1619562504c6402.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16b2aff6f6632f.exe
Tue16b2aff6f6632f.exe
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe" -a
C:\Windows\system32\dwm.exe
"dwm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.2.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| N/A | 127.0.0.1:54746 | tcp | |
| N/A | 127.0.0.1:54752 | tcp | |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.96.141.3.in-addr.arpa | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | live.goatgame.live | tcp |
| US | 3.141.96.53:443 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 168c8427a56ee01d0a79504e3dcbd3b2 |
| SHA1 | 6cddb30ed601bd45d14a0ec04be1aa6fe1fddde1 |
| SHA256 | 962c871c4fc7f41cecd20d3dfc5bba758b1995afaf8ccd2cde99fc81d2c975cf |
| SHA512 | 95c952a79c2ebb4ca2ed30e213620b6feafcea10bdb785ea2274f8163f763cbb3b1ab2c084aefd044b360963ab287617896ec81a66598abce1dca79d5236fde0 |
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe
| MD5 | 2de1749b1fdd76fd0e056846bf27400f |
| SHA1 | 4d5b5fcd89041b9f421dc73ed7c30a0095b2793d |
| SHA256 | f1f6a614b3029ce49862618e880557c3736d57fabd56b55bb352dd37247773e0 |
| SHA512 | 06fbf2a155b49de0e1203247d12337c8841b81c890da821f7dc3eb9824dab06a7f331705dd37e31265cc88ea79161aa0c3af5e0fb45c105707f35eda37953bdf |
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/1620-56-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/1620-61-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/1620-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1620-64-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1620-65-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1620-66-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1620-67-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1620-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1620-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1620-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1620-73-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1620-72-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1620-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16b2aff6f6632f.exe
| MD5 | 0191b0583174ce0d1d8dc75601e4d056 |
| SHA1 | ec3cbf979a5df64903cb7a825aa640d82075d839 |
| SHA256 | 01d11314c2c047a01b4159aa32b9afa3f3b7e3fc3b3ea46476c85346f3887949 |
| SHA512 | d24f647615a63291854de256e210c6e02f12619f85e694a9027e1969d708c415cf6234a43fae9376bf5788a5f27973ccf159e89b32fc54ab313ba0d720740e70 |
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16c3a7ed6a67.exe
| MD5 | 14f5b34619838749e514ad17e69443ea |
| SHA1 | 98e8019077163dc3f42e48c7aba48b312cb6eef7 |
| SHA256 | 92c43f1a70140426e05b5164d986dca73bf041dc5dae80bd47244cb695d7c0ac |
| SHA512 | 4889cb4a7b64fc0536b4de62d5901c526e4a570f40d7c4addeacadb83b89e4284567a3256fd59cca01dbc06a2ebcadaa7ff05fd0573632b23a0a977404d1a162 |
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue165b45f01bf.exe
| MD5 | 45a47d815f2291bc7fc0112d36aaad83 |
| SHA1 | db1dc02b2d64c4c3db89b5df3124dd87d43059d5 |
| SHA256 | 416e63fb614101d5644592d5f589f358f8d5a41dd6812a717cbf05470864ac6f |
| SHA512 | a7d98145cf949a42ace2da725a22847ad814a28137d32b0b220430b91c89aabed7144b85f20c2fd9a1a02f5b92520bf5f0afbe8202028f9832cbc29c2a9e776e |
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1619562504c6402.exe
| MD5 | 64be7ccaa252abfd99ecf77bc8cce4d5 |
| SHA1 | 9a9633c3cd6b394d149982021e008da3ceb64be0 |
| SHA256 | d9e8d0bdac5bc0b2a4958536474496fcaaf964d135cd1fe49d1e566b6640199c |
| SHA512 | 392782e14a78c1c157ee2935990805b13e0db39cd7629be7c880fe05c078c36a5807fb36e70320e6997399be88e85b8c51272fa51a48863bf2ea99c669e32de2 |
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue166801dd1c.exe
| MD5 | e8dd2c2b42ddc701b1e2c34cc1fe99b1 |
| SHA1 | c3751581986d6cada60747843792d286fd671657 |
| SHA256 | 835443a1038ad5e0a4dde2451baa95b529f049362955d57daf0b5921729a4f17 |
| SHA512 | e179b3b4c2f24d089566630c6ee0421418fe17aa4195dc9b04f471665094ce3a4b3ed29da7b6829b7484fa3e785abd343a1cf7abc556f6f5b5403a92b16a970d |
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue168468791c.exe
| MD5 | 5866ab1fae31526ed81bfbdf95220190 |
| SHA1 | 75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f |
| SHA256 | 9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e |
| SHA512 | 8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5 |
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1643024cec44eb6.exe
| MD5 | 6e40b89081774de12a74f2ac50390614 |
| SHA1 | c450e401fe8da4dae21c804d3c311e3ffc5ec825 |
| SHA256 | db0161ec8bdde73cce38b6f7047e37f59f3ac8adfe95611ec1171491f17c011d |
| SHA512 | 6d86256a42a8d77f17b6b09e947ff922a0edf833695b7d1de912ac1178aeb6c4b18b644f36d7d2a77c7a57c1e0bb7aca7f0a73bfe37c92c236fd1efebfd45313 |
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16dbd9f0964.exe
| MD5 | af23965c3e2673940b70f436bb45f766 |
| SHA1 | ccc8b03ea8c568f1b333458cff3f156898fc29f7 |
| SHA256 | e6271d738fc78602abc8916fb4742638b2b4c4205882f6db24eb361694c67503 |
| SHA512 | f0202e3ed32b9e69785bb50551b5143fe69298dead3c9a3d539cc6c6768f70f8263f074f912d1de5decb122bc365b7645428c0d10040f6f15a41f3a5ac0a4611 |
C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
memory/1620-84-0x0000000000400000-0x000000000051B000-memory.dmp
memory/1620-86-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1620-87-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/1620-88-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1644-89-0x0000000000800000-0x0000000000808000-memory.dmp
memory/1620-91-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2812-103-0x00000000002E0000-0x000000000030C000-memory.dmp
memory/2812-104-0x00000000008A0000-0x00000000008A6000-memory.dmp
memory/1620-105-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1620-106-0x0000000064940000-0x0000000064959000-memory.dmp
memory/5088-107-0x00000000001C0000-0x00000000001C9000-memory.dmp
memory/1644-108-0x000000001B3B0000-0x000000001B3B2000-memory.dmp