Malware Analysis Report

2024-10-19 02:13

Sample ID 231231-gpftyacgh8
Target 2aedfa0dfb06ef02b268ec62486e6f80
SHA256 bd175fda8c98a44237f8da7e02e48f6aaf00365bec2e7e38b7b42414bd888d95
Tags
cryptbot nullmixer redline sectoprat smokeloader vidar 706 pab3 pub5 aspackv2 backdoor discovery dropper infostealer persistence rat spyware stealer trojan privateloader loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bd175fda8c98a44237f8da7e02e48f6aaf00365bec2e7e38b7b42414bd888d95

Threat Level: Known bad

The file 2aedfa0dfb06ef02b268ec62486e6f80 was found to be: Known bad.

Malicious Activity Summary

cryptbot nullmixer redline sectoprat smokeloader vidar 706 pab3 pub5 aspackv2 backdoor discovery dropper infostealer persistence rat spyware stealer trojan privateloader loader

RedLine payload

SmokeLoader

CryptBot payload

NullMixer

CryptBot

PrivateLoader

Vidar

SectopRAT

RedLine

SectopRAT payload

Vidar Stealer

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

ASPack v2.12-2.42

Reads user/profile data of web browsers

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Enumerates physical storage devices

Program crash

Unsigned PE

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Runs ping.exe

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 05:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 05:58

Reported

2024-01-05 17:57

Platform

win7-20231215-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NullMixer

dropper nullmixer

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Vidar Stealer

stealer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16dbd9f0964.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16dbd9f0964.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1643024cec44eb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1643024cec44eb6.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue166801dd1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue166801dd1c.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1619562504c6402.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1619562504c6402.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16b2aff6f6632f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16b2aff6f6632f.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16b2aff6f6632f.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1643024cec44eb6.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1643024cec44eb6.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1643024cec44eb6.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue165b45f01bf.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue165b45f01bf.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1643024cec44eb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1643024cec44eb6.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1643024cec44eb6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue165b45f01bf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16dbd9f0964.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1244 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1244 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1244 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1244 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1244 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1244 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2148 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe
PID 2148 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe
PID 2148 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe
PID 2148 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe
PID 2148 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe
PID 2148 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe
PID 2148 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe
PID 2824 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe
PID 1812 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe
PID 1812 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe
PID 1812 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe
PID 1812 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe
PID 1812 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe
PID 1812 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe
PID 2824 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe

"C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue166801dd1c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue165b45f01bf.exe

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue165b45f01bf.exe

Tue165b45f01bf.exe

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue166801dd1c.exe

Tue166801dd1c.exe

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16c3a7ed6a67.exe

Tue16c3a7ed6a67.exe

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16b2aff6f6632f.exe

Tue16b2aff6f6632f.exe

C:\Windows\SysWOW64\dllhost.exe

dllhost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Vai.pdf

C:\Windows\SysWOW64\PING.EXE

ping SFVRQGEO -n 30

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com

Volevo.exe.com H

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com H

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^mtHoKMPFYDHibgXoaLvAaWsXCpDWIDAtGvzDsjSTgLhRLduwJPppYNJDMJFBoSWxeCBqVxQuTCkHIAkke$" Dal.pdf

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1619562504c6402.exe

Tue1619562504c6402.exe

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe

"C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe" -a

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue1643024cec44eb6.exe

Tue1643024cec44eb6.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16dbd9f0964.exe

Tue16dbd9f0964.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue16b2aff6f6632f.exe

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue168468791c.exe

Tue168468791c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue16c3a7ed6a67.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1619562504c6402.exe

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\Tue16fdfa6cf2ae0.exe

Tue16fdfa6cf2ae0.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue16dbd9f0964.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue168468791c.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 432

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1643024cec44eb6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue16fdfa6cf2ae0.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 948

Network

Country Destination Domain Proto

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

\Users\Admin\AppData\Local\Temp\setup_installer.exe

\Users\Admin\AppData\Local\Temp\setup_installer.exe

\Users\Admin\AppData\Local\Temp\setup_installer.exe

\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\libcurlpp.dll

\Users\Admin\AppData\Local\Temp\7zS46829F36\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe

\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe

\Users\Admin\AppData\Local\Temp\7zS46829F36\setup_install.exe

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 05:58

Reported

2024-01-05 17:57

Platform

win10v2004-20231215-en

Max time kernel

155s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe"

Signatures

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

SmokeLoader

trojan backdoor smokeloader

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1643024cec44eb6.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1643024cec44eb6.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1643024cec44eb6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1643024cec44eb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1643024cec44eb6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue165b45f01bf.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1880 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1880 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1880 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 904 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe
PID 904 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe
PID 904 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe
PID 1620 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3888 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue165b45f01bf.exe
PID 3888 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue165b45f01bf.exe
PID 4940 wrote to memory of 4652 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue168468791c.exe
PID 4940 wrote to memory of 4652 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue168468791c.exe
PID 3208 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16dbd9f0964.exe
PID 3208 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16dbd9f0964.exe
PID 3208 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16dbd9f0964.exe
PID 352 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe
PID 352 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe
PID 352 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe
PID 4668 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue166801dd1c.exe
PID 4668 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue166801dd1c.exe
PID 4668 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue166801dd1c.exe
PID 2608 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1643024cec44eb6.exe
PID 2608 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1643024cec44eb6.exe
PID 2608 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1643024cec44eb6.exe
PID 1292 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16c3a7ed6a67.exe
PID 1292 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16c3a7ed6a67.exe
PID 4568 wrote to memory of 3744 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1619562504c6402.exe
PID 4568 wrote to memory of 3744 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1619562504c6402.exe
PID 4568 wrote to memory of 3744 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1619562504c6402.exe
PID 4968 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16b2aff6f6632f.exe
PID 4968 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16b2aff6f6632f.exe
PID 4968 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16b2aff6f6632f.exe
PID 648 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe
PID 648 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe
PID 648 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe
PID 4960 wrote to memory of 4872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe

"C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue166801dd1c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue168468791c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue16dbd9f0964.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1643024cec44eb6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue16fdfa6cf2ae0.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1619562504c6402.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue16c3a7ed6a67.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue16b2aff6f6632f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue165b45f01bf.exe

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue165b45f01bf.exe

Tue165b45f01bf.exe

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue168468791c.exe

Tue168468791c.exe

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16dbd9f0964.exe

Tue16dbd9f0964.exe

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue166801dd1c.exe

Tue166801dd1c.exe

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16c3a7ed6a67.exe

Tue16c3a7ed6a67.exe

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1643024cec44eb6.exe

Tue1643024cec44eb6.exe

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe

Tue16fdfa6cf2ae0.exe

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1619562504c6402.exe

Tue1619562504c6402.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16b2aff6f6632f.exe

Tue16b2aff6f6632f.exe

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe" -a

C:\Windows\system32\dwm.exe

"dwm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
N/A 127.0.0.1:54746 tcp
N/A 127.0.0.1:54752 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 53.96.141.3.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 tcp
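
The rows above are one sandbox event per line, so the same destination repeats many times and two of them are not attacker infrastructure at all: the 8.8.8.8:53 rows are the sandbox's resolver (the queried name s.lletlee.com is the indicator, not the resolver), and 162.159.135.233 is a Cloudflare edge address fronting cdn.discordapp.com, which the report flags under "Legitimate hosting services abused for malware hosting/C2" (blocking that IP would break Discord for everyone; the hostname, and in practice the attachment URL, is the actionable indicator). The final row also lacks a resolved hostname and has to be tolerated by any parser. The following Python is an added example, not part of this sandbox report: it parses rows in this table's format (a handful of rows copied from the table are embedded as constructed input), collapses them into unique destinations with hit counts, separates DNS lookups and shared-hosting fetches from direct connections, and emits a hostname/IP block-list. The SHARED_HOSTING and PUBLIC_RESOLVERS sets are assumptions for the example, not data from the report.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of rows copied from this report's Network table,
# including the final row that carries no resolved hostname.
SAMPLE_ROWS = """\
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 tcp
"""

# Assumption for this example: hostnames served from shared CDN/anycast space, where the
# IP is not a useful block indicator and only the hostname (or URL) should be listed.
SHARED_HOSTING = {"cdn.discordapp.com"}
# Assumption for this example: public resolvers whose UDP/53 rows only record the lookup;
# the queried name, not the resolver, is the indicator.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}

# One table row: country code, ip:port, optional hostname, protocol.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<host>[A-Za-z0-9.-]+\.[A-Za-z]{2,}))?\s+(?P<proto>tcp|udp)$"
)


@dataclass(frozen=True)
class Dest:
    ip: str
    port: int
    host: Optional[str]   # None when the sandbox recorded no DNS mapping
    proto: str


def parse_rows(text):
    """Parse Network-table rows into Dest records; unparseable rows are an error, not skipped."""
    dests = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        dests.append(Dest(m["ip"], int(m["port"]), m["host"], m["proto"]))
    return dests


def classify(dests):
    """Split destinations into queried DNS names, direct connections and shared-hosting fetches.

    Returns (dns_names, direct, shared) where direct and shared are Counters of Dest -> hit count.
    """
    counts = Counter(dests)
    dns_names, direct, shared = set(), Counter(), Counter()
    for d, n in counts.items():
        if d.proto == "udp" and d.port == 53 and d.ip in PUBLIC_RESOLVERS:
            if d.host:
                dns_names.add(d.host)
        elif d.host in SHARED_HOSTING:
            shared[d] += n
        else:
            direct[d] += n
    return dns_names, direct, shared


def ioc_list(dests):
    """Block-list candidates: hostnames and IPs of direct connections, hostnames only for
    shared hosting, plus every name that was looked up. Returns (sorted hosts, sorted ips)."""
    dns_names, direct, shared = classify(dests)
    hosts = {d.host for d in direct if d.host} | {d.host for d in shared} | dns_names
    ips = {d.ip for d in direct}
    return sorted(hosts), sorted(ips)


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    names, direct, shared = classify(parsed)
    for d, n in direct.most_common():
        print(f"direct  {d.ip}:{d.port} {d.host or '-'} {d.proto} x{n}")
    for d, n in shared.most_common():
        print(f"shared  {d.host} via {d.ip}:{d.port} x{n}")
    print("dns   ", sorted(names))
    print("iocs  ", ioc_list(parsed))
```

Run against the full table, the direct bucket reduces the dozens of live.goatgame.live rows to a single 3.141.96.53:443 entry with its hit count, while the hostless final row stays a separate entry so it is not silently merged with a resolved one; a row that does not match the expected shape raises rather than being dropped, since a silently skipped line is a missing indicator.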

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 168c8427a56ee01d0a79504e3dcbd3b2
SHA1 6cddb30ed601bd45d14a0ec04be1aa6fe1fddde1
SHA256 962c871c4fc7f41cecd20d3dfc5bba758b1995afaf8ccd2cde99fc81d2c975cf
SHA512 95c952a79c2ebb4ca2ed30e213620b6feafcea10bdb785ea2274f8163f763cbb3b1ab2c084aefd044b360963ab287617896ec81a66598abce1dca79d5236fde0

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe

MD5 2de1749b1fdd76fd0e056846bf27400f
SHA1 4d5b5fcd89041b9f421dc73ed7c30a0095b2793d
SHA256 f1f6a614b3029ce49862618e880557c3736d57fabd56b55bb352dd37247773e0
SHA512 06fbf2a155b49de0e1203247d12337c8841b81c890da821f7dc3eb9824dab06a7f331705dd37e31265cc88ea79161aa0c3af5e0fb45c105707f35eda37953bdf

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/1620-56-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/1620-61-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/1620-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1620-64-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1620-65-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1620-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1620-67-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1620-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1620-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1620-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1620-73-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1620-72-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1620-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16b2aff6f6632f.exe

MD5 0191b0583174ce0d1d8dc75601e4d056
SHA1 ec3cbf979a5df64903cb7a825aa640d82075d839
SHA256 01d11314c2c047a01b4159aa32b9afa3f3b7e3fc3b3ea46476c85346f3887949
SHA512 d24f647615a63291854de256e210c6e02f12619f85e694a9027e1969d708c415cf6234a43fae9376bf5788a5f27973ccf159e89b32fc54ab313ba0d720740e70

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16c3a7ed6a67.exe

MD5 14f5b34619838749e514ad17e69443ea
SHA1 98e8019077163dc3f42e48c7aba48b312cb6eef7
SHA256 92c43f1a70140426e05b5164d986dca73bf041dc5dae80bd47244cb695d7c0ac
SHA512 4889cb4a7b64fc0536b4de62d5901c526e4a570f40d7c4addeacadb83b89e4284567a3256fd59cca01dbc06a2ebcadaa7ff05fd0573632b23a0a977404d1a162

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue165b45f01bf.exe

MD5 45a47d815f2291bc7fc0112d36aaad83
SHA1 db1dc02b2d64c4c3db89b5df3124dd87d43059d5
SHA256 416e63fb614101d5644592d5f589f358f8d5a41dd6812a717cbf05470864ac6f
SHA512 a7d98145cf949a42ace2da725a22847ad814a28137d32b0b220430b91c89aabed7144b85f20c2fd9a1a02f5b92520bf5f0afbe8202028f9832cbc29c2a9e776e

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1619562504c6402.exe

MD5 64be7ccaa252abfd99ecf77bc8cce4d5
SHA1 9a9633c3cd6b394d149982021e008da3ceb64be0
SHA256 d9e8d0bdac5bc0b2a4958536474496fcaaf964d135cd1fe49d1e566b6640199c
SHA512 392782e14a78c1c157ee2935990805b13e0db39cd7629be7c880fe05c078c36a5807fb36e70320e6997399be88e85b8c51272fa51a48863bf2ea99c669e32de2

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue166801dd1c.exe

MD5 e8dd2c2b42ddc701b1e2c34cc1fe99b1
SHA1 c3751581986d6cada60747843792d286fd671657
SHA256 835443a1038ad5e0a4dde2451baa95b529f049362955d57daf0b5921729a4f17
SHA512 e179b3b4c2f24d089566630c6ee0421418fe17aa4195dc9b04f471665094ce3a4b3ed29da7b6829b7484fa3e785abd343a1cf7abc556f6f5b5403a92b16a970d

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue168468791c.exe

MD5 5866ab1fae31526ed81bfbdf95220190
SHA1 75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f
SHA256 9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e
SHA512 8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1643024cec44eb6.exe

MD5 6e40b89081774de12a74f2ac50390614
SHA1 c450e401fe8da4dae21c804d3c311e3ffc5ec825
SHA256 db0161ec8bdde73cce38b6f7047e37f59f3ac8adfe95611ec1171491f17c011d
SHA512 6d86256a42a8d77f17b6b09e947ff922a0edf833695b7d1de912ac1178aeb6c4b18b644f36d7d2a77c7a57c1e0bb7aca7f0a73bfe37c92c236fd1efebfd45313

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16dbd9f0964.exe

MD5 af23965c3e2673940b70f436bb45f766
SHA1 ccc8b03ea8c568f1b333458cff3f156898fc29f7
SHA256 e6271d738fc78602abc8916fb4742638b2b4c4205882f6db24eb361694c67503
SHA512 f0202e3ed32b9e69785bb50551b5143fe69298dead3c9a3d539cc6c6768f70f8263f074f912d1de5decb122bc365b7645428c0d10040f6f15a41f3a5ac0a4611

C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

memory/1620-84-0x0000000000400000-0x000000000051B000-memory.dmp

memory/1620-86-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1620-87-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/1620-88-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1644-89-0x0000000000800000-0x0000000000808000-memory.dmp

memory/1620-91-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2812-103-0x00000000002E0000-0x000000000030C000-memory.dmp

memory/2812-104-0x00000000008A0000-0x00000000008A6000-memory.dmp

memory/1620-105-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1620-106-0x0000000064940000-0x0000000064959000-memory.dmp

memory/5088-107-0x00000000001C0000-0x00000000001C9000-memory.dmp

memory/1644-108-0x000000001B3B0000-0x000000001B3B2000-memory.dmp