Malware Analysis Report

2024-10-19 02:14

Sample ID 231231-hyjgvschfl
Target 2ccaeaf721c1ae29a84714ee5aca4f02
SHA256 088559f2192fe04ad85f83e1a3ac931f2bdbb5a88b4146154858d00c40b4b551
Tags
nullmixer privateloader risepro smokeloader vidar 706 pub6 aspackv2 backdoor dropper evasion loader spyware stealer themida trojan zgrat rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

088559f2192fe04ad85f83e1a3ac931f2bdbb5a88b4146154858d00c40b4b551

Threat Level: Known bad

The file 2ccaeaf721c1ae29a84714ee5aca4f02 was found to be: Known bad.

Malicious Activity Summary

nullmixer privateloader risepro smokeloader vidar 706 pub6 aspackv2 backdoor dropper evasion loader spyware stealer themida trojan zgrat rat

PrivateLoader

Vidar

RisePro

SmokeLoader

ZGRat

Detect ZGRat V1

NullMixer

Vidar Stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Loads dropped DLL

ASPack v2.12-2.42

Reads user/profile data of web browsers

Themida packer

Checks BIOS information in registry

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 07:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 07:08

Reported

2024-01-02 12:22

Platform

win7-20231215-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ccaeaf721c1ae29a84714ee5aca4f02.exe"

Signatures

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7zS88856B46\27ce46284501.exe N/A

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS88856B46\27ce46284501.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS88856B46\27ce46284501.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ccaeaf721c1ae29a84714ee5aca4f02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ccaeaf721c1ae29a84714ee5aca4f02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ccaeaf721c1ae29a84714ee5aca4f02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\e9e6055abb695524.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\e9e6055abb695524.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\b001a8f56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\b001a8f56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\f9a302645.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\f9a302645.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\27ce46284501.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\27ce46284501.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\79d822fc709e78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\79d822fc709e78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\e9e6055abb695524.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\e9e6055abb695524.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\e9e6055abb695524.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7zS88856B46\27ce46284501.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.db-ip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\27ce46284501.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS88856B46\f9a302645.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS88856B46\f9a302645.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS88856B46\f9a302645.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS88856B46\2d7080268fee447.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS88856B46\b001a8f56.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7zS88856B46\20383e5a9a4c5112.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\7zS88856B46\20383e5a9a4c5112.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\7zS88856B46\20383e5a9a4c5112.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\7zS88856B46\2d7080268fee447.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS88856B46\2d7080268fee447.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\7zS88856B46\2d7080268fee447.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zS88856B46\b001a8f56.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS88856B46\b001a8f56.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\7zS88856B46\20383e5a9a4c5112.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\f9a302645.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\f9a302645.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\f9a302645.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\2d7080268fee447.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\20383e5a9a4c5112.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2ccaeaf721c1ae29a84714ee5aca4f02.exe C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe
PID 2184 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2ccaeaf721c1ae29a84714ee5aca4f02.exe C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe
PID 2184 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2ccaeaf721c1ae29a84714ee5aca4f02.exe C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe
PID 2184 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2ccaeaf721c1ae29a84714ee5aca4f02.exe C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe
PID 2184 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2ccaeaf721c1ae29a84714ee5aca4f02.exe C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe
PID 2184 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2ccaeaf721c1ae29a84714ee5aca4f02.exe C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe
PID 2184 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2ccaeaf721c1ae29a84714ee5aca4f02.exe C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe
PID 2800 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 524 wrote to memory of 240 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88856B46\e9e6055abb695524.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2ccaeaf721c1ae29a84714ee5aca4f02.exe

"C:\Users\Admin\AppData\Local\Temp\2ccaeaf721c1ae29a84714ee5aca4f02.exe"

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 27ce46284501.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 20383e5a9a4c5112.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c e9e6055abb695524.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 79d822fc709e78.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c b001a8f56.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 2d7080268fee447.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c f9a302645.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 3d0c613fcb2403.exe

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\e9e6055abb695524.exe

e9e6055abb695524.exe

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\b001a8f56.exe

b001a8f56.exe

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\f9a302645.exe

f9a302645.exe

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\27ce46284501.exe

27ce46284501.exe

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\20383e5a9a4c5112.exe

20383e5a9a4c5112.exe

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\2d7080268fee447.exe

2d7080268fee447.exe

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\e9e6055abb695524.exe

"C:\Users\Admin\AppData\Local\Temp\7zS88856B46\e9e6055abb695524.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 420

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\3d0c613fcb2403.exe

3d0c613fcb2403.exe

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\79d822fc709e78.exe

79d822fc709e78.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 956

Network

Country Destination Domain Proto
US 8.8.8.8:53 marisana.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 db-ip.com udp
US 104.26.4.15:443 db-ip.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.4.15:443 api.db-ip.com tcp
US 74.114.154.18:443 lenak513.tumblr.com tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.18.145.235:80 www.maxmind.com tcp
NL 37.0.8.235:80 N/A tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
N/A 127.0.0.1:49266 tcp
N/A 127.0.0.1:49268 tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.132.113:443 iplogger.org tcp
US 8.8.8.8:53 aucmoney.com udp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
US 172.67.132.113:443 iplogger.org tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 thegymmum.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 atvcampingtrips.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 kuapakualaman.com udp
US 8.8.8.8:53 renatazarazua.com udp
US 8.8.8.8:53 nasufmutlu.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 37.0.11.8:80 N/A tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp

Files

\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe

MD5 b1fa27e301c33e5e03a04b8e0342d625
SHA1 2bdd134823a593c71e36f40141d361551c5b51d6
SHA256 7afee80ce49ddb9ecb73d64466e5eb221438e92d5d09bdb1d39bc04890c8cb6a
SHA512 19870e5eda75884b1388ef05b91f3479bd966892e07b62052688d6d304071e314f487f57b255e5a2e7830f47d05c2fa61103290430c5fd5a9524fd35038fb70a

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe

MD5 cfa223e13a801c92823acfdc0acc5783
SHA1 66ef740e2f027c55c9d4cc24829d0e70f79718b2
SHA256 c85cc97449361d27ee643b0c5cdc64071a78884cb7066bdc915e7a2cc11fc44c
SHA512 0c89f78b5b49371d0a3ec8d4b61e3268dd1a2bc2045777794d7b260341271f3c85677e45f4b4840091c39e05e979a6aeb60c2a4b7a8bbaeca03aedcf6d57d57f

\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe

MD5 b6ff904cb0c6455c5b25e5c0a5ee04ec
SHA1 356f8d22fd037f30c6d05d96144df4ffbfbeec1d
SHA256 9ae8fc63842a9a9205f2990d0e787b6a8c9c684e4772f3b5a273f85c281e5207
SHA512 d3c40dd9bab86778186ed77c4d3e63029b28d84253d030b4c6a0acf2d50528e000c7c2f114e41ef8e29fc3514b82feeecd99c9ea0e5259d613e64eb4734aabc7

\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe

MD5 e4fbd8b239608da88cb94abd73f902da
SHA1 afc541de5a854922084ae92ba3621d02d7c3be9a
SHA256 991881c37add77ad102d0951ff2e582e745dcb76f491fa1310f97f10f585222b
SHA512 bdb46013cfa9f838c98ca42e7e7681b65f852652843e53ec89c3744eaf2d8ff5bafa49341d14e6b0646ad14ad42441f000b45c16836f71e38897db30f91bf6de

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe

MD5 008b6a28d3e2a2677a128adcf7557ac2
SHA1 3797e16bc2301c8d3834bfe07a5a5b53e350e170
SHA256 449c7992cd5d97c1db1b0b8154d187fb5d84842e9f319de963e49c0a23ce4997
SHA512 864713c5ca630dba0574ae8381baa021c0beab2d1c61aa3ee676342652b7bffb04981bdc57a2c23f1955b2fe11531b4a2240a92b9d8391c3ce5d3ff09f8b1980

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2800-28-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2800-33-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS88856B46\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe

MD5 023ff515d733689ba7cc43699fecafe1
SHA1 ccd10556a8ad5305f6fa6a3963bfe7b7eb824fc0
SHA256 6d8a51da67b7faa62b0b9c769e8a9112a602a0b587ba2856876ba4afca4fb804
SHA512 dfe5e8bfbb0b668ab4f52fd090e0d747292cf2274bd8683ad4ca0a64285b410c079bc396ea8c833ab8e2a5ac90a54c47b0c49ace0c252401271e1430fcd04d14

memory/2800-40-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2800-41-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2800-43-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe

MD5 a149356bf80c776978fa63d2b14ea442
SHA1 ca9b0ab4ce0844d586767d43ddb6e6e4b86174c0
SHA256 3e7c380a3e9e8d7b6766784daf04c77b553bfaf877773d59c71ee604c5e612f0
SHA512 168705deb1e0ee497343d8230898ea96514a4ce7fa32d3fa4284c4b92cb4dafda5fdfce12a6f1d8bedc28cbee25673a0a3d816bee3721d6290a9735f6f7a25d0

memory/2800-44-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe

MD5 ccfa0c010074f2e604f5e17618cbf439
SHA1 c2f466f7591d24dcd18c501f1699efd15d85c60f
SHA256 c030b0a4cc696dd6381e625b7dd1ba9f92306efcff2fd186afd5eb98c4afae1b
SHA512 5fa4211017069fc33ad9435dc4c62275f1e1cf89c812e7d947b8ea0c1c1c64f74d9f3b6484da13a9a13224550951c1bbc9da7bd831ed278b802253233907dd7e

memory/2800-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2800-47-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2800-48-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2800-35-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2800-49-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2800-51-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2800-52-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS88856B46\e9e6055abb695524.exe

MD5 3263859df4866bf393d46f06f331a08f
SHA1 5b4665de13c9727a502f4d11afb800b075929d6c
SHA256 9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
SHA512 58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\f9a302645.exe

MD5 19d8bee1e02b888281fac68702bea9ae
SHA1 1cdc5114214a6ec8c226aabdf78ab4cbdb9fde64
SHA256 ee63d15520498f546e96b8c8495e73a77cd0aeccb17ba1abd8acc78e1e5ec91c
SHA512 567c5be10f92cd103a182a2cea48c71a8776dfa91bf929a5df718516b5ae5b449341071c68f1f40837c80c794a218cca55638fd359f09f21b5c2ce7e1bdb355a

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\b001a8f56.exe

MD5 fcce864840d6700d71a8d68668d7a538
SHA1 fef82b13a6565e5da4eaf24ce6566c513c6a58fd
SHA256 0d017311cfc1554b76481b6b0d40d1c150c1a0aedcda302f513c01de0b1f4e4c
SHA512 3f01d5cd486b3394c46896f0d2c9eed1e6e1825c15e729ab357105d562fc0b73e7a7ab69f56107ae3e6941acff5dec43c3bbdda023909723c47547ea2d51d740

memory/860-105-0x0000000001390000-0x0000000001398000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS88856B46\27ce46284501.exe

MD5 a44963b4e553ceda7cb540458f0dd612
SHA1 a09012edc7733f61b6bdcbc5f1df5e8c3d7b6a39
SHA256 bded016fb598004f77299543d1ef7a202c2496d86a57da1ef5ddcc25b2f1d548
SHA512 e26046a05e0b8566b629484bdae20e7b2db1052a7b6f67b6eedfce694545d466e353d60599de221533e0b82598c7df5753c418e2b1f5a204737bc77ad5b033fb

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\79d822fc709e78.exe

MD5 c27aacb1ef8285f37c7097d2c56e2f89
SHA1 ab9cbe523bb7aea1c9b5fb5f02678bdfec046326
SHA256 b2240d85a7b576f78d1a9e6ffb57da5aee9414b128be0b3250ffab9dd8aee938
SHA512 38c925893e46ac41b337c56456d868b012cdf64879de8c706a20cd9156f81c70ee759c565b0df83f31f3519bfc50602ca3081cefbaa7de60130a14debd1065a8

\Users\Admin\AppData\Local\Temp\7zS88856B46\79d822fc709e78.exe

MD5 0965da18bfbf19bafb1c414882e19081
SHA1 e4556bac206f74d3a3d3f637e594507c30707240
SHA256 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512 fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

memory/2388-111-0x0000000002220000-0x0000000002A46000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS88856B46\79d822fc709e78.exe

MD5 88750c8657b3ab627d439a2c3221eb41
SHA1 f92d4d52207b9283df559300c8fee92daee2543f
SHA256 dff2c2513dd6db13c81b65a88c741e8cbfa4263e9c0a2fbb5400ab79630d111f
SHA512 71d4f0186010b0f369056bd925509f70e355eb20d9696a65be7bc3304bd978db01516be9bcbe460224ee6493b57367bf9d2eb9596792e88ad0986f2d89a1130e

\Users\Admin\AppData\Local\Temp\7zS88856B46\27ce46284501.exe

MD5 93480948d180a8940e834b882d9f2242
SHA1 37d1c3e71b8756066f2ebd3fd9268e5943a8c6c7
SHA256 df8ed55ab4b24485cc307eac833bf0463c3e472dff3aa11623eaa798f0a149e4
SHA512 161743f85d2a53aeaa4cae2fe4203b608853abe225bba07d30f893e3fb3dfcb0205af8e4bc07bda8e0ee9ecbbbd77d0a7d4a40ef2239c55e1b38243d390e33b1

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\27ce46284501.exe

MD5 aad4cb71d36a4a6008184401818fd8a8
SHA1 be4ea22c1b56b061777999a21d572fa7d4163477
SHA256 62d8d671c2cecb50a2a78bbb9349633669969d10837861ee507ec054aa489d5e
SHA512 14e08694d32f3d7bad608c7c87ddb15d93cc5685986780767f690d1f4ea2bc1a564ab3d7ca5818562bf0e589fc3ce7bd18f7906262ace39245ee4ac446c9901e

memory/2384-112-0x00000000015D0000-0x0000000001DF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\3d0c613fcb2403.exe

MD5 5866ab1fae31526ed81bfbdf95220190
SHA1 75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f
SHA256 9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e
SHA512 8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5

memory/2384-116-0x00000000015D0000-0x0000000001DF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\20383e5a9a4c5112.exe

MD5 181f1849ccb484af2eebb90894706150
SHA1 45dee946a7abc9c1c05d158a05e768e06a0d2cdc
SHA256 aeb2d203b415b00e0a23aa026862cec8e11962fdb99c6dce38fb0b018b7d8409
SHA512 a87485005ca80e145a7b734735184fa2d374a7f02e591eec9e51b77dc2a51be7f8198ce5abfceb9546c48bf235a555f19d6c57469975d0b4c786b0db16df930c

memory/3052-118-0x0000000000C50000-0x0000000000C7E000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe

MD5 967f46fe258a23a22b2924bdd08c2adb
SHA1 1c147f164a93b66d8fe973b2c6a7c95380a41c63
SHA256 a138b91ceda3d730e24dd0b626f33add29ac4934e6a40ae110baaea70cc82a0d
SHA512 fcc25d827dd6df8b897fe560e469c183b31ffa2abb2cf945e6b38b750813c7238e706b0fc1f109b19e6213325408d6c2b3dda77887d241651e4e64626405956b

\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe

MD5 701dada6b3eb0556f06f4dde8e991f47
SHA1 cb5261becd774340b7c7ca9135e91fbffd1f7386
SHA256 a4f2287c27130ab8219e9d63dc0ea410db4e06b2373a83199476685bc4c5bf2e
SHA512 0bec68af9d29cd3d141d9c4d67f97dd58b1ac668cbbfa6e6f3fab91dcfd2b05e078e968082960e4a672cb7ea8d5e41354e19ed8fd4a4dfb70a1495c7a0ee5a63

\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe

MD5 e91a686ccd5392bf7173fda83b8205fb
SHA1 ad76f6f751fb2bc4e663a661621e67dd748916c2
SHA256 22f38dcf8a633dc29068e83271627dbded8d24757613f0049a76f4265ab0e954
SHA512 18a1d7148ac76b1b34651ab0802f40395a3fbab0828ee8ef735576a368c9cac1f1add12ee0f43dfed61e9f176e3a00fc963f5b2405a07ea8c14cf1f7a46e5693

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\2d7080268fee447.exe

MD5 83cc20c8d4dd098313434b405648ebfd
SHA1 59b99c73776d555a985b2f2dcc38b826933766b3
SHA256 908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
SHA512 e00009e1f322a1fe6e24f88a1cc722acf3094569174e7c58ebf06f75f50a7735dcebf3e493886bbdc87593345adc8bb7b6f2daca2e64618f276075a0bb46bb8c

C:\Users\Admin\AppData\Local\Temp\7zS88856B46\27ce46284501.exe

MD5 64cdb850b4f6ce72130bf5a9f0dc9b70
SHA1 e0839766ad359913e6fd5ad6740bf1f0fccd2f2f
SHA256 6c6442e1319aedd6bbb1170380f0289efbe7b2b378214f088ac59719b9ef8063
SHA512 0512b90899fe69825a1bd5ff3885919941ec99d89607df392d1dbb05098acb3dab1418cc8a3330886824e2873cb5455af86e2364d65fd47d12f9bd40f7a5425b

\Users\Admin\AppData\Local\Temp\7zS88856B46\27ce46284501.exe

MD5 61bc853e9c150d2d208a40cf61eef038
SHA1 87edfc01ee6c34f3f5e7338f52678c68e62fb6c0
SHA256 016622dc30c3e40227fd273cee112d08e91b99dccf209ba5e3a11e9c1f7bc428
SHA512 ffeee17934239e94fa2cf74b21e9c7cff5b64c212abc3a2863746c8bb17d409e9e774a9caa38dc2a075b4ff3c6569d9dd5f97e1e21e772651a9051742b9a7ebe

memory/3052-131-0x00000000001C0000-0x00000000001C6000-memory.dmp

memory/3052-132-0x000007FEF54D0000-0x000007FEF5EBC000-memory.dmp

memory/2800-133-0x0000000000400000-0x0000000000C7F000-memory.dmp

memory/2800-135-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2800-136-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2800-137-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2800-138-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2800-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS88856B46\setup_install.exe

MD5 421aa18379c306638731014d2d976fed
SHA1 a77dd256bb90d75b58a20b3a74cbb9a88663ac91
SHA256 4bbd9a6becd5279ed9e7d40049564cb4e9d07eae904532e0ea404e288bd17c42
SHA512 962c30727e958c26e295ae041f1b2e2c1d986634e15107da215a958fcafa2ba49cf7c8a525f4bcdd01e1b6672222105bbb2acb8ea0456f0a27c93380eba65695

memory/1384-141-0x00000000025F0000-0x0000000002606000-memory.dmp

memory/3052-145-0x00000000001D0000-0x00000000001F2000-memory.dmp

memory/1128-140-0x0000000000400000-0x000000000334B000-memory.dmp

memory/3052-147-0x00000000003F0000-0x00000000003F6000-memory.dmp

memory/1352-142-0x0000000000400000-0x00000000032F8000-memory.dmp

memory/1352-148-0x00000000034A7000-0x00000000034B7000-memory.dmp

memory/1352-149-0x0000000000240000-0x0000000000249000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabBD1A.tmp

MD5 d71dff97ca86ca16c3db8bdb5285fb35
SHA1 271c01246897497d069b81ed37af296cf6c1e498
SHA256 4a19255504acfbd49c4e1aed722c7e62b50b5742b860eedabc5f46160f8aefac
SHA512 1fed2a183296b563e35d803927e539d28169895f6ca5b522a1c714f222a2d3e578b1e167b19568b5ad4800b898f7ac041c7bd8f6bb02d1361b32cbdcfb0f682a

memory/2384-161-0x0000000077300000-0x0000000077302000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarBF7D.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/1128-171-0x0000000003350000-0x00000000033ED000-memory.dmp

memory/1128-162-0x0000000003490000-0x0000000003590000-memory.dmp

memory/860-160-0x000007FEF54D0000-0x000007FEF5EBC000-memory.dmp

memory/1128-172-0x0000000000400000-0x000000000334B000-memory.dmp

memory/2384-179-0x00000000009B0000-0x00000000011D6000-memory.dmp

memory/860-180-0x0000000000BA0000-0x0000000000C20000-memory.dmp

memory/3052-191-0x000000001AE40000-0x000000001AEC0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 41491c799aa1aa2dd51b35742a92621b
SHA1 54239338ea1364d2c610804108b344f09ad1a53d
SHA256 2d71dbe6ebb735a8cc284621169e0d8268d3fb2051b37c3dff0b2dabaaaa8e87
SHA512 0c24d23aba28eebbdf833282b2124f36a032e0ffc3aec0e3e4a69d67da0c63c130ec358622e58a9c9e9460b9f872787e20dbe18f4b70fae96eb4182de7030de8

memory/3052-357-0x000007FEF54D0000-0x000007FEF5EBC000-memory.dmp

memory/2388-366-0x0000000002220000-0x0000000002A46000-memory.dmp

memory/2384-367-0x00000000015D0000-0x0000000001DF6000-memory.dmp

memory/860-368-0x000007FEF54D0000-0x000007FEF5EBC000-memory.dmp

memory/1128-369-0x0000000003490000-0x0000000003590000-memory.dmp

memory/2384-378-0x00000000009B0000-0x00000000011D6000-memory.dmp

memory/860-379-0x0000000000BA0000-0x0000000000C20000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 07:08

Reported

2024-01-02 12:22

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ccaeaf721c1ae29a84714ee5aca4f02.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

ZGRat

rat zgrat

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2ccaeaf721c1ae29a84714ee5aca4f02.exe

"C:\Users\Admin\AppData\Local\Temp\2ccaeaf721c1ae29a84714ee5aca4f02.exe"

C:\Users\Admin\AppData\Local\Temp\7zS43A27367\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS43A27367\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 79d822fc709e78.exe

C:\Users\Admin\AppData\Local\Temp\7zS43A27367\3d0c613fcb2403.exe

3d0c613fcb2403.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1516 -ip 1516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 572

C:\Users\Admin\AppData\Local\Temp\7zS43A27367\e9e6055abb695524.exe

"C:\Users\Admin\AppData\Local\Temp\7zS43A27367\e9e6055abb695524.exe" -a

C:\Users\Admin\AppData\Local\Temp\7zS43A27367\2d7080268fee447.exe

2d7080268fee447.exe

C:\Users\Admin\AppData\Local\Temp\7zS43A27367\b001a8f56.exe

b001a8f56.exe

C:\Users\Admin\AppData\Local\Temp\7zS43A27367\e9e6055abb695524.exe

e9e6055abb695524.exe

C:\Users\Admin\AppData\Local\Temp\7zS43A27367\20383e5a9a4c5112.exe

20383e5a9a4c5112.exe

C:\Users\Admin\AppData\Local\Temp\7zS43A27367\f9a302645.exe

f9a302645.exe

C:\Users\Admin\AppData\Local\Temp\7zS43A27367\27ce46284501.exe

27ce46284501.exe

C:\Users\Admin\AppData\Local\Temp\7zS43A27367\79d822fc709e78.exe

79d822fc709e78.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c b001a8f56.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 2d7080268fee447.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c f9a302645.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 3d0c613fcb2403.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c e9e6055abb695524.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 20383e5a9a4c5112.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 27ce46284501.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 marisana.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
NL 37.0.8.235:80 tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 music-sec.xyz udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.132.113:443 iplogger.org tcp
RU 185.230.143.16:32115 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 53.96.141.3.in-addr.arpa udp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 74.114.154.18:443 lenak513.tumblr.com tcp
US 8.8.8.8:53 g.bing.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 172.67.132.113:443 iplogger.org tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 113.132.67.172.in-addr.arpa udp
US 8.8.8.8:53 18.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 37.0.11.8:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
RU 185.230.143.16:32115 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
RU 185.230.143.16:32115 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
RU 185.230.143.16:32115 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 tcp
RU 185.230.143.16:32115 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
RU 185.230.143.16:32115 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zS43A27367\setup_install.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\7zS43A27367\libgcc_s_dw2-1.dll

MD5 3947561e2e1528a3936ed77810504e80
SHA1 3a6891b73e59bfd230d43791914750cb1a07e126
SHA256 2c6617cde9e29d37e2fe979df0458f0c62303bc233753370a28bef035b91a0dd
SHA512 4bb05f9e36b65a881721bdb7ea4b8249562eb49294999be72e9189dbcb8e8822dc566b21aa61c8773c22211a59d261056746b2c2638a35b3b73d2401505654bc

C:\Users\Admin\AppData\Local\Temp\7zS43A27367\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS43A27367\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS43A27367\setup_install.exe

MD5 d8dcfb8e373415bffbb369560e7be978
SHA1 c12141f38d0876a4a98b93c8acddd1a66a3088ae
SHA256 39eac12f59a6cd91ac5750ccf59608d0009fcccd9515c06a7f0c05149289e564
SHA512 175e9f2f9183ef4a946d2ac8fef6a71c76e00f92c71793091bc62f64906b2f419ba54b8a76e4c8e91a3515b25ef92899bbecc9e8d0e8bef34bcd6102d2749e3e

C:\Users\Admin\AppData\Local\Temp\7zS43A27367\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
