Malware Analysis Report

2024-10-19 02:13

Sample ID 231226-qh36bshfc9
Target 718b5089505fed92d1a44dc0dbeb36dc
SHA256 df872b0b7c336241db1a1ff9e83100d6ffb2b898a46c0c7b37a47dcbd002b056
Tags
nullmixer smokeloader vidar 706 pub5 aspackv2 backdoor dropper stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

df872b0b7c336241db1a1ff9e83100d6ffb2b898a46c0c7b37a47dcbd002b056

Threat Level: Known bad

The file 718b5089505fed92d1a44dc0dbeb36dc was found to be: Known bad.

Malicious Activity Summary

nullmixer smokeloader vidar 706 pub5 aspackv2 backdoor dropper stealer trojan

Vidar

NullMixer

SmokeLoader

Vidar Stealer

Executes dropped EXE

Loads dropped DLL

ASPack v2.12-2.42

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-26 13:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 13:16

Reported

2024-01-06 15:22

Platform

win7-20231215-en

Max time kernel

2s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\718b5089505fed92d1a44dc0dbeb36dc.exe"

Signatures

NullMixer

dropper nullmixer

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\718b5089505fed92d1a44dc0dbeb36dc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_5.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.db-ip.com N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\718b5089505fed92d1a44dc0dbeb36dc.exe C:\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe
PID 2820 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_1.exe
PID 2176 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\718b5089505fed92d1a44dc0dbeb36dc.exe

"C:\Users\Admin\AppData\Local\Temp\718b5089505fed92d1a44dc0dbeb36dc.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_4.exe

sonia_4.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_7.exe

sonia_7.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_3.exe

sonia_3.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_5.exe

sonia_5.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c cmd < Compatto.rtf

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^jvMDwkwydQdmnxGPmMOjYlbIlopECWXOZojRKCmISYgoKPYfXOyLKoMeYraSevCxTCAdoOyWjyxqVfYxlTHNQkrRvpTHpGGccUgofIipJpnFNMuJyYIpPPDHnITYVnMGn$" Oggi.rtf

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com n

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 30

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com

Triste.exe.com n

C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_6.exe

sonia_6.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 408

C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_1.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_1.exe" -a

C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_2.exe

sonia_2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_1.exe

sonia_1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_1.exe

C:\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 952

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe

Network

Files

\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe

\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe

\Users\Admin\AppData\Local\Temp\7zSC4958226\libstdc++-6.dll

\Users\Admin\AppData\Local\Temp\7zSC4958226\libwinpthread-1.dll

\Users\Admin\AppData\Local\Temp\7zSC4958226\libgcc_s_dw2-1.dll

\Users\Admin\AppData\Local\Temp\7zSC4958226\libcurl.dll

\Users\Admin\AppData\Local\Temp\7zSC4958226\libcurlpp.dll

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 13:16

Reported

2024-01-06 15:22

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\718b5089505fed92d1a44dc0dbeb36dc.exe"

Signatures

NullMixer

dropper nullmixer

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\718b5089505fed92d1a44dc0dbeb36dc.exe

"C:\Users\Admin\AppData\Local\Temp\718b5089505fed92d1a44dc0dbeb36dc.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0C988377\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0C988377\setup_install.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_3.exe

sonia_3.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_5.exe

sonia_5.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_1.exe

sonia_1.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_6.exe

sonia_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_7.exe

sonia_7.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_1.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_1.exe" -a

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c cmd < Compatto.rtf

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 30

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com n

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com

Triste.exe.com n

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^jvMDwkwydQdmnxGPmMOjYlbIlopECWXOZojRKCmISYgoKPYfXOyLKoMeYraSevCxTCAdoOyWjyxqVfYxlTHNQkrRvpTHpGGccUgofIipJpnFNMuJyYIpPPDHnITYVnMGn$" Oggi.rtf

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_4.exe

sonia_4.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C988377\sonia_2.exe

sonia_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sonia_1.exe

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

Network

US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
NL 212.193.30.115:80 tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp
US 3.141.96.53:443 live.goatgame.live tcp

Files

memory/4760-45-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4760-47-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4760-55-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4760-62-0x0000000000400000-0x000000000051D000-memory.dmp

memory/3512-80-0x00007FFB0D440000-0x00007FFB0DF01000-memory.dmp

memory/3512-81-0x0000000002A20000-0x0000000002A3E000-memory.dmp

memory/3512-86-0x0000000002A40000-0x0000000002A50000-memory.dmp

memory/3512-78-0x0000000000A90000-0x0000000000AB6000-memory.dmp

memory/740-96-0x0000000000530000-0x0000000000630000-memory.dmp

memory/1088-100-0x0000000000650000-0x0000000000750000-memory.dmp

memory/1088-101-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/1088-99-0x0000000002170000-0x000000000220D000-memory.dmp

memory/740-98-0x0000000000400000-0x000000000046C000-memory.dmp

memory/740-97-0x00000000004B0000-0x00000000004B9000-memory.dmp

memory/4760-61-0x0000000000400000-0x000000000051D000-memory.dmp

memory/4760-60-0x0000000000400000-0x000000000051D000-memory.dmp

memory/4760-59-0x0000000000400000-0x000000000051D000-memory.dmp

memory/4760-58-0x0000000000400000-0x000000000051D000-memory.dmp

memory/4760-57-0x0000000000400000-0x000000000051D000-memory.dmp

memory/4760-56-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4760-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3512-116-0x00007FFB0D440000-0x00007FFB0DF01000-memory.dmp

memory/4760-52-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4760-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4760-51-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4760-49-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4760-50-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4760-48-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4760-46-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4760-39-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4760-32-0x0000000000400000-0x000000000051D000-memory.dmp

memory/740-123-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4760-124-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1088-130-0x0000000002170000-0x000000000220D000-memory.dmp

memory/1088-129-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/4760-128-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/4760-126-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4760-132-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4760-138-0x0000000000400000-0x000000000051D000-memory.dmp

memory/4760-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp