Analysis

  • max time kernel
    95s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/02/2025, 01:56 UTC

General

  • Target

    2025-02-03_ac096bb96571bc19729743513e206d6c_frostygoop_poet-rat_snatch.exe

  • Size

    4.6MB

  • MD5

    ac096bb96571bc19729743513e206d6c

  • SHA1

    8d55c52e5a2ac82f0fb2f1d36ad6c599897218c9

  • SHA256

    43f3820f0f725b537a3d01b1b80b58cb6696a7cf303998bac340670792910c1e

  • SHA512

    480df7dcd43b5a2b81102201ae16a4a0260093bc3feeb3f973faa6779450149b81fd7464a208545af15b9f4cfcf37a49f86b4ceff072ce8e744dac0e39fa36e2

  • SSDEEP

    49152:VuCfqCO438izFQu4+uCtIETopo+jl5LPYiVjOts6x1c:VPfqC3hQu9vt4oC

Score
10/10

Malware Config

Extracted

Family

vidar

C2

https://t.me/sc1phell

https://steamcommunity.com/profiles/76561199819539662

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

  • Detect Vidar Stealer 3 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-03_ac096bb96571bc19729743513e206d6c_frostygoop_poet-rat_snatch.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2025-02-03_ac096bb96571bc19729743513e206d6c_frostygoop_poet-rat_snatch.exe"
    PID: 4148
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (child process)
      Command line: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      PID: 4640
      • System Location Discovery: System Language Discovery

Network

    Country: US
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    Country: US
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f7c1a2bfb21a4c5098d6afd0c29a60da&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f7c1a2bfb21a4c5098d6afd0c29a60da&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=2C5636D881C3639306FF23508023628F; domain=.bing.com; expires=Sat, 28-Feb-2026 01:56:21 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8A16D6B6F8B741E8B7498121FAC4BEFA Ref B: LON04EDGE1213 Ref C: 2025-02-03T01:56:21Z
    date: Mon, 03 Feb 2025 01:56:21 GMT
    Country: US
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f7c1a2bfb21a4c5098d6afd0c29a60da&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f7c1a2bfb21a4c5098d6afd0c29a60da&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2C5636D881C3639306FF23508023628F
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=93jQ1c9UFfXORUqxFZCA29KSCMwPC5JPxpxHYt1_4Vc; domain=.bing.com; expires=Sat, 28-Feb-2026 01:56:21 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 7268BD152BB5435CA9970270F4CC20C4 Ref B: LON04EDGE1213 Ref C: 2025-02-03T01:56:21Z
    date: Mon, 03 Feb 2025 01:56:21 GMT
    Country: US
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f7c1a2bfb21a4c5098d6afd0c29a60da&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f7c1a2bfb21a4c5098d6afd0c29a60da&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2C5636D881C3639306FF23508023628F; MSPTC=93jQ1c9UFfXORUqxFZCA29KSCMwPC5JPxpxHYt1_4Vc
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2D1FAA0ECD5A4C108B31EC01D7760D78 Ref B: LON04EDGE1213 Ref C: 2025-02-03T01:56:21Z
    date: Mon, 03 Feb 2025 01:56:21 GMT
    Country: US
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
    Country: US
    DNS
    75.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.159.190.20.in-addr.arpa
    IN PTR
    Response
    Country: US
    DNS
    10.27.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.27.171.150.in-addr.arpa
    IN PTR
    Response
    Country: US
    DNS
    11.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.153.16.2.in-addr.arpa
    IN PTR
    Response
    11.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-11.deploy.static.akamaitechnologies.com
    Country: US
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
    Country: GB
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    95.101.143.201:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    cookie: MUID=2C5636D881C3639306FF23508023628F; MSPTC=93jQ1c9UFfXORUqxFZCA29KSCMwPC5JPxpxHYt1_4Vc
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Mon, 03 Feb 2025 01:56:22 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.c58f655f.1738547782.1c1f609d
    Country: US
    DNS
    201.143.101.95.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    201.143.101.95.in-addr.arpa
    IN PTR
    Response
    201.143.101.95.in-addr.arpa
    IN PTR
    a95-101-143-201.deploy.static.akamaitechnologies.com
    Country: US
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
    Country: US
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
    Country: US
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
    Country: US
    DNS
    166.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    166.190.18.2.in-addr.arpa
    IN PTR
    Response
    166.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-166.deploy.static.akamaitechnologies.com
    Country: US
    DNS
    t.me
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
    Country: NL
    GET
    https://t.me/sc1phell
    BitLockerToGo.exe
    Remote address:
    149.154.167.99:443
    Request
    GET /sc1phell HTTP/1.1
    Host: t.me
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Mon, 03 Feb 2025 01:56:55 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 12340
    Connection: keep-alive
    Set-Cookie: stel_ssid=46d36ee177b72679a2_11261387072389336251; expires=Tue, 04 Feb 2025 01:56:55 GMT; path=/; samesite=None; secure; HttpOnly
    Pragma: no-cache
    Cache-control: no-store
    X-Frame-Options: ALLOW-FROM https://web.telegram.org
    Content-Security-Policy: frame-ancestors https://web.telegram.org
    Strict-Transport-Security: max-age=35768000
    Country: US
    DNS
    wedrain.buzz
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    wedrain.buzz
    IN A
    Response
    wedrain.buzz
    IN A
    5.75.209.106
    Country: DE
    GET
    https://wedrain.buzz/
    BitLockerToGo.exe
    Remote address:
    5.75.209.106:443
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
    Host: wedrain.buzz
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 03 Feb 2025 01:56:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Country: DE
    POST
    https://wedrain.buzz/
    BitLockerToGo.exe
    Remote address:
    5.75.209.106:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----kx4opzcbi5fcbie37q9r
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
    Host: wedrain.buzz
    Content-Length: 256
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 03 Feb 2025 01:56:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Country: US
    DNS
    99.167.154.149.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    99.167.154.149.in-addr.arpa
    IN PTR
    Response
    Country: DE
    POST
    https://wedrain.buzz/
    BitLockerToGo.exe
    Remote address:
    5.75.209.106:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----jmyu379zc2vaieusr1v3
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
    Host: wedrain.buzz
    Content-Length: 299
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 03 Feb 2025 01:56:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Country: US
    DNS
    e5.o.lencr.org
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    e5.o.lencr.org
    IN A
    Response
    e5.o.lencr.org
    IN CNAME
    o.lencr.edgesuite.net
    o.lencr.edgesuite.net
    IN CNAME
    a1887.dscq.akamai.net
    a1887.dscq.akamai.net
    IN A
    88.221.134.137
    a1887.dscq.akamai.net
    IN A
    88.221.134.89
    a1887.dscq.akamai.net
    IN A
    88.221.135.105
    Country: GB
    GET
    http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgMumFM1B60hXuZQRt2DO9yCqQ%3D%3D
    BitLockerToGo.exe
    Remote address:
    88.221.134.137:80
    Request
    GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgMumFM1B60hXuZQRt2DO9yCqQ%3D%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: e5.o.lencr.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/ocsp-response
    Content-Length: 346
    ETag: "E313875E55C894CF2CA397285AADAD420A942EEFE5D493E3B7D0264ABAD1520A"
    Last-Modified: Sat, 01 Feb 2025 13:05:00 UTC
    Cache-Control: public, no-transform, must-revalidate, max-age=8200
    Expires: Mon, 03 Feb 2025 04:13:36 GMT
    Date: Mon, 03 Feb 2025 01:56:56 GMT
    Connection: keep-alive
    Country: US
    DNS
    168.245.100.95.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    168.245.100.95.in-addr.arpa
    IN PTR
    Response
    168.245.100.95.in-addr.arpa
    IN PTR
    a95-100-245-168.deploy.static.akamaitechnologies.com
    Country: US
    DNS
    106.209.75.5.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    106.209.75.5.in-addr.arpa
    IN PTR
    Response
    106.209.75.5.in-addr.arpa
    IN PTR
    static.106.209.75.5.clients.your-server.de
    Country: US
    DNS
    137.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    137.134.221.88.in-addr.arpa
    IN PTR
    Response
    137.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-137.deploy.static.akamaitechnologies.com
    Country: US
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 150.171.27.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f7c1a2bfb21a4c5098d6afd0c29a60da&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&anid=
    tls, http2
    2.0kB
    9.4kB
    21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f7c1a2bfb21a4c5098d6afd0c29a60da&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f7c1a2bfb21a4c5098d6afd0c29a60da&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f7c1a2bfb21a4c5098d6afd0c29a60da&localId=w:D0A40F9B-E320-78A2-894B-EDD71C20EBC5&deviceId=6966578605923370&anid=

    HTTP Response

    204
  • 95.101.143.201:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.5kB
    6.4kB
    17
    14

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 149.154.167.99:443
    https://t.me/sc1phell
    tls, http
    BitLockerToGo.exe
    1.5kB
    19.4kB
    24
    20

    HTTP Request

    GET https://t.me/sc1phell

    HTTP Response

    200
  • 5.75.209.106:443
    https://wedrain.buzz/
    tls, http
    BitLockerToGo.exe
    980 B
    3.0kB
    11
    8

    HTTP Request

    GET https://wedrain.buzz/

    HTTP Response

    200
  • 5.75.209.106:443
    https://wedrain.buzz/
    tls, http
    BitLockerToGo.exe
    1.4kB
    525 B
    8
    5

    HTTP Request

    POST https://wedrain.buzz/

    HTTP Response

    200
  • 5.75.209.106:443
    https://wedrain.buzz/
    tls, http
    BitLockerToGo.exe
    1.4kB
    558 B
    8
    6

    HTTP Request

    POST https://wedrain.buzz/

    HTTP Response

    200
  • 88.221.134.137:80
    http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgMumFM1B60hXuZQRt2DO9yCqQ%3D%3D
    http
    BitLockerToGo.exe
    467 B
    863 B
    5
    3

    HTTP Request

    GET http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgMumFM1B60hXuZQRt2DO9yCqQ%3D%3D

    HTTP Response

    200
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    75.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    75.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    10.27.171.150.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    10.27.171.150.in-addr.arpa

  • 8.8.8.8:53
    11.153.16.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    11.153.16.2.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    201.143.101.95.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    201.143.101.95.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    166.190.18.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    166.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    t.me
    dns
    BitLockerToGo.exe
    50 B
    66 B
    1
    1

    DNS Request

    t.me

    DNS Response

    149.154.167.99

  • 8.8.8.8:53
    wedrain.buzz
    dns
    BitLockerToGo.exe
    58 B
    74 B
    1
    1

    DNS Request

    wedrain.buzz

    DNS Response

    5.75.209.106

  • 8.8.8.8:53
    99.167.154.149.in-addr.arpa
    dns
    73 B
    166 B
    1
    1

    DNS Request

    99.167.154.149.in-addr.arpa

  • 8.8.8.8:53
    e5.o.lencr.org
    dns
    BitLockerToGo.exe
    60 B
    175 B
    1
    1

    DNS Request

    e5.o.lencr.org

    DNS Response

    88.221.134.137
    88.221.134.89
    88.221.135.105

  • 8.8.8.8:53
    106.209.75.5.in-addr.arpa
    dns
    71 B
    127 B
    1
    1

    DNS Request

    106.209.75.5.in-addr.arpa

  • 8.8.8.8:53
    168.245.100.95.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    168.245.100.95.in-addr.arpa

  • 8.8.8.8:53
    137.134.221.88.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    137.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • memory/4640-0-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/4640-1-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/4640-2-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/4640-9-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB
