Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-12-2024 11:55

General

  • Target

    a779ab148d0593aba4c80b23637b1e5c8ff10957dc7976f7718d3255e186a4ef.exe

  • Size

    6.8MB

  • MD5

    52d369c46dc7e0434be0ee09634bc900

  • SHA1

    3f71cb4f023b0eb816357017831a6f1441c35741

  • SHA256

    a779ab148d0593aba4c80b23637b1e5c8ff10957dc7976f7718d3255e186a4ef

  • SHA512

    8e6b795b1542b6d986411502488d779720f2cd69a4223ee1a88a700ad5466dccb111397a6db8d4163cdad5117dd4d401834a46c45c1168873ed9629f383ec5c2

  • SSDEEP

    196608:PC1vgMQjyG2VV2qG7ZNF1hUNuAlPU+yoGmF:PQvamGwV2Z3FQzi99m

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

  • rc4.plain

    1: 006700e5a2ab05704bbb0c589b88924d

Extracted

Family

lumma

C2

https://hummskitnj.buzz/api

https://cashfuzysao.buzz/api

https://appliacnesot.buzz/api

https://screwamusresz.buzz/api

https://inherineau.buzz/api

https://scentniej.buzz/api

https://rebuildeso.buzz/api

https://prisonyfork.buzz/api

https://mindhandru.buzz/api

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

lumma

C2

https://mindhandru.buzz/api

https://prisonyfork.buzz/api

https://rebuildeso.buzz/api

https://scentniej.buzz/api

https://inherineau.buzz/api

https://screwamusresz.buzz/api

https://appliacnesot.buzz/api

https://cashfuzysao.buzz/api

https://hummskitnj.buzz/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a779ab148d0593aba4c80b23637b1e5c8ff10957dc7976f7718d3255e186a4ef.exe
    "C:\Users\Admin\AppData\Local\Temp\a779ab148d0593aba4c80b23637b1e5c8ff10957dc7976f7718d3255e186a4ef.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\C5t65.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\C5t65.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4288
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6T10.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6T10.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3092
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1q82O2.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1q82O2.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2576
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:1552
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2M4912.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2M4912.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3396
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3W93x.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3W93x.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:3736
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1568
          4⤵
          • Program crash
          PID:2724
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4I084L.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4I084L.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Windows security modification
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2368
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:452
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3736 -ip 3736
    1⤵
    PID:224
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4616

Network

    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      85.49.80.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      85.49.80.91.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      14.160.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.160.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      mindhandru.buzz
      2M4912.exe
      Remote address:
      8.8.8.8:53
      Request
      mindhandru.buzz
      IN A
      Response
      mindhandru.buzz
      IN A
      172.67.165.185
      mindhandru.buzz
      IN A
      104.21.11.101
    • flag-us
      POST
      https://mindhandru.buzz/api
      2M4912.exe
      Remote address:
      172.67.165.185:443
      Request
      POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 8
      Host: mindhandru.buzz
      Response
      HTTP/1.1 200 OK
      Date: Fri, 27 Dec 2024 11:55:29 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Set-Cookie: PHPSESSID=sa5q69or511gcnil61csce5trr; expires=Tue, 22 Apr 2025 05:42:08 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      X-Frame-Options: DENY
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      cf-cache-status: DYNAMIC
      vary: accept-encoding
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7kjyQwOmK93BYKWLvWm6ZKTgo61846WAjO4eT6Cwa25DZXp3A9rTmRiFwc3lCZlVcOxApgYlghqi3ec3QbqWtugHs80gozzHeqDTf5usqq6DDk3ZCx6YpJPbjFdGJI%2ByWdw%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8f891f25be6c63aa-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=71734&min_rtt=63499&rtt_var=24816&sent=6&recv=8&lost=0&retrans=0&sent_bytes=3296&recv_bytes=603&delivery_rate=62426&cwnd=249&unsent_bytes=0&cid=8acd36d46c5ab2ee&ts=2324&x=0"
    • flag-us
      DNS
      185.165.67.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      185.165.67.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      prisonyfork.buzz
      2M4912.exe
      Remote address:
      8.8.8.8:53
      Request
      prisonyfork.buzz
      IN A
      Response
      prisonyfork.buzz
      IN A
      104.21.74.40
      prisonyfork.buzz
      IN A
      172.67.197.192
    • flag-us
      POST
      https://prisonyfork.buzz/api
      2M4912.exe
      Remote address:
      104.21.74.40:443
      Request
      POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 8
      Host: prisonyfork.buzz
      Response
      HTTP/1.1 200 OK
      Date: Fri, 27 Dec 2024 11:55:29 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Set-Cookie: PHPSESSID=c4nc6a2ou3fo66ala78rn54ghs; expires=Tue, 22 Apr 2025 05:42:08 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      X-Frame-Options: DENY
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      cf-cache-status: DYNAMIC
      vary: accept-encoding
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A%2BVY9NBuhWbwxLr1k9pZe%2Fwr4hjrOo5qmiYznAsdEP6u8Kb9GGFm62OpEDkbd3n2zQiOqhZiJZRbRzNkmfz0NSIGIylGSTlmeXT5kEAH1WC7h0eK77q7tyv%2FZpborLHPSyDe"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8f891f358c95719c-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=72828&min_rtt=62203&rtt_var=18689&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3299&recv_bytes=605&delivery_rate=52257&cwnd=242&unsent_bytes=0&cid=3911037cf1682e2c&ts=324&x=0"
    • flag-us
      DNS
      rebuildeso.buzz
      2M4912.exe
      Remote address:
      8.8.8.8:53
      Request
      rebuildeso.buzz
      IN A
      Response
      rebuildeso.buzz
      IN A
      172.67.143.157
      rebuildeso.buzz
      IN A
      104.21.49.94
    • flag-us
      DNS
      rebuildeso.buzz
      2M4912.exe
      Remote address:
      8.8.8.8:53
      Request
      rebuildeso.buzz
      IN A
    • flag-us
      POST
      https://rebuildeso.buzz/api
      2M4912.exe
      Remote address:
      172.67.143.157:443
      Request
      POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 8
      Host: rebuildeso.buzz
      Response
      HTTP/1.1 200 OK
      Date: Fri, 27 Dec 2024 11:55:33 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Set-Cookie: PHPSESSID=45a307cje9ri93rp5o4v61hknn; expires=Tue, 22 Apr 2025 05:42:12 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      X-Frame-Options: DENY
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      cf-cache-status: DYNAMIC
      vary: accept-encoding
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UnDKRse52hmbaBp5FpHw%2FqnFrE6p7KcKmyM0NzBa8HVdL1dXoZB%2Fo2Uv0Hy6U7CMxnGNsObI8NPg%2BBF2uCkZVk6%2Fr98XRH5%2BWOkGCG2yW3wqMxOMd2EZXGIGKxLIw8x0ioc%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8f891f3f6f36bd82-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=70826&min_rtt=61268&rtt_var=23176&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3294&recv_bytes=603&delivery_rate=61438&cwnd=253&unsent_bytes=0&cid=e4cfc9e70b92309d&ts=2372&x=0"
    • flag-us
      DNS
      40.74.21.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      40.74.21.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      157.143.67.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      157.143.67.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.150.49.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.150.49.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      scentniej.buzz
      2M4912.exe
      Remote address:
      8.8.8.8:53
      Request
      scentniej.buzz
      IN A
      Response
      scentniej.buzz
      IN A
      104.21.63.217
      scentniej.buzz
      IN A
      172.67.172.12
    • flag-us
      POST
      https://scentniej.buzz/api
      2M4912.exe
      Remote address:
      104.21.63.217:443
      Request
      POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 8
      Host: scentniej.buzz
      Response
      HTTP/1.1 200 OK
      Date: Fri, 27 Dec 2024 11:55:33 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Set-Cookie: PHPSESSID=3v7j0n517vql3cf556t4daltu3; expires=Tue, 22 Apr 2025 05:42:12 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      X-Frame-Options: DENY
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      cf-cache-status: DYNAMIC
      vary: accept-encoding
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CRNx7Zm65Zf6rG6oXINXc5MAAgkG%2BXQvwAvQu85dWUi5%2Bi%2BYedCRMTkwTsU%2FBcgK9IQWX2DUOqTH17B8Wq%2Bus%2FdIFkS8kR0EXAJiBXynR%2FZQXQG88%2BxhdUhCdbqnvaH%2FaQ%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8f891f4f78bdede0-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=67573&min_rtt=63483&rtt_var=19780&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3293&recv_bytes=601&delivery_rate=54625&cwnd=253&unsent_bytes=0&cid=f617b6474dcfc900&ts=303&x=0"
    • flag-us
      DNS
      inherineau.buzz
      2M4912.exe
      Remote address:
      8.8.8.8:53
      Request
      inherineau.buzz
      IN A
      Response
      inherineau.buzz
      IN A
      104.21.44.253
      inherineau.buzz
      IN A
      172.67.206.214
    • flag-us
      POST
      https://inherineau.buzz/api
      2M4912.exe
      Remote address:
      104.21.44.253:443
      Request
      POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 8
      Host: inherineau.buzz
      Response
      HTTP/1.1 200 OK
      Date: Fri, 27 Dec 2024 11:55:34 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Set-Cookie: PHPSESSID=9v2vm7be63jcahmlq2sam0kjjo; expires=Tue, 22 Apr 2025 05:42:13 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      X-Frame-Options: DENY
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      cf-cache-status: DYNAMIC
      vary: accept-encoding
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IwPq3rPkq4o5FssvgbqH%2B%2FVn3JJlYInOa8p95J58mHL15n2tc%2BSeNibGFuSev8%2F0kREPzqbEFEIVYD8thztmE6%2FmgeMinzo8%2F6M8uxsf6HbzAViMq5NXiyIAvlEe%2BUCsFdU%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8f891f529d00418f-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=61590&min_rtt=59941&rtt_var=15147&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3293&recv_bytes=603&delivery_rate=62234&cwnd=253&unsent_bytes=0&cid=f2a947150d70e9ef&ts=277&x=0"
    • flag-us
      DNS
      217.63.21.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.63.21.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      screwamusresz.buzz
      2M4912.exe
      Remote address:
      8.8.8.8:53
      Request
      screwamusresz.buzz
      IN A
      Response
      screwamusresz.buzz
      IN A
      172.67.159.117
      screwamusresz.buzz
      IN A
      104.21.66.113
    • flag-us
      POST
      https://screwamusresz.buzz/api
      2M4912.exe
      Remote address:
      172.67.159.117:443
      Request
      POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 8
      Host: screwamusresz.buzz
      Response
      HTTP/1.1 200 OK
      Date: Fri, 27 Dec 2024 11:55:34 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Set-Cookie: PHPSESSID=49d5l1m3d90thosdlrf7tbuoii; expires=Tue, 22 Apr 2025 05:42:13 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      X-Frame-Options: DENY
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      cf-cache-status: DYNAMIC
      vary: accept-encoding
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9ceWRWnfZZdJcYbP7cy1sbIWe3g1CHiPYpPnUpOg%2BB4xIoJyVSjpLIPmIA9cIJY3FjslTZl3h%2BKwET1G%2BtJtdnq6km3uRxOXsgbbuTKg0yUmeqGN%2Fktvzs%2BvIFMbLJ%2FcZBsSLGw%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8f891f558a7c3dca-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=60930&min_rtt=59292&rtt_var=15273&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3303&recv_bytes=609&delivery_rate=62854&cwnd=236&unsent_bytes=0&cid=09581e69f0958d79&ts=311&x=0"
    • flag-us
      DNS
      appliacnesot.buzz
      2M4912.exe
      Remote address:
      8.8.8.8:53
      Request
      appliacnesot.buzz
      IN A
      Response
      appliacnesot.buzz
      IN A
      172.67.213.232
      appliacnesot.buzz
      IN A
      104.21.35.50
    • flag-us
      POST
      https://appliacnesot.buzz/api
      2M4912.exe
      Remote address:
      172.67.213.232:443
      Request
      POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 8
      Host: appliacnesot.buzz
      Response
      HTTP/1.1 200 OK
      Date: Fri, 27 Dec 2024 11:55:36 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Set-Cookie: PHPSESSID=emvohcpiu4aguc0ktjar38e03l; expires=Tue, 22 Apr 2025 05:42:15 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      X-Frame-Options: DENY
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      cf-cache-status: DYNAMIC
      vary: accept-encoding
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AwS2a93OsV9QUkJHjdOU%2B4uET%2F9Puun2HcfLGdUoEjPvYz%2BFFnATOJ775iek0CZU95HI5IOUoI41y4PJwQDhgDy7jQOIIWMbs1n3HkxNT2p9k8hSLC4ITjnqfCmYWPdLlAZ03Q%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8f891f5dde4093e6-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=292662&min_rtt=68567&rtt_var=200385&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3301&recv_bytes=607&delivery_rate=59344&cwnd=253&unsent_bytes=0&cid=0f9f2b0640c977c7&ts=818&x=0"
    • flag-us
      DNS
      253.44.21.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      253.44.21.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      cashfuzysao.buzz
      2M4912.exe
      Remote address:
      8.8.8.8:53
      Request
      cashfuzysao.buzz
      IN A
      Response
      cashfuzysao.buzz
      IN A
      172.67.182.226
      cashfuzysao.buzz
      IN A
      104.21.83.235
    • flag-us
      DNS
      117.159.67.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      117.159.67.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      232.213.67.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      232.213.67.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      POST
      https://cashfuzysao.buzz/api
      2M4912.exe
      Remote address:
      172.67.182.226:443
      Request
      POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 8
      Host: cashfuzysao.buzz
      Response
      HTTP/1.1 200 OK
      Date: Fri, 27 Dec 2024 11:55:36 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Set-Cookie: PHPSESSID=lr4ic3r12ijiv5shff2s5lv1d0; expires=Tue, 22 Apr 2025 05:42:15 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      X-Frame-Options: DENY
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      cf-cache-status: DYNAMIC
      vary: accept-encoding
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MTjiRrxo7HuHbpTMyXtAPJ5wWYmgkUqsFByoFfPPjoczxLij4E%2FWN1eQSzUjb1NhHo6YNP7gDQ%2BiQjldQBBq5oz4Eb%2BGTl%2FWvaHPHYGuJZri2wlkRURL8YVBK70GWtxENXXd"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8f891f613fd9ed0a-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=67039&min_rtt=60278&rtt_var=18771&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3298&recv_bytes=605&delivery_rate=61634&cwnd=253&unsent_bytes=0&cid=0a3356a7221a4b45&ts=314&x=0"
    • flag-us
      DNS
      hummskitnj.buzz
      2M4912.exe
      Remote address:
      8.8.8.8:53
      Request
      hummskitnj.buzz
      IN A
      Response
      hummskitnj.buzz
      IN A
      104.21.86.82
      hummskitnj.buzz
      IN A
      172.67.216.236
    • flag-us
      POST
      https://hummskitnj.buzz/api
      2M4912.exe
      Remote address:
      104.21.86.82:443
      Request
      POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 8
      Host: hummskitnj.buzz
      Response
      HTTP/1.1 200 OK
      Date: Fri, 27 Dec 2024 11:55:37 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Set-Cookie: PHPSESSID=q1hi9c6795r2e352uql79no9h9; expires=Tue, 22 Apr 2025 05:42:16 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      X-Frame-Options: DENY
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      cf-cache-status: DYNAMIC
      vary: accept-encoding
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z6okqlWC1ir7hEPqOigEhhWPGG0nMrSop%2FD%2FlgyaoMXwoaCUwYypeNOjjjCf3WlUC3Mvfp9U3tkzHG1%2BfkvLnz6swkb2UZC%2FHhANzFXA6dXra2RlQQ6IV9GT2N8IsITvCls%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8f891f646990bd8e-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=64066&min_rtt=60213&rtt_var=18091&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3294&recv_bytes=603&delivery_rate=62089&cwnd=253&unsent_bytes=0&cid=238e56156d0cf3f5&ts=330&x=0"
    • flag-us
      DNS
      steamcommunity.com
      2M4912.exe
      Remote address:
      8.8.8.8:53
      Request
      steamcommunity.com
      IN A
      Response
      steamcommunity.com
      IN A
      23.214.143.155
    • flag-gb
      GET
      https://steamcommunity.com/profiles/76561199724331900
      2M4912.exe
      Remote address:
      23.214.143.155:443
      Request
      GET /profiles/76561199724331900 HTTP/1.1
      Connection: Keep-Alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Host: steamcommunity.com
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Content-Type: text/html; charset=UTF-8
      Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
      Expires: Mon, 26 Jul 1997 05:00:00 GMT
      Cache-Control: no-cache
      Date: Fri, 27 Dec 2024 11:55:37 GMT
      Content-Length: 35588
      Connection: keep-alive
      Set-Cookie: sessionid=529978b31f2b00513c2e8095; Path=/; Secure; SameSite=None
      Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
    • flag-us
      DNS
      lev-tolstoi.com
      2M4912.exe
      Remote address:
      8.8.8.8:53
      Request
      lev-tolstoi.com
      IN A
      Response
      lev-tolstoi.com
      IN A
      172.67.157.254
      lev-tolstoi.com
      IN A
      104.21.66.86
    • [US] | POST | https://lev-tolstoi.com/api | 2M4912.exe
      Remote address: 172.67.157.254:443
      Request:
      POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 8
      Host: lev-tolstoi.com
      Response:
      HTTP/1.1 200 OK
      Date: Fri, 27 Dec 2024 11:55:38 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Set-Cookie: PHPSESSID=bh33sfkh8oe78l91h6nittcl26; expires=Tue, 22 Apr 2025 05:42:17 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      X-Frame-Options: DENY
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      cf-cache-status: DYNAMIC
      vary: accept-encoding
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bXjaVUSy2kRuNFyZKTKMESP3uxprY2dVIkhEdQlNp4d71WjHge4%2FSqf5juj44yVaXfTyfnl6Hu9xbZ2TsP7mj2i2zIMohIsICwAsiD9mV03hlEyU5fE9xGHv7CUL9JDOuck%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8f891f6bfbd5886b-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=62852&min_rtt=59893&rtt_var=18016&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3291&recv_bytes=603&delivery_rate=62801&cwnd=250&unsent_bytes=0&cid=77df48c7d0f061c0&ts=346&x=0"
    • [US] | DNS | 226.182.67.172.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 226.182.67.172.in-addr.arpa IN PTR
      Response: (empty)
    • [US] | DNS | 82.86.21.104.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 82.86.21.104.in-addr.arpa IN PTR
      Response: (empty)
    • [US] | DNS | 155.143.214.23.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 155.143.214.23.in-addr.arpa IN PTR
      Response: 155.143.214.23.in-addr.arpa IN PTR a23-214-143-155.deploy.static.akamaitechnologies.com
    • [US] | DNS | 254.157.67.172.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 254.157.67.172.in-addr.arpa IN PTR
      Response: (empty)
    • [US] | DNS | 50.23.12.20.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 50.23.12.20.in-addr.arpa IN PTR
      Response: (empty)
    • [US] | DNS | 171.39.242.20.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 171.39.242.20.in-addr.arpa IN PTR
      Response: (empty)
    • [US] | DNS | 107.12.20.2.in-addr.arpa
      Remote address: 8.8.8.8:53
      Request: 107.12.20.2.in-addr.arpa IN PTR
      Response: 107.12.20.2.in-addr.arpa IN PTR a2-20-12-107.deploy.static.akamaitechnologies.com
    • 172.67.165.185:443
      https://mindhandru.buzz/api
      tls, http
      2M4912.exe
      1.0kB
      4.9kB
      10
      9

      HTTP Request

      POST https://mindhandru.buzz/api

      HTTP Response

      200
    • 185.215.113.43:80
      skotes.exe
      260 B
      5
    • 104.21.74.40:443
      https://prisonyfork.buzz/api
      tls, http
      2M4912.exe
      1.0kB
      4.9kB
      9
      9

      HTTP Request

      POST https://prisonyfork.buzz/api

      HTTP Response

      200
    • 172.67.143.157:443
      https://rebuildeso.buzz/api
      tls, http
      2M4912.exe
      999 B
      4.9kB
      9
      9

      HTTP Request

      POST https://rebuildeso.buzz/api

      HTTP Response

      200
    • 104.21.63.217:443
      https://scentniej.buzz/api
      tls, http
      2M4912.exe
      997 B
      4.9kB
      9
      9

      HTTP Request

      POST https://scentniej.buzz/api

      HTTP Response

      200
    • 104.21.44.253:443
      https://inherineau.buzz/api
      tls, http
      2M4912.exe
      999 B
      4.9kB
      9
      9

      HTTP Request

      POST https://inherineau.buzz/api

      HTTP Response

      200
    • 172.67.159.117:443
      https://screwamusresz.buzz/api
      tls, http
      2M4912.exe
      1.0kB
      4.9kB
      9
      9

      HTTP Request

      POST https://screwamusresz.buzz/api

      HTTP Response

      200
    • 172.67.213.232:443
      https://appliacnesot.buzz/api
      tls, http
      2M4912.exe
      1.3kB
      4.9kB
      11
      9

      HTTP Request

      POST https://appliacnesot.buzz/api

      HTTP Response

      200
    • 172.67.182.226:443
      https://cashfuzysao.buzz/api
      tls, http
      2M4912.exe
      1.0kB
      4.9kB
      9
      9

      HTTP Request

      POST https://cashfuzysao.buzz/api

      HTTP Response

      200
    • 104.21.86.82:443
      https://hummskitnj.buzz/api
      tls, http
      2M4912.exe
      999 B
      4.9kB
      9
      9

      HTTP Request

      POST https://hummskitnj.buzz/api

      HTTP Response

      200
    • 23.214.143.155:443
      https://steamcommunity.com/profiles/76561199724331900
      tls, http
      2M4912.exe
      1.5kB
      43.1kB
      21
      36

      HTTP Request

      GET https://steamcommunity.com/profiles/76561199724331900

      HTTP Response

      200
    • 172.67.157.254:443
      https://lev-tolstoi.com/api
      tls, http
      2M4912.exe
      999 B
      4.9kB
      9
      9

      HTTP Request

      POST https://lev-tolstoi.com/api

      HTTP Response

      200
    • 185.215.113.206:80
      3W93x.exe
      260 B
      5
    • 185.215.113.43:80
      skotes.exe
      260 B
      5
    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      85.49.80.91.in-addr.arpa
      dns
      70 B
      145 B
      1
      1

      DNS Request

      85.49.80.91.in-addr.arpa

    • 8.8.8.8:53
      14.160.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      14.160.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      mindhandru.buzz
      dns
      2M4912.exe
      61 B
      93 B
      1
      1

      DNS Request

      mindhandru.buzz

      DNS Response

      172.67.165.185
      104.21.11.101

    • 8.8.8.8:53
      185.165.67.172.in-addr.arpa
      dns
      73 B
      135 B
      1
      1

      DNS Request

      185.165.67.172.in-addr.arpa

    • 8.8.8.8:53
      prisonyfork.buzz
      dns
      2M4912.exe
      62 B
      94 B
      1
      1

      DNS Request

      prisonyfork.buzz

      DNS Response

      104.21.74.40
      172.67.197.192

    • 8.8.8.8:53
      rebuildeso.buzz
      dns
      2M4912.exe
      122 B
      93 B
      2
      1

      DNS Request

      rebuildeso.buzz

      DNS Request

      rebuildeso.buzz

      DNS Response

      172.67.143.157
      104.21.49.94

    • 8.8.8.8:53
      40.74.21.104.in-addr.arpa
      dns
      71 B
      133 B
      1
      1

      DNS Request

      40.74.21.104.in-addr.arpa

    • 8.8.8.8:53
      157.143.67.172.in-addr.arpa
      dns
      73 B
      135 B
      1
      1

      DNS Request

      157.143.67.172.in-addr.arpa

    • 8.8.8.8:53
      241.150.49.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.150.49.20.in-addr.arpa

    • 8.8.8.8:53
      scentniej.buzz
      dns
      2M4912.exe
      60 B
      92 B
      1
      1

      DNS Request

      scentniej.buzz

      DNS Response

      104.21.63.217
      172.67.172.12

    • 8.8.8.8:53
      inherineau.buzz
      dns
      2M4912.exe
      61 B
      93 B
      1
      1

      DNS Request

      inherineau.buzz

      DNS Response

      104.21.44.253
      172.67.206.214

    • 8.8.8.8:53
      217.63.21.104.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      217.63.21.104.in-addr.arpa

    • 8.8.8.8:53
      screwamusresz.buzz
      dns
      2M4912.exe
      64 B
      96 B
      1
      1

      DNS Request

      screwamusresz.buzz

      DNS Response

      172.67.159.117
      104.21.66.113

    • 8.8.8.8:53
      appliacnesot.buzz
      dns
      2M4912.exe
      63 B
      95 B
      1
      1

      DNS Request

      appliacnesot.buzz

      DNS Response

      172.67.213.232
      104.21.35.50

    • 8.8.8.8:53
      253.44.21.104.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      253.44.21.104.in-addr.arpa

    • 8.8.8.8:53
      cashfuzysao.buzz
      dns
      2M4912.exe
      62 B
      94 B
      1
      1

      DNS Request

      cashfuzysao.buzz

      DNS Response

      172.67.182.226
      104.21.83.235

    • 8.8.8.8:53
      117.159.67.172.in-addr.arpa
      dns
      73 B
      135 B
      1
      1

      DNS Request

      117.159.67.172.in-addr.arpa

    • 8.8.8.8:53
      232.213.67.172.in-addr.arpa
      dns
      73 B
      135 B
      1
      1

      DNS Request

      232.213.67.172.in-addr.arpa

    • 8.8.8.8:53
      hummskitnj.buzz
      dns
      2M4912.exe
      61 B
      93 B
      1
      1

      DNS Request

      hummskitnj.buzz

      DNS Response

      104.21.86.82
      172.67.216.236

    • 8.8.8.8:53
      steamcommunity.com
      dns
      2M4912.exe
      64 B
      80 B
      1
      1

      DNS Request

      steamcommunity.com

      DNS Response

      23.214.143.155

    • 8.8.8.8:53
      lev-tolstoi.com
      dns
      2M4912.exe
      61 B
      93 B
      1
      1

      DNS Request

      lev-tolstoi.com

      DNS Response

      172.67.157.254
      104.21.66.86

    • 8.8.8.8:53
      226.182.67.172.in-addr.arpa
      dns
      73 B
      135 B
      1
      1

      DNS Request

      226.182.67.172.in-addr.arpa

    • 8.8.8.8:53
      82.86.21.104.in-addr.arpa
      dns
      71 B
      133 B
      1
      1

      DNS Request

      82.86.21.104.in-addr.arpa

    • 8.8.8.8:53
      155.143.214.23.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      155.143.214.23.in-addr.arpa

    • 8.8.8.8:53
      254.157.67.172.in-addr.arpa
      dns
      73 B
      135 B
      1
      1

      DNS Request

      254.157.67.172.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      107.12.20.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      107.12.20.2.in-addr.arpa

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4I084L.exe

      Filesize

      2.7MB

      MD5

      b918b524c574e93f9aa113528e254906

      SHA1

      d2d31aa5c4a5e3026869ec37f8426faf1fe27ab2

      SHA256

      028a3fa1bc1442854056624ed035aa70eb03773d1cf1fe73e8d9d65654c5e9c6

      SHA512

      0f195d479400ae48642dc19eaa88688b1072d38ef01c29219e42d19808f0193b9125697675567550eca4089bcd5842252824c8783f11ac7d1b13c7db7716a0f8

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\C5t65.exe

      Filesize

      5.3MB

      MD5

      7b439cfdddd277f7100a438545a8ecd6

      SHA1

      cb39652fb3f888035bb766a6eb6a0da2d16b39ae

      SHA256

      72d1d12a80dfc7edee960970a6f7a52111af1b87f0af7414a6f53ff30f77b0fb

      SHA512

      db8203e4a5a95d629d7e484a3740caaddb64d0de62dcd45a277a612efebf885bf49dae868a8a1f716dfc7dcc484d91264469f0eb626cf4e4ec11e0541f1f812d

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3W93x.exe

      Filesize

      5.0MB

      MD5

      17d940e3012d0a3589f9dcb08cb8aacb

      SHA1

      c173fb724ed8484c8e369fa75fe55c583652ca0b

      SHA256

      a8bb33f2e7863a4f50af391645b42e1c401d58b91c017104215d222eef02ad70

      SHA512

      a3fd59b9b53b966401ba000a1fbe8eef6c964420bbc123bb32b525e8c5d34199f217c62e28c14a8a1b981688fc88dcf4c13cf03ee2e02da7aa5dfaeface93569

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6T10.exe

      Filesize

      3.6MB

      MD5

      3642f0779b9b524bd35e78509ea40af2

      SHA1

      45100115cd456f9a60d34bff6f377b990b8b26a7

      SHA256

      c9c1490378bbebc87e3a89f8ffd40c1915dce506de97934eb042f0037c8d5ed0

      SHA512

      cb904f19d41174341dbf1d3ea783d25264245338fdfd248abb008ca2dcfa3ce22ed20912557804afb0fcd8866f78fcff2b7c82df5d700b6614cfb4da3a31ab5e

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1q82O2.exe

      Filesize

      3.1MB

      MD5

      0a0f11159921131e89d2e3203e99b1f6

      SHA1

      661586d8fae5358589a35c336dfb4114116e3264

      SHA256

      69ea228fad500972c7022f828d8ce864e841c10c79538fbf9188e2cfd1203098

      SHA512

      f14041f126807284126f6eade0ebbbcacdf04a46521fbd4c6f7bb9579882157ca11130dfbb13fb189d8a20a6488cc9d1d2c3e14675dcb0838e328876965a60f3

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2M4912.exe

      Filesize

      1.8MB

      MD5

      c63d467232a6d3a2f8dbb8e002650a84

      SHA1

      5e6b7a9a985d1014818b4793c8f7e7ad366cbb3a

      SHA256

      a9d7a67e3fec6b0c11efd2fe9864f1559f2555f121d2aedb3144f5e99ba9b571

      SHA512

      66f5c069eb1239ebeb146ac798c05d994ea353398e699ee76d3251adecd5d635f55f206f2eaf75aac7c355f855b08d4a42044a943f44aa009735aad41fe3c561

    • memory/452-57-0x0000000000840000-0x0000000000B5B000-memory.dmp

      Filesize

      3.1MB

    • memory/452-55-0x0000000000840000-0x0000000000B5B000-memory.dmp

      Filesize

      3.1MB

    • memory/1552-75-0x0000000000840000-0x0000000000B5B000-memory.dmp

      Filesize

      3.1MB

    • memory/1552-49-0x0000000000840000-0x0000000000B5B000-memory.dmp

      Filesize

      3.1MB

    • memory/1552-79-0x0000000000840000-0x0000000000B5B000-memory.dmp

      Filesize

      3.1MB

    • memory/1552-78-0x0000000000840000-0x0000000000B5B000-memory.dmp

      Filesize

      3.1MB

    • memory/1552-40-0x0000000000840000-0x0000000000B5B000-memory.dmp

      Filesize

      3.1MB

    • memory/1552-74-0x0000000000840000-0x0000000000B5B000-memory.dmp

      Filesize

      3.1MB

    • memory/1552-80-0x0000000000840000-0x0000000000B5B000-memory.dmp

      Filesize

      3.1MB

    • memory/1552-41-0x0000000000840000-0x0000000000B5B000-memory.dmp

      Filesize

      3.1MB

    • memory/1552-73-0x0000000000840000-0x0000000000B5B000-memory.dmp

      Filesize

      3.1MB

    • memory/1552-72-0x0000000000840000-0x0000000000B5B000-memory.dmp

      Filesize

      3.1MB

    • memory/1552-52-0x0000000000840000-0x0000000000B5B000-memory.dmp

      Filesize

      3.1MB

    • memory/1552-81-0x0000000000840000-0x0000000000B5B000-memory.dmp

      Filesize

      3.1MB

    • memory/1552-33-0x0000000000840000-0x0000000000B5B000-memory.dmp

      Filesize

      3.1MB

    • memory/1552-82-0x0000000000840000-0x0000000000B5B000-memory.dmp

      Filesize

      3.1MB

    • memory/1552-58-0x0000000000840000-0x0000000000B5B000-memory.dmp

      Filesize

      3.1MB

    • memory/1552-66-0x0000000000840000-0x0000000000B5B000-memory.dmp

      Filesize

      3.1MB

    • memory/2368-71-0x0000000000B60000-0x0000000000E10000-memory.dmp

      Filesize

      2.7MB

    • memory/2368-62-0x0000000000B60000-0x0000000000E10000-memory.dmp

      Filesize

      2.7MB

    • memory/2368-64-0x0000000000B60000-0x0000000000E10000-memory.dmp

      Filesize

      2.7MB

    • memory/2368-65-0x0000000000B60000-0x0000000000E10000-memory.dmp

      Filesize

      2.7MB

    • memory/2368-68-0x0000000000B60000-0x0000000000E10000-memory.dmp

      Filesize

      2.7MB

    • memory/2576-20-0x0000000000100000-0x000000000041B000-memory.dmp

      Filesize

      3.1MB

    • memory/2576-35-0x0000000000100000-0x000000000041B000-memory.dmp

      Filesize

      3.1MB

    • memory/3396-43-0x0000000000DB0000-0x0000000001264000-memory.dmp

      Filesize

      4.7MB

    • memory/3396-44-0x0000000000DB0000-0x0000000001264000-memory.dmp

      Filesize

      4.7MB

    • memory/3396-42-0x0000000000DB0000-0x0000000001264000-memory.dmp

      Filesize

      4.7MB

    • memory/3396-39-0x0000000000DB0000-0x0000000001264000-memory.dmp

      Filesize

      4.7MB

    • memory/3736-50-0x00000000004E0000-0x00000000009E4000-memory.dmp

      Filesize

      5.0MB

    • memory/3736-48-0x00000000004E0000-0x00000000009E4000-memory.dmp

      Filesize

      5.0MB

    • memory/3736-51-0x00000000004E0000-0x00000000009E4000-memory.dmp

      Filesize

      5.0MB

    • memory/3736-53-0x00000000004E0000-0x00000000009E4000-memory.dmp

      Filesize

      5.0MB

    • memory/3736-59-0x00000000004E0000-0x00000000009E4000-memory.dmp

      Filesize

      5.0MB

    • memory/4616-77-0x0000000000840000-0x0000000000B5B000-memory.dmp

      Filesize

      3.1MB
