Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
04/01/2025, 05:23 UTC
Static task
static1
Behavioral task
behavioral1
Sample
2025-01-04_06702b0adabb0256cd23521ded5e1499_frostygoop_poet-rat_snatch.exe
Resource
win7-20240729-en
General
-
Target
2025-01-04_06702b0adabb0256cd23521ded5e1499_frostygoop_poet-rat_snatch.exe
-
Size
6.9MB
-
MD5
06702b0adabb0256cd23521ded5e1499
-
SHA1
d921ae66f0a23628af9a08fbab11d87a996f1cf6
-
SHA256
58be466c685f6758fe2257bf9dc19dc3f024323e104cdf3577f17b1488ee0bcc
-
SHA512
b54c30dd7b5ea34473f55ea3335df6aec7227f75bcffb121c79f0a026bd3e07aed661372133f83f05a13996aedb4e4b6d24cc7abace25ae27d4919be62cc486e
-
SSDEEP
49152:OYSes/xIVxkD5dGE6rZFF1aV8eqUTlVr7LdIYpTAft/O2bYfXWu4ZCIwbTf0nOA:O9TycVdsZF8NTlPIYpelk4fO0I1KC
Malware Config
Extracted
lumma
https://cloudewahsj.shop/api
https://rabidcowse.shop/api
https://noisycuttej.shop/api
https://tirepublicerj.shop/api
https://framekgirus.shop/api
https://wholersorie.shop/api
https://abruptyopsn.shop/api
https://nearycrepso.shop/api
Extracted
lumma
https://abruptyopsn.shop/api
https://wholersorie.shop/api
https://framekgirus.shop/api
https://noisycuttej.shop/api
https://rabidcowse.shop/api
https://cloudewahsj.shop/api
Signatures
-
Lumma family
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2656 set thread context of 2144 2656 2025-01-04_06702b0adabb0256cd23521ded5e1499_frostygoop_poet-rat_snatch.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-01-04_06702b0adabb0256cd23521ded5e1499_frostygoop_poet-rat_snatch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BitLockerToGo.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2656 wrote to memory of 2144 2656 2025-01-04_06702b0adabb0256cd23521ded5e1499_frostygoop_poet-rat_snatch.exe 30 PID 2656 wrote to memory of 2144 2656 2025-01-04_06702b0adabb0256cd23521ded5e1499_frostygoop_poet-rat_snatch.exe 30 PID 2656 wrote to memory of 2144 2656 2025-01-04_06702b0adabb0256cd23521ded5e1499_frostygoop_poet-rat_snatch.exe 30 PID 2656 wrote to memory of 2144 2656 2025-01-04_06702b0adabb0256cd23521ded5e1499_frostygoop_poet-rat_snatch.exe 30 PID 2656 wrote to memory of 2144 2656 2025-01-04_06702b0adabb0256cd23521ded5e1499_frostygoop_poet-rat_snatch.exe 30 PID 2656 wrote to memory of 2144 2656 2025-01-04_06702b0adabb0256cd23521ded5e1499_frostygoop_poet-rat_snatch.exe 30 PID 2656 wrote to memory of 2144 2656 2025-01-04_06702b0adabb0256cd23521ded5e1499_frostygoop_poet-rat_snatch.exe 30 PID 2656 wrote to memory of 2144 2656 2025-01-04_06702b0adabb0256cd23521ded5e1499_frostygoop_poet-rat_snatch.exe 30 PID 2656 wrote to memory of 2144 2656 2025-01-04_06702b0adabb0256cd23521ded5e1499_frostygoop_poet-rat_snatch.exe 30 PID 2656 wrote to memory of 2144 2656 2025-01-04_06702b0adabb0256cd23521ded5e1499_frostygoop_poet-rat_snatch.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-01-04_06702b0adabb0256cd23521ded5e1499_frostygoop_poet-rat_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2025-01-04_06702b0adabb0256cd23521ded5e1499_frostygoop_poet-rat_snatch.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2144
-
Network
-
Remote address:8.8.8.8:53Requestwonderfulbelif.clickIN AResponsewonderfulbelif.clickIN A172.67.211.3wonderfulbelif.clickIN A104.21.69.179
-
Remote address:172.67.211.3:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: wonderfulbelif.click
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=t213ant8u2eateeau569f0guqn; expires=Tue, 29 Apr 2025 23:10:11 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NxIe9PeBADq17z8cEdAoUmdbTJNWpoLL%2BBUZ04%2F7YVkrfnO9qaOAAPs2H4uzBlVKUN3HuBClsN6YSzEsZ8MVgbNZ3E%2FftdJBjR6K2xDpvCK0Z19dQm8wuB7KGTAdkL4ToY3c29orLA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fc8cc115ff6948c-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=33754&min_rtt=26228&rtt_var=20340&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2868&recv_bytes=588&delivery_rate=135541&cwnd=233&unsent_bytes=0&cid=8e9a713839733df7&ts=280&x=0"
-
Remote address:8.8.8.8:53Requestnearycrepso.shopIN AResponse
-
Remote address:8.8.8.8:53Requestabruptyopsn.shopIN AResponseabruptyopsn.shopIN A104.21.96.1abruptyopsn.shopIN A104.21.80.1abruptyopsn.shopIN A104.21.16.1abruptyopsn.shopIN A104.21.112.1abruptyopsn.shopIN A104.21.64.1abruptyopsn.shopIN A104.21.32.1abruptyopsn.shopIN A104.21.48.1
-
Remote address:104.21.96.1:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: abruptyopsn.shop
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=p1m2o539pts85nn63hjfhvbuaf; expires=Tue, 29 Apr 2025 23:10:12 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V5tkzd3wmh7JVrhLTN6Jk6HBCsMZ3Mm8ehO8YQOH5%2FiWtxPR%2BqFb7pyjQ40unc2pCwCFJvESBe2TQzJRiFTfWjNNMfZVucxLuo6N42h%2FgjsC4cgKtgv4tfW8hhEdTH3FzXsD"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fc8cc151afe6532-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27533&min_rtt=26953&rtt_var=8654&sent=7&recv=8&lost=0&retrans=1&sent_bytes=3127&recv_bytes=584&delivery_rate=130556&cwnd=244&unsent_bytes=0&cid=893ab1dce6fdc534&ts=493&x=0"
-
Remote address:8.8.8.8:53Requestwholersorie.shopIN AResponsewholersorie.shopIN A104.21.41.51wholersorie.shopIN A172.67.160.114
-
Remote address:104.21.41.51:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: wholersorie.shop
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=etfojomrlcgoj3qbnd2frmlvuj; expires=Tue, 29 Apr 2025 23:10:12 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SX3urG5ZIGMzm41K4WgD2l4HPXfOtRd7ePt9Lrk1JNU3xV9jAvcSAfHNC2j4jTpe%2BYZuX6xtql1iGhMSrNHIoUGvAXtBeLAxJ7NjzWEjFi2i%2BxmMNVDlcqNC1zG2F4IUkgxl"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fc8cc173a00cd60-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27442&min_rtt=26319&rtt_var=7525&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2858&recv_bytes=584&delivery_rate=134095&cwnd=215&unsent_bytes=0&cid=4831d9eb51171422&ts=245&x=0"
-
Remote address:8.8.8.8:53Requestframekgirus.shopIN AResponseframekgirus.shopIN A172.67.179.160framekgirus.shopIN A104.21.18.19
-
Remote address:172.67.179.160:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: framekgirus.shop
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=6na7j2gnefn9ps6cdf0cqfdrgs; expires=Tue, 29 Apr 2025 23:10:13 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P4W%2BPzU6vKCQyc82QfllIBdOhu7ZwLT1QXAkjU%2Fvd2hrG5pyA8Z58IE6%2FAKXYkaMgYKaOIeaLmK1%2FM64X6AESEx5%2F2UqyRu8Kbm7vT7ipOogtCzCQ6CvA6WKH9uCBDsRoMTj"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fc8cc194d7a63a0-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27849&min_rtt=26190&rtt_var=8305&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2857&recv_bytes=584&delivery_rate=127637&cwnd=234&unsent_bytes=0&cid=2d834d889c983ee9&ts=223&x=0"
-
Remote address:8.8.8.8:53Requesttirepublicerj.shopIN AResponsetirepublicerj.shopIN A104.21.16.1tirepublicerj.shopIN A104.21.80.1tirepublicerj.shopIN A104.21.48.1tirepublicerj.shopIN A104.21.96.1tirepublicerj.shopIN A104.21.112.1tirepublicerj.shopIN A104.21.32.1tirepublicerj.shopIN A104.21.64.1
-
Remote address:8.8.8.8:53Requestnoisycuttej.shopIN AResponsenoisycuttej.shopIN A104.21.71.146noisycuttej.shopIN A172.67.170.178
-
Remote address:104.21.71.146:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: noisycuttej.shop
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=h6l1thck6pu3c5mjs5qlj2nvfk; expires=Tue, 29 Apr 2025 23:10:13 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3bxNlFkhhSmkNQ95Jurbupw6DNpmKoiQ9Cv2R3A1gKX90gWXxClzHSKdhnJT3Lx9QKCvmQBOfI2Kl9CACFAbSUGp%2BMafrkQ4IobsaWuySHYhwd%2F2DclXC%2BCm7TkvkqgAOge%2B"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fc8cc1d48bc7198-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27153&min_rtt=26091&rtt_var=7235&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2860&recv_bytes=584&delivery_rate=135402&cwnd=243&unsent_bytes=0&cid=8a161e8f8b9a6d26&ts=244&x=0"
-
Remote address:8.8.8.8:53Requestrabidcowse.shopIN AResponserabidcowse.shopIN A172.67.156.127rabidcowse.shopIN A104.21.7.224
-
Remote address:172.67.156.127:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: rabidcowse.shop
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=um1mar0ac9jm4v51jvms13ehs3; expires=Tue, 29 Apr 2025 23:10:14 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AjiYFBAmOpamivxtxehbTDJjgekQemFxz1wQ4Uz7iT3t11fVpkTB4aYwB69CU7B7aTJ3RgfonwVxn00fY%2BrJkOP7un6iF76G0LDjv5aFnI2PdNZzwxF7p6tcRl1mm7Z84zI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fc8cc1f582ccdad-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27413&min_rtt=26344&rtt_var=7423&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2854&recv_bytes=583&delivery_rate=132610&cwnd=236&unsent_bytes=0&cid=228e5fefce58fd94&ts=239&x=0"
-
Remote address:8.8.8.8:53Requestcloudewahsj.shopIN AResponsecloudewahsj.shopIN A104.21.96.1cloudewahsj.shopIN A104.21.16.1cloudewahsj.shopIN A104.21.64.1cloudewahsj.shopIN A104.21.48.1cloudewahsj.shopIN A104.21.32.1cloudewahsj.shopIN A104.21.112.1cloudewahsj.shopIN A104.21.80.1
-
Remote address:104.21.96.1:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: cloudewahsj.shop
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=gcc0t0ubpjjh0dp3m9te7tg8u4; expires=Tue, 29 Apr 2025 23:10:14 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F%2Fwki43f8xmtNHy7IcAXUlthcFkq%2FDkcQLamQKOPgLAxcTIOgaQnvRWsi%2BdHzyWr3fQXIyKGzKlYxbIGTaW0TAWwP0rJxeq%2B8i9o9%2FyM7Ffr2oa3YCr%2Bxv4Pez9iErag%2F1b2"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fc8cc216bc86364-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27827&min_rtt=26474&rtt_var=8001&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2854&recv_bytes=584&delivery_rate=134805&cwnd=248&unsent_bytes=0&cid=e6dca9687a2d0858&ts=234&x=0"
-
Remote address:8.8.8.8:53Requeststeamcommunity.comIN AResponsesteamcommunity.comIN A23.214.143.155
-
Remote address:23.214.143.155:443RequestGET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Sat, 04 Jan 2025 05:23:35 GMT
Content-Length: 35588
Connection: keep-alive
Set-Cookie: sessionid=0ef0b16c0486e92eef9e91d5; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
-
Remote address:8.8.8.8:53Requestlev-tolstoi.comIN AResponse
-
984 B 4.5kB 9 9
HTTP Request
POST https://wonderfulbelif.click/apiHTTP Response
200 -
1.0kB 4.7kB 10 10
HTTP Request
POST https://abruptyopsn.shop/apiHTTP Response
200 -
980 B 4.4kB 9 9
HTTP Request
POST https://wholersorie.shop/apiHTTP Response
200 -
980 B 4.4kB 9 9
HTTP Request
POST https://framekgirus.shop/apiHTTP Response
200 -
982 B 4.5kB 9 9
-
980 B 4.4kB 9 9
HTTP Request
POST https://noisycuttej.shop/apiHTTP Response
200 -
979 B 4.4kB 9 9
HTTP Request
POST https://rabidcowse.shop/apiHTTP Response
200 -
980 B 4.5kB 9 9
HTTP Request
POST https://cloudewahsj.shop/apiHTTP Response
200 -
23.214.143.155:443https://steamcommunity.com/profiles/76561199724331900tls, httpBitLockerToGo.exe1.5kB 42.9kB 21 36
HTTP Request
GET https://steamcommunity.com/profiles/76561199724331900HTTP Response
200
-
66 B 98 B 1 1
DNS Request
wonderfulbelif.click
DNS Response
172.67.211.3104.21.69.179
-
62 B 119 B 1 1
DNS Request
nearycrepso.shop
-
62 B 174 B 1 1
DNS Request
abruptyopsn.shop
DNS Response
104.21.96.1104.21.80.1104.21.16.1104.21.112.1104.21.64.1104.21.32.1104.21.48.1
-
62 B 94 B 1 1
DNS Request
wholersorie.shop
DNS Response
104.21.41.51172.67.160.114
-
62 B 94 B 1 1
DNS Request
framekgirus.shop
DNS Response
172.67.179.160104.21.18.19
-
64 B 176 B 1 1
DNS Request
tirepublicerj.shop
DNS Response
104.21.16.1104.21.80.1104.21.48.1104.21.96.1104.21.112.1104.21.32.1104.21.64.1
-
62 B 94 B 1 1
DNS Request
noisycuttej.shop
DNS Response
104.21.71.146172.67.170.178
-
61 B 93 B 1 1
DNS Request
rabidcowse.shop
DNS Response
172.67.156.127104.21.7.224
-
62 B 174 B 1 1
DNS Request
cloudewahsj.shop
DNS Response
104.21.96.1104.21.16.1104.21.64.1104.21.48.1104.21.32.1104.21.112.1104.21.80.1
-
64 B 80 B 1 1
DNS Request
steamcommunity.com
DNS Response
23.214.143.155
-
61 B 134 B 1 1
DNS Request
lev-tolstoi.com
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b