Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    04/01/2025, 05:23 UTC

General

  • Target

    2025-01-04_06702b0adabb0256cd23521ded5e1499_frostygoop_poet-rat_snatch.exe

  • Size

    6.9MB

  • MD5

    06702b0adabb0256cd23521ded5e1499

  • SHA1

    d921ae66f0a23628af9a08fbab11d87a996f1cf6

  • SHA256

    58be466c685f6758fe2257bf9dc19dc3f024323e104cdf3577f17b1488ee0bcc

  • SHA512

    b54c30dd7b5ea34473f55ea3335df6aec7227f75bcffb121c79f0a026bd3e07aed661372133f83f05a13996aedb4e4b6d24cc7abace25ae27d4919be62cc486e

  • SSDEEP

    49152:OYSes/xIVxkD5dGE6rZFF1aV8eqUTlVr7LdIYpTAft/O2bYfXWu4ZCIwbTf0nOA:O9TycVdsZF8NTlPIYpelk4fO0I1KC

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

C2

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-04_06702b0adabb0256cd23521ded5e1499_frostygoop_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-04_06702b0adabb0256cd23521ded5e1499_frostygoop_poet-rat_snatch.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2144

Network

  • flag-us
    DNS
    wonderfulbelif.click
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    wonderfulbelif.click
    IN A
    Response
    wonderfulbelif.click
    IN A
    172.67.211.3
    wonderfulbelif.click
    IN A
    104.21.69.179
  • flag-us
    POST
    https://wonderfulbelif.click/api
    BitLockerToGo.exe
    Remote address:
    172.67.211.3:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: wonderfulbelif.click
    Response
    HTTP/1.1 200 OK
    Date: Sat, 04 Jan 2025 05:23:32 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=t213ant8u2eateeau569f0guqn; expires=Tue, 29 Apr 2025 23:10:11 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NxIe9PeBADq17z8cEdAoUmdbTJNWpoLL%2BBUZ04%2F7YVkrfnO9qaOAAPs2H4uzBlVKUN3HuBClsN6YSzEsZ8MVgbNZ3E%2FftdJBjR6K2xDpvCK0Z19dQm8wuB7KGTAdkL4ToY3c29orLA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fc8cc115ff6948c-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=33754&min_rtt=26228&rtt_var=20340&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2868&recv_bytes=588&delivery_rate=135541&cwnd=233&unsent_bytes=0&cid=8e9a713839733df7&ts=280&x=0"
  • flag-us
    DNS
    nearycrepso.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    nearycrepso.shop
    IN A
    Response
  • flag-us
    DNS
    abruptyopsn.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    abruptyopsn.shop
    IN A
    Response
    abruptyopsn.shop
    IN A
    104.21.96.1
    abruptyopsn.shop
    IN A
    104.21.80.1
    abruptyopsn.shop
    IN A
    104.21.16.1
    abruptyopsn.shop
    IN A
    104.21.112.1
    abruptyopsn.shop
    IN A
    104.21.64.1
    abruptyopsn.shop
    IN A
    104.21.32.1
    abruptyopsn.shop
    IN A
    104.21.48.1
  • flag-us
    POST
    https://abruptyopsn.shop/api
    BitLockerToGo.exe
    Remote address:
    104.21.96.1:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: abruptyopsn.shop
    Response
    HTTP/1.1 200 OK
    Date: Sat, 04 Jan 2025 05:23:33 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=p1m2o539pts85nn63hjfhvbuaf; expires=Tue, 29 Apr 2025 23:10:12 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V5tkzd3wmh7JVrhLTN6Jk6HBCsMZ3Mm8ehO8YQOH5%2FiWtxPR%2BqFb7pyjQ40unc2pCwCFJvESBe2TQzJRiFTfWjNNMfZVucxLuo6N42h%2FgjsC4cgKtgv4tfW8hhEdTH3FzXsD"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fc8cc151afe6532-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=27533&min_rtt=26953&rtt_var=8654&sent=7&recv=8&lost=0&retrans=1&sent_bytes=3127&recv_bytes=584&delivery_rate=130556&cwnd=244&unsent_bytes=0&cid=893ab1dce6fdc534&ts=493&x=0"
  • flag-us
    DNS
    wholersorie.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    wholersorie.shop
    IN A
    Response
    wholersorie.shop
    IN A
    104.21.41.51
    wholersorie.shop
    IN A
    172.67.160.114
  • flag-us
    POST
    https://wholersorie.shop/api
    BitLockerToGo.exe
    Remote address:
    104.21.41.51:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: wholersorie.shop
    Response
    HTTP/1.1 200 OK
    Date: Sat, 04 Jan 2025 05:23:33 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=etfojomrlcgoj3qbnd2frmlvuj; expires=Tue, 29 Apr 2025 23:10:12 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SX3urG5ZIGMzm41K4WgD2l4HPXfOtRd7ePt9Lrk1JNU3xV9jAvcSAfHNC2j4jTpe%2BYZuX6xtql1iGhMSrNHIoUGvAXtBeLAxJ7NjzWEjFi2i%2BxmMNVDlcqNC1zG2F4IUkgxl"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fc8cc173a00cd60-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=27442&min_rtt=26319&rtt_var=7525&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2858&recv_bytes=584&delivery_rate=134095&cwnd=215&unsent_bytes=0&cid=4831d9eb51171422&ts=245&x=0"
  • flag-us
    DNS
    framekgirus.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    framekgirus.shop
    IN A
    Response
    framekgirus.shop
    IN A
    172.67.179.160
    framekgirus.shop
    IN A
    104.21.18.19
  • flag-us
    POST
    https://framekgirus.shop/api
    BitLockerToGo.exe
    Remote address:
    172.67.179.160:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: framekgirus.shop
    Response
    HTTP/1.1 200 OK
    Date: Sat, 04 Jan 2025 05:23:34 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=6na7j2gnefn9ps6cdf0cqfdrgs; expires=Tue, 29 Apr 2025 23:10:13 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P4W%2BPzU6vKCQyc82QfllIBdOhu7ZwLT1QXAkjU%2Fvd2hrG5pyA8Z58IE6%2FAKXYkaMgYKaOIeaLmK1%2FM64X6AESEx5%2F2UqyRu8Kbm7vT7ipOogtCzCQ6CvA6WKH9uCBDsRoMTj"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fc8cc194d7a63a0-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=27849&min_rtt=26190&rtt_var=8305&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2857&recv_bytes=584&delivery_rate=127637&cwnd=234&unsent_bytes=0&cid=2d834d889c983ee9&ts=223&x=0"
  • flag-us
    DNS
    tirepublicerj.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    tirepublicerj.shop
    IN A
    Response
    tirepublicerj.shop
    IN A
    104.21.16.1
    tirepublicerj.shop
    IN A
    104.21.80.1
    tirepublicerj.shop
    IN A
    104.21.48.1
    tirepublicerj.shop
    IN A
    104.21.96.1
    tirepublicerj.shop
    IN A
    104.21.112.1
    tirepublicerj.shop
    IN A
    104.21.32.1
    tirepublicerj.shop
    IN A
    104.21.64.1
  • flag-us
    DNS
    noisycuttej.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    noisycuttej.shop
    IN A
    Response
    noisycuttej.shop
    IN A
    104.21.71.146
    noisycuttej.shop
    IN A
    172.67.170.178
  • flag-us
    POST
    https://noisycuttej.shop/api
    BitLockerToGo.exe
    Remote address:
    104.21.71.146:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: noisycuttej.shop
    Response
    HTTP/1.1 200 OK
    Date: Sat, 04 Jan 2025 05:23:34 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=h6l1thck6pu3c5mjs5qlj2nvfk; expires=Tue, 29 Apr 2025 23:10:13 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3bxNlFkhhSmkNQ95Jurbupw6DNpmKoiQ9Cv2R3A1gKX90gWXxClzHSKdhnJT3Lx9QKCvmQBOfI2Kl9CACFAbSUGp%2BMafrkQ4IobsaWuySHYhwd%2F2DclXC%2BCm7TkvkqgAOge%2B"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fc8cc1d48bc7198-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=27153&min_rtt=26091&rtt_var=7235&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2860&recv_bytes=584&delivery_rate=135402&cwnd=243&unsent_bytes=0&cid=8a161e8f8b9a6d26&ts=244&x=0"
  • flag-us
    DNS
    rabidcowse.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    rabidcowse.shop
    IN A
    Response
    rabidcowse.shop
    IN A
    172.67.156.127
    rabidcowse.shop
    IN A
    104.21.7.224
  • flag-us
    POST
    https://rabidcowse.shop/api
    BitLockerToGo.exe
    Remote address:
    172.67.156.127:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: rabidcowse.shop
    Response
    HTTP/1.1 200 OK
    Date: Sat, 04 Jan 2025 05:23:35 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=um1mar0ac9jm4v51jvms13ehs3; expires=Tue, 29 Apr 2025 23:10:14 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AjiYFBAmOpamivxtxehbTDJjgekQemFxz1wQ4Uz7iT3t11fVpkTB4aYwB69CU7B7aTJ3RgfonwVxn00fY%2BrJkOP7un6iF76G0LDjv5aFnI2PdNZzwxF7p6tcRl1mm7Z84zI%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fc8cc1f582ccdad-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=27413&min_rtt=26344&rtt_var=7423&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2854&recv_bytes=583&delivery_rate=132610&cwnd=236&unsent_bytes=0&cid=228e5fefce58fd94&ts=239&x=0"
  • flag-us
    DNS
    cloudewahsj.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    cloudewahsj.shop
    IN A
    Response
    cloudewahsj.shop
    IN A
    104.21.96.1
    cloudewahsj.shop
    IN A
    104.21.16.1
    cloudewahsj.shop
    IN A
    104.21.64.1
    cloudewahsj.shop
    IN A
    104.21.48.1
    cloudewahsj.shop
    IN A
    104.21.32.1
    cloudewahsj.shop
    IN A
    104.21.112.1
    cloudewahsj.shop
    IN A
    104.21.80.1
  • flag-us
    POST
    https://cloudewahsj.shop/api
    BitLockerToGo.exe
    Remote address:
    104.21.96.1:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: cloudewahsj.shop
    Response
    HTTP/1.1 200 OK
    Date: Sat, 04 Jan 2025 05:23:35 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=gcc0t0ubpjjh0dp3m9te7tg8u4; expires=Tue, 29 Apr 2025 23:10:14 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F%2Fwki43f8xmtNHy7IcAXUlthcFkq%2FDkcQLamQKOPgLAxcTIOgaQnvRWsi%2BdHzyWr3fQXIyKGzKlYxbIGTaW0TAWwP0rJxeq%2B8i9o9%2FyM7Ffr2oa3YCr%2Bxv4Pez9iErag%2F1b2"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fc8cc216bc86364-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=27827&min_rtt=26474&rtt_var=8001&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2854&recv_bytes=584&delivery_rate=134805&cwnd=248&unsent_bytes=0&cid=e6dca9687a2d0858&ts=234&x=0"
  • flag-us
    DNS
    steamcommunity.com
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    steamcommunity.com
    IN A
    Response
    steamcommunity.com
    IN A
    23.214.143.155
  • flag-gb
    GET
    https://steamcommunity.com/profiles/76561199724331900
    BitLockerToGo.exe
    Remote address:
    23.214.143.155:443
    Request
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Sat, 04 Jan 2025 05:23:35 GMT
    Content-Length: 35588
    Connection: keep-alive
    Set-Cookie: sessionid=0ef0b16c0486e92eef9e91d5; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
  • flag-us
    DNS
    lev-tolstoi.com
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    lev-tolstoi.com
    IN A
    Response
  • 172.67.211.3:443
    https://wonderfulbelif.click/api
    tls, http
    BitLockerToGo.exe
    984 B
    4.5kB
    9
    9

    HTTP Request

    POST https://wonderfulbelif.click/api

    HTTP Response

    200
  • 104.21.96.1:443
    https://abruptyopsn.shop/api
    tls, http
    BitLockerToGo.exe
    1.0kB
    4.7kB
    10
    10

    HTTP Request

    POST https://abruptyopsn.shop/api

    HTTP Response

    200
  • 104.21.41.51:443
    https://wholersorie.shop/api
    tls, http
    BitLockerToGo.exe
    980 B
    4.4kB
    9
    9

    HTTP Request

    POST https://wholersorie.shop/api

    HTTP Response

    200
  • 172.67.179.160:443
    https://framekgirus.shop/api
    tls, http
    BitLockerToGo.exe
    980 B
    4.4kB
    9
    9

    HTTP Request

    POST https://framekgirus.shop/api

    HTTP Response

    200
  • 104.21.16.1:443
    tirepublicerj.shop
    tls
    BitLockerToGo.exe
    982 B
    4.5kB
    9
    9
  • 104.21.71.146:443
    https://noisycuttej.shop/api
    tls, http
    BitLockerToGo.exe
    980 B
    4.4kB
    9
    9

    HTTP Request

    POST https://noisycuttej.shop/api

    HTTP Response

    200
  • 172.67.156.127:443
    https://rabidcowse.shop/api
    tls, http
    BitLockerToGo.exe
    979 B
    4.4kB
    9
    9

    HTTP Request

    POST https://rabidcowse.shop/api

    HTTP Response

    200
  • 104.21.96.1:443
    https://cloudewahsj.shop/api
    tls, http
    BitLockerToGo.exe
    980 B
    4.5kB
    9
    9

    HTTP Request

    POST https://cloudewahsj.shop/api

    HTTP Response

    200
  • 23.214.143.155:443
    https://steamcommunity.com/profiles/76561199724331900
    tls, http
    BitLockerToGo.exe
    1.5kB
    42.9kB
    21
    36

    HTTP Request

    GET https://steamcommunity.com/profiles/76561199724331900

    HTTP Response

    200
  • 8.8.8.8:53
    wonderfulbelif.click
    dns
    BitLockerToGo.exe
    66 B
    98 B
    1
    1

    DNS Request

    wonderfulbelif.click

    DNS Response

    172.67.211.3
    104.21.69.179

  • 8.8.8.8:53
    nearycrepso.shop
    dns
    BitLockerToGo.exe
    62 B
    119 B
    1
    1

    DNS Request

    nearycrepso.shop

  • 8.8.8.8:53
    abruptyopsn.shop
    dns
    BitLockerToGo.exe
    62 B
    174 B
    1
    1

    DNS Request

    abruptyopsn.shop

    DNS Response

    104.21.96.1
    104.21.80.1
    104.21.16.1
    104.21.112.1
    104.21.64.1
    104.21.32.1
    104.21.48.1

  • 8.8.8.8:53
    wholersorie.shop
    dns
    BitLockerToGo.exe
    62 B
    94 B
    1
    1

    DNS Request

    wholersorie.shop

    DNS Response

    104.21.41.51
    172.67.160.114

  • 8.8.8.8:53
    framekgirus.shop
    dns
    BitLockerToGo.exe
    62 B
    94 B
    1
    1

    DNS Request

    framekgirus.shop

    DNS Response

    172.67.179.160
    104.21.18.19

  • 8.8.8.8:53
    tirepublicerj.shop
    dns
    BitLockerToGo.exe
    64 B
    176 B
    1
    1

    DNS Request

    tirepublicerj.shop

    DNS Response

    104.21.16.1
    104.21.80.1
    104.21.48.1
    104.21.96.1
    104.21.112.1
    104.21.32.1
    104.21.64.1

  • 8.8.8.8:53
    noisycuttej.shop
    dns
    BitLockerToGo.exe
    62 B
    94 B
    1
    1

    DNS Request

    noisycuttej.shop

    DNS Response

    104.21.71.146
    172.67.170.178

  • 8.8.8.8:53
    rabidcowse.shop
    dns
    BitLockerToGo.exe
    61 B
    93 B
    1
    1

    DNS Request

    rabidcowse.shop

    DNS Response

    172.67.156.127
    104.21.7.224

  • 8.8.8.8:53
    cloudewahsj.shop
    dns
    BitLockerToGo.exe
    62 B
    174 B
    1
    1

    DNS Request

    cloudewahsj.shop

    DNS Response

    104.21.96.1
    104.21.16.1
    104.21.64.1
    104.21.48.1
    104.21.32.1
    104.21.112.1
    104.21.80.1

  • 8.8.8.8:53
    steamcommunity.com
    dns
    BitLockerToGo.exe
    64 B
    80 B
    1
    1

    DNS Request

    steamcommunity.com

    DNS Response

    23.214.143.155

  • 8.8.8.8:53
    lev-tolstoi.com
    dns
    BitLockerToGo.exe
    61 B
    134 B
    1
    1

    DNS Request

    lev-tolstoi.com

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab86CE.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar86F0.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • memory/2144-0-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

  • memory/2144-1-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

  • memory/2144-2-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

  • memory/2144-3-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

  • memory/2144-74-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.