Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2025-01-04...ch.exe

windows7-x64

10

2025-01-04...ch.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/01/2025, 09:49 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-04_67c0ed53f5a4a23f87792fb49f6620d4_frostygoop_poet-rat_snatch.exe

  • Size

    7.1MB

  • MD5

    67c0ed53f5a4a23f87792fb49f6620d4

  • SHA1

    c06ad38ab73088f9720d2cc12e84d32df92c0719

  • SHA256

    102ba13de3ff5a61e31e5f737b2f93aa1a77807278fbd2632501f5217051957e

  • SHA512

    bf230cd0e8073c58fb963df282717ca9a98d1b5e11bc0387fa3443e6d023cd17a556640e422c843dd08952aba6106b9826dd3d978e2c168caa7c886bfae40e5e

  • SSDEEP

    49152:HNXM/JtyXby3HXLv4/sp/TiJkSPrOzq1cnzl/oWsM7sgyRgCPwpyl0it0iaVqkEe:tXr430/sp/YVPvcJpUB2jrEDqcHbJ

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

C2

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-04_67c0ed53f5a4a23f87792fb49f6620d4_frostygoop_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-04_67c0ed53f5a4a23f87792fb49f6620d4_frostygoop_poet-rat_snatch.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2796

Network

  • flag-us
    DNS
    cureprouderio.click
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    cureprouderio.click
    IN A
    Response
    cureprouderio.click
    IN A
    104.21.4.114
    cureprouderio.click
    IN A
    172.67.132.7
  • flag-us
    POST
    https://cureprouderio.click/api
    BitLockerToGo.exe
    Remote address:
    104.21.4.114:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: cureprouderio.click
    Response
    HTTP/1.1 200 OK
    Date: Sat, 04 Jan 2025 09:49:34 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=rslimdrgijefg248d16h126l4a; expires=Wed, 30 Apr 2025 03:36:13 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9yr%2BEkZYJpdOv8PHv4N%2BA%2FO5RJaS%2BoRiShA8KX1A2fWBNn4GwSqdKlPbK3B2d3A%2FJR2z%2BkmZ49pvlXoQ5HUh50na%2BBseZGe9pi%2BFneCb6Oh7dJLhVe1%2FpYSc6HVYXZMctd0GLmEo"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fca51c15820cd8d-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=60945&min_rtt=59378&rtt_var=19593&sent=7&recv=7&lost=0&retrans=1&sent_bytes=2927&recv_bytes=587&delivery_rate=59409&cwnd=252&unsent_bytes=0&cid=9d5792fc1caa2fab&ts=655&x=0"
  • flag-us
    DNS
    nearycrepso.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    nearycrepso.shop
    IN A
    Response
  • flag-us
    DNS
    abruptyopsn.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    abruptyopsn.shop
    IN A
    Response
    abruptyopsn.shop
    IN A
    104.21.80.1
    abruptyopsn.shop
    IN A
    104.21.96.1
    abruptyopsn.shop
    IN A
    104.21.48.1
    abruptyopsn.shop
    IN A
    104.21.16.1
    abruptyopsn.shop
    IN A
    104.21.112.1
    abruptyopsn.shop
    IN A
    104.21.64.1
    abruptyopsn.shop
    IN A
    104.21.32.1
  • flag-us
    POST
    https://abruptyopsn.shop/api
    BitLockerToGo.exe
    Remote address:
    104.21.80.1:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: abruptyopsn.shop
    Response
    HTTP/1.1 200 OK
    Date: Sat, 04 Jan 2025 09:49:35 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=p2eui9bev317ias5mkt0b5i648; expires=Wed, 30 Apr 2025 03:36:14 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GhY8zhOjbPUtcZIVzQAUkaOYOnEUOl1Y8Ngdi6dT%2FPmQ7ZP%2Fn8DVgGBuFKatFlcIbI7vyV67sgF6HUx3MogyCto%2BbeAWZORbXeUejLHKAYWXFn2MewXW8qtJqYG8xeAMI0fv"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fca51c71e8a3da0-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=61003&min_rtt=59322&rtt_var=20021&sent=7&recv=9&lost=0&retrans=1&sent_bytes=3127&recv_bytes=584&delivery_rate=56230&cwnd=253&unsent_bytes=0&cid=69587d424f72a232&ts=646&x=0"
  • flag-us
    DNS
    wholersorie.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    wholersorie.shop
    IN A
    Response
    wholersorie.shop
    IN A
    172.67.160.114
    wholersorie.shop
    IN A
    104.21.41.51
  • flag-us
    POST
    https://wholersorie.shop/api
    BitLockerToGo.exe
    Remote address:
    172.67.160.114:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: wholersorie.shop
    Response
    HTTP/1.1 200 OK
    Date: Sat, 04 Jan 2025 09:49:36 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=a9lvl868adgenfij2684ak8dq4; expires=Wed, 30 Apr 2025 03:36:15 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FxqvNTl77i06fRS9TVKEKlbBRYV768O1i6OZMqMcs7D8VZxLg%2FUfdB7jRQ1%2BCFhVvdmJ%2FVuT8aelcWfll9rDEvSPmIqLvptdXytn%2FI6KXArQiIJq651sXlYAdJBJ4rYlzd1V"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fca51cc19264968-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=60538&min_rtt=59019&rtt_var=19595&sent=7&recv=7&lost=0&retrans=1&sent_bytes=2918&recv_bytes=584&delivery_rate=57687&cwnd=250&unsent_bytes=0&cid=88fa27394aa054cf&ts=638&x=0"
  • flag-us
    DNS
    framekgirus.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    framekgirus.shop
    IN A
    Response
    framekgirus.shop
    IN A
    172.67.179.160
    framekgirus.shop
    IN A
    104.21.18.19
  • flag-us
    DNS
    tirepublicerj.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    tirepublicerj.shop
    IN A
    Response
    tirepublicerj.shop
    IN A
    104.21.112.1
    tirepublicerj.shop
    IN A
    104.21.64.1
    tirepublicerj.shop
    IN A
    104.21.48.1
    tirepublicerj.shop
    IN A
    104.21.32.1
    tirepublicerj.shop
    IN A
    104.21.80.1
    tirepublicerj.shop
    IN A
    104.21.96.1
    tirepublicerj.shop
    IN A
    104.21.16.1
  • flag-us
    POST
    https://tirepublicerj.shop/api
    BitLockerToGo.exe
    Remote address:
    104.21.112.1:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: tirepublicerj.shop
    Response
    HTTP/1.1 200 OK
    Date: Sat, 04 Jan 2025 09:49:37 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=fo7nt7srqq0nhcdkbfjnbbsmdm; expires=Wed, 30 Apr 2025 03:36:16 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4uWXxg6T39ol4XXFv0Tb72wdiQZH30ndz5s5qbRUcbWmmjNkwXKwTeGVgGNa6FpmCYP8a4Lnbe1ExQl9z4P0WTg6OiFHs07EHkKllbuEt9deiAPrrlp8QQYaHEGwGabp3b3ubMo%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fca51d2985abd6f-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=65570&min_rtt=62127&rtt_var=17484&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2861&recv_bytes=586&delivery_rate=61810&cwnd=253&unsent_bytes=0&cid=35971cde1fa70102&ts=338&x=0"
  • flag-us
    DNS
    noisycuttej.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    noisycuttej.shop
    IN A
    Response
    noisycuttej.shop
    IN A
    104.21.71.146
    noisycuttej.shop
    IN A
    172.67.170.178
  • flag-us
    DNS
    noisycuttej.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    noisycuttej.shop
    IN A
  • flag-us
    POST
    https://noisycuttej.shop/api
    BitLockerToGo.exe
    Remote address:
    104.21.71.146:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: noisycuttej.shop
    Response
    HTTP/1.1 200 OK
    Date: Sat, 04 Jan 2025 09:49:38 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=acuac5u2co7odprhdercns7vns; expires=Wed, 30 Apr 2025 03:36:17 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ljJR3Go4v2rV7ZY2ec6hoCaMebbqN9UzLYvFNveIqMQ9OJl7enzJFBdg9%2FYbbLeG0qH%2FRxLSutd1V9X%2Bs2iJwpsrZAKr7SLbjefU3JcEbG6Ruhc1uifsS18vKHhzn1T60xWf"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fca51dc2889d1fe-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=61186&min_rtt=59413&rtt_var=15584&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2859&recv_bytes=584&delivery_rate=60971&cwnd=253&unsent_bytes=0&cid=72454cdc66dd1e58&ts=305&x=0"
  • flag-us
    DNS
    rabidcowse.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    rabidcowse.shop
    IN A
    Response
    rabidcowse.shop
    IN A
    172.67.156.127
    rabidcowse.shop
    IN A
    104.21.7.224
  • flag-us
    POST
    https://rabidcowse.shop/api
    BitLockerToGo.exe
    Remote address:
    172.67.156.127:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: rabidcowse.shop
    Response
    HTTP/1.1 200 OK
    Date: Sat, 04 Jan 2025 09:49:39 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=1s1gbqcjpidt96t5876lgheb47; expires=Wed, 30 Apr 2025 03:36:18 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RVEjAqcNqmZew9Q4%2B1jeSIJRp3MJ0S6f5r9uw%2B06eJloiDR5pH8IVqPCwpPF3KjikVoLjaA%2BRI4b7of9cvkMbGuY0lP3Grr%2FYH6wJf7FAGWthGDKhShY26yQwEQNYuoXcIc%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fca51df4f4763dc-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=62110&min_rtt=59846&rtt_var=15690&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2853&recv_bytes=583&delivery_rate=60972&cwnd=196&unsent_bytes=0&cid=42b2789088a0397b&ts=333&x=0"
  • flag-us
    DNS
    cloudewahsj.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    cloudewahsj.shop
    IN A
    Response
    cloudewahsj.shop
    IN A
    104.21.112.1
    cloudewahsj.shop
    IN A
    104.21.32.1
    cloudewahsj.shop
    IN A
    104.21.80.1
    cloudewahsj.shop
    IN A
    104.21.96.1
    cloudewahsj.shop
    IN A
    104.21.64.1
    cloudewahsj.shop
    IN A
    104.21.48.1
    cloudewahsj.shop
    IN A
    104.21.16.1
  • flag-us
    POST
    https://cloudewahsj.shop/api
    BitLockerToGo.exe
    Remote address:
    104.21.112.1:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: cloudewahsj.shop
    Response
    HTTP/1.1 200 OK
    Date: Sat, 04 Jan 2025 09:49:39 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=23o3ugqbplro82tc7frjb59ekr; expires=Wed, 30 Apr 2025 03:36:18 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XOSQhlh6lN8uN4Hlt2Zqpglu5d0K%2BoXOb3JlLv4P901G9tslocVmxvnVxFKP3OZm4ZuC%2F8cmlYGE7R1plwOEQaplx7U0xTmo29VofrI6BqVMjfFGXa1%2B%2BUFOq7CaxLMWVFfJ"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fca51e28883cd14-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=61700&min_rtt=59244&rtt_var=16326&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2854&recv_bytes=584&delivery_rate=60664&cwnd=253&unsent_bytes=0&cid=8d45fb77b03ec242&ts=325&x=0"
  • flag-us
    DNS
    steamcommunity.com
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    steamcommunity.com
    IN A
    Response
    steamcommunity.com
    IN A
    23.214.143.155
  • flag-gb
    GET
    https://steamcommunity.com/profiles/76561199724331900
    BitLockerToGo.exe
    Remote address:
    23.214.143.155:443
    Request
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Sat, 04 Jan 2025 09:49:40 GMT
    Content-Length: 35588
    Connection: keep-alive
    Set-Cookie: sessionid=1e80244b15e3d543a8604d8c; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
  • flag-us
    DNS
    lev-tolstoi.com
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    lev-tolstoi.com
    IN A
    Response
  • 104.21.4.114:443
    https://cureprouderio.click/api
    tls, http
    BitLockerToGo.exe
    1.4kB
     4.6kB
     11
    10

    HTTP Request

    POST https://cureprouderio.click/api

    HTTP Response

    200
  • 104.21.80.1:443
    https://abruptyopsn.shop/api
    tls, http
    BitLockerToGo.exe
    1.1kB
     4.7kB
     11
    10

    HTTP Request

    POST https://abruptyopsn.shop/api

    HTTP Response

    200
  • 172.67.160.114:443
    https://wholersorie.shop/api
    tls, http
    BitLockerToGo.exe
    1.4kB
     4.5kB
     11
    10

    HTTP Request

    POST https://wholersorie.shop/api

    HTTP Response

    200
  • 172.67.179.160:443
    framekgirus.shop
    tls
    BitLockerToGo.exe
    980 B
     4.4kB
     9
    9
  • 104.21.112.1:443
    https://tirepublicerj.shop/api
    tls, http
    BitLockerToGo.exe
    1.0kB
     4.5kB
     10
    10

    HTTP Request

    POST https://tirepublicerj.shop/api

    HTTP Response

    200
  • 104.21.71.146:443
    https://noisycuttej.shop/api
    tls, http
    BitLockerToGo.exe
    980 B
     4.4kB
     9
    9

    HTTP Request

    POST https://noisycuttej.shop/api

    HTTP Response

    200
  • 172.67.156.127:443
    https://rabidcowse.shop/api
    tls, http
    BitLockerToGo.exe
    979 B
     4.4kB
     9
    9

    HTTP Request

    POST https://rabidcowse.shop/api

    HTTP Response

    200
  • 104.21.112.1:443
    https://cloudewahsj.shop/api
    tls, http
    BitLockerToGo.exe
    980 B
     4.4kB
     9
    9

    HTTP Request

    POST https://cloudewahsj.shop/api

    HTTP Response

    200
  • 23.214.143.155:443
    https://steamcommunity.com/profiles/76561199724331900
    tls, http
    BitLockerToGo.exe
    1.6kB
     42.9kB
     24
    37

    HTTP Request

    GET https://steamcommunity.com/profiles/76561199724331900

    HTTP Response

    200
  • 8.8.8.8:53
    cureprouderio.click
    dns
    BitLockerToGo.exe
    65 B
     97 B
     1
    1

    DNS Request

    cureprouderio.click

    DNS Response

    104.21.4.114
    172.67.132.7

  • 8.8.8.8:53
    nearycrepso.shop
    dns
    BitLockerToGo.exe
    62 B
     119 B
     1
    1

    DNS Request

    nearycrepso.shop

  • 8.8.8.8:53
    abruptyopsn.shop
    dns
    BitLockerToGo.exe
    62 B
     174 B
     1
    1

    DNS Request

    abruptyopsn.shop

    DNS Response

    104.21.80.1
    104.21.96.1
    104.21.48.1
    104.21.16.1
    104.21.112.1
    104.21.64.1
    104.21.32.1

  • 8.8.8.8:53
    wholersorie.shop
    dns
    BitLockerToGo.exe
    62 B
     94 B
     1
    1

    DNS Request

    wholersorie.shop

    DNS Response

    172.67.160.114
    104.21.41.51

  • 8.8.8.8:53
    framekgirus.shop
    dns
    BitLockerToGo.exe
    62 B
     94 B
     1
    1

    DNS Request

    framekgirus.shop

    DNS Response

    172.67.179.160
    104.21.18.19

  • 8.8.8.8:53
    tirepublicerj.shop
    dns
    BitLockerToGo.exe
    64 B
     176 B
     1
    1

    DNS Request

    tirepublicerj.shop

    DNS Response

    104.21.112.1
    104.21.64.1
    104.21.48.1
    104.21.32.1
    104.21.80.1
    104.21.96.1
    104.21.16.1

  • 8.8.8.8:53
    noisycuttej.shop
    dns
    BitLockerToGo.exe
    124 B
     94 B
     2
    1

    DNS Request

    noisycuttej.shop

    DNS Request

    noisycuttej.shop

    DNS Response

    104.21.71.146
    172.67.170.178

  • 8.8.8.8:53
    rabidcowse.shop
    dns
    BitLockerToGo.exe
    61 B
     93 B
     1
    1

    DNS Request

    rabidcowse.shop

    DNS Response

    172.67.156.127
    104.21.7.224

  • 8.8.8.8:53
    cloudewahsj.shop
    dns
    BitLockerToGo.exe
    62 B
     174 B
     1
    1

    DNS Request

    cloudewahsj.shop

    DNS Response

    104.21.112.1
    104.21.32.1
    104.21.80.1
    104.21.96.1
    104.21.64.1
    104.21.48.1
    104.21.16.1

  • 8.8.8.8:53
    steamcommunity.com
    dns
    BitLockerToGo.exe
    64 B
     80 B
     1
    1

    DNS Request

    steamcommunity.com

    DNS Response

    23.214.143.155

  • 8.8.8.8:53
    lev-tolstoi.com
    dns
    BitLockerToGo.exe
    61 B
     134 B
     1
    1

    DNS Request

    lev-tolstoi.com

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab191E.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar1931.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • memory/2796-0-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2796-3-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2796-2-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2796-1-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2796-74-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.