Analysis

  • max time kernel
    93s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-01-2025 10:49

General

  • Target

    2025-01-05_9fa984f10a6fe0b8d692e932a8407d15_frostygoop_poet-rat_snatch.exe

  • Size

    9.5MB

  • MD5

    9fa984f10a6fe0b8d692e932a8407d15

  • SHA1

    9cecb394f1b3aa835b25f6b87b7061352327ec1b

  • SHA256

    590b47db4ed9f8a998734698caa65414ecf52d2eb98eb17febc462b9274fa0ad

  • SHA512

    35f2105019f383a17435e571a86372369c91fa9cbe01a99aa8f1b0ba5ea64c9fd09f14a8fcb3eb346c34dc64933cd430502475b66b400eba4e65b2a8076573f1

  • SSDEEP

    98304:IuRtIIs6Ks1Gus/JmCkdNjb1o3MK030WgFuqIwTJmk+h:Vq7kdNS8/08mJmVh

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

C2

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-05_9fa984f10a6fe0b8d692e932a8407d15_frostygoop_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-05_9fa984f10a6fe0b8d692e932a8407d15_frostygoop_poet-rat_snatch.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:100
    • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1504

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    151.133.100.95.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    151.133.100.95.in-addr.arpa
    IN PTR
    Response
    151.133.100.95.in-addr.arpa
    IN PTR
    a95-100-133-151deploystaticakamaitechnologiescom
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    aboriginalkyv.click
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    aboriginalkyv.click
    IN A
    Response
    aboriginalkyv.click
    IN A
    172.67.186.29
    aboriginalkyv.click
    IN A
    104.21.76.30
  • flag-us
    POST
    https://aboriginalkyv.click/api
    BitLockerToGo.exe
    Remote address:
    172.67.186.29:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: aboriginalkyv.click
    Response
    HTTP/1.1 200 OK
    Date: Sun, 05 Jan 2025 10:50:24 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=g696em1ifanqdnah2bfq6gpqe7; expires=Thu, 01 May 2025 04:37:03 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F3DS%2FRu6BuHa%2FvNXbdfYMbMu4M5sDEvmDHFeTa9dtRS3od0usZw3DOdJkCKdN34m04o5g3p89gFdxlzBmPslOvzQJeIC3biSwumxXq1pFHaVfxzqI8pZuu9%2B9RxflZNTKqRdqayV"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd2e83b4d56e900-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=65331&min_rtt=59063&rtt_var=24557&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3305&recv_bytes=611&delivery_rate=62298&cwnd=252&unsent_bytes=0&cid=96d0cc3cec940222&ts=354&x=0"
  • flag-us
    DNS
    nearycrepso.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    nearycrepso.shop
    IN A
    Response
  • flag-us
    DNS
    abruptyopsn.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    abruptyopsn.shop
    IN A
    Response
    abruptyopsn.shop
    IN A
    104.21.96.1
    abruptyopsn.shop
    IN A
    104.21.48.1
    abruptyopsn.shop
    IN A
    104.21.64.1
    abruptyopsn.shop
    IN A
    104.21.16.1
    abruptyopsn.shop
    IN A
    104.21.32.1
    abruptyopsn.shop
    IN A
    104.21.112.1
    abruptyopsn.shop
    IN A
    104.21.80.1
  • flag-us
    POST
    https://abruptyopsn.shop/api
    BitLockerToGo.exe
    Remote address:
    104.21.96.1:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: abruptyopsn.shop
    Response
    HTTP/1.1 200 OK
    Date: Sun, 05 Jan 2025 10:50:24 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=gvv2r2ekfsvpusmnb217npq5gg; expires=Thu, 01 May 2025 04:37:03 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LXtYPxJJNqy59CdPBbC5ai6HHk6ziAonFc0i9ZGWbkMUB%2BUudJ2%2BgHt7rRutbMf3vWbseaI4xlgPjedccvxoTGhMZ4qUMb8pdbbDa6gowLe5Zxw3qFBqr%2BFahBa88WuTmPTH"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd2e83ee9c3ef25-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=62116&min_rtt=59302&rtt_var=16570&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3508&recv_bytes=605&delivery_rate=51084&cwnd=253&unsent_bytes=0&cid=341aa38454018ab2&ts=301&x=0"
  • flag-us
    DNS
    wholersorie.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    wholersorie.shop
    IN A
    Response
    wholersorie.shop
    IN A
    104.21.41.51
    wholersorie.shop
    IN A
    172.67.160.114
  • flag-us
    POST
    https://wholersorie.shop/api
    BitLockerToGo.exe
    Remote address:
    104.21.41.51:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: wholersorie.shop
    Response
    HTTP/1.1 200 OK
    Date: Sun, 05 Jan 2025 10:50:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=1l0h2023pbakkrndkfn0uv1t9n; expires=Thu, 01 May 2025 04:37:04 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C1%2F%2BVrLwCoBYUBmAwJz%2Bng%2FW5InDI8wNW3QN%2BMqCRfD4Ki%2B9OiMdbIknOP0TgWWGKabQGkv5cvTSvFOwwu1wuaLC5G7E35X%2B3Ef6KsrWwgg1qxZCjbwURUvtPPXnDkNPYmZq"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd2e841fa48e913-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=60853&min_rtt=59161&rtt_var=14916&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3299&recv_bytes=605&delivery_rate=62793&cwnd=253&unsent_bytes=0&cid=cc20fd46427e8f20&ts=306&x=0"
  • flag-us
    DNS
    29.186.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.186.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    1.96.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.96.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    framekgirus.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    framekgirus.shop
    IN A
    Response
    framekgirus.shop
    IN A
    104.21.18.19
    framekgirus.shop
    IN A
    172.67.179.160
  • flag-us
    POST
    https://framekgirus.shop/api
    BitLockerToGo.exe
    Remote address:
    104.21.18.19:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: framekgirus.shop
    Response
    HTTP/1.1 200 OK
    Date: Sun, 05 Jan 2025 10:50:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=mqd2s2p5r88psss57c1pm3jjmq; expires=Thu, 01 May 2025 04:37:04 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VHo5%2FdAmRJsR1WGY5J8peVQxsiRe2hNyjXGc%2FXUFq9%2BuxWmcUKgBQFPm1WmYpxAfHEMTwrCswNpcQK4K6l6dGArg1xIjQZNc0dTNziJiyhaeXuV94NqV6gdIxTBrOHvLKqkY"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd2e8450b6ccd82-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=61618&min_rtt=59320&rtt_var=16369&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3295&recv_bytes=605&delivery_rate=62071&cwnd=253&unsent_bytes=0&cid=7904223ef7d5614f&ts=326&x=0"
  • flag-us
    DNS
    tirepublicerj.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    tirepublicerj.shop
    IN A
    Response
    tirepublicerj.shop
    IN A
    104.21.48.1
    tirepublicerj.shop
    IN A
    104.21.64.1
    tirepublicerj.shop
    IN A
    104.21.16.1
    tirepublicerj.shop
    IN A
    104.21.32.1
    tirepublicerj.shop
    IN A
    104.21.96.1
    tirepublicerj.shop
    IN A
    104.21.112.1
    tirepublicerj.shop
    IN A
    104.21.80.1
  • flag-us
    POST
    https://tirepublicerj.shop/api
    BitLockerToGo.exe
    Remote address:
    104.21.48.1:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: tirepublicerj.shop
    Response
    HTTP/1.1 200 OK
    Date: Sun, 05 Jan 2025 10:50:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=0c4irmcehmhcviqke67n1ep5d1; expires=Thu, 01 May 2025 04:37:05 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q8%2Fd%2FtDZpieDY7xP2p5tqem%2Byky5g%2BH%2FYEkd4tA14ku01xtgY85593exUssa%2FZ2m13ro3wK69zFdKh4uCcR4K7O0Qo9CgwPQIUZmGTsERySCiDQZS5rcwwVDfHrkpoypBbhSnKQ%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd2e8483e4e93f2-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=60974&min_rtt=59306&rtt_var=15512&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3302&recv_bytes=609&delivery_rate=63145&cwnd=253&unsent_bytes=0&cid=e369adbfc1be79d2&ts=292&x=0"
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    51.41.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    51.41.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    19.18.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.18.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    noisycuttej.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    noisycuttej.shop
    IN A
    Response
    noisycuttej.shop
    IN A
    104.21.71.146
    noisycuttej.shop
    IN A
    172.67.170.178
  • flag-us
    POST
    https://noisycuttej.shop/api
    BitLockerToGo.exe
    Remote address:
    104.21.71.146:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: noisycuttej.shop
    Response
    HTTP/1.1 200 OK
    Date: Sun, 05 Jan 2025 10:50:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=9vimnk4rnd6r0eakbojd22tau7; expires=Thu, 01 May 2025 04:37:05 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9EtaE8MAS282YD7eAA36aOFBW4jkHlXq%2B7Uwo%2Bxb5pkv%2BoJnc3XAAV7TCxerVpueS71xFrqgA3q1t6sxRp%2BNHMKbcz2nSUX14S3nCzZY4xFmCygRUgeM%2FIU1z6dVISfZn%2BME"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd2e84b3bdf63c4-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=60808&min_rtt=59183&rtt_var=15023&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3299&recv_bytes=605&delivery_rate=62881&cwnd=250&unsent_bytes=0&cid=60083ab698b957d5&ts=300&x=0"
  • flag-us
    DNS
    rabidcowse.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    rabidcowse.shop
    IN A
    Response
    rabidcowse.shop
    IN A
    172.67.156.127
    rabidcowse.shop
    IN A
    104.21.7.224
  • flag-us
    POST
    https://rabidcowse.shop/api
    BitLockerToGo.exe
    Remote address:
    172.67.156.127:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: rabidcowse.shop
    Response
    HTTP/1.1 200 OK
    Date: Sun, 05 Jan 2025 10:50:27 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=aug5946q5iai0bjkdgvfq9dqre; expires=Thu, 01 May 2025 04:37:06 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=59AorkO%2FqNPc806a%2By8%2BSu%2BUtA%2B%2FUtf8m%2FPD%2FkvlcMn0nFF7OwNpyVoCeM2I5T8CC9MCF0D%2BispPzDBhRH8R6SGbUoeq81K8dS9K3T7F28TEy7lMUzFsLRk224u8dx5fW5k%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd2e84e3d1194de-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=59800&min_rtt=59077&rtt_var=13585&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3293&recv_bytes=603&delivery_rate=63469&cwnd=253&unsent_bytes=0&cid=4aa4c561d39f57a8&ts=301&x=0"
  • flag-us
    DNS
    1.48.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.48.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    146.71.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.71.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    cloudewahsj.shop
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    cloudewahsj.shop
    IN A
    Response
    cloudewahsj.shop
    IN A
    104.21.80.1
    cloudewahsj.shop
    IN A
    104.21.96.1
    cloudewahsj.shop
    IN A
    104.21.64.1
    cloudewahsj.shop
    IN A
    104.21.112.1
    cloudewahsj.shop
    IN A
    104.21.16.1
    cloudewahsj.shop
    IN A
    104.21.32.1
    cloudewahsj.shop
    IN A
    104.21.48.1
  • flag-us
    POST
    https://cloudewahsj.shop/api
    BitLockerToGo.exe
    Remote address:
    104.21.80.1:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: cloudewahsj.shop
    Response
    HTTP/1.1 200 OK
    Date: Sun, 05 Jan 2025 10:50:27 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=ng96s8p1n7uqemv6o0tdt25fdo; expires=Thu, 01 May 2025 04:37:06 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i44K8lnywoJBpYFlO1OblFSwUz7lsRrlzZUoEcLJ8%2BsRhsUp8wQJ21p7w0i7sPRbLigGlx1x3KOguOr1EAh8GGPPSdKYW6zZ8ESPurSOLUKyCc%2Bc688cZBwc7q2%2F%2FGCcKeJ2"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd2e8515ff63853-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=61354&min_rtt=59287&rtt_var=15495&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3293&recv_bytes=605&delivery_rate=63017&cwnd=234&unsent_bytes=0&cid=0dae026c157a392d&ts=311&x=0"
  • flag-us
    DNS
    steamcommunity.com
    BitLockerToGo.exe
    Remote address:
    8.8.8.8:53
    Request
    steamcommunity.com
    IN A
    Response
    steamcommunity.com
    IN A
    104.82.131.75
  • flag-gb
    GET
    https://steamcommunity.com/profiles/76561199724331900
    BitLockerToGo.exe
    Remote address:
    104.82.131.75:443
    Request
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Sun, 05 Jan 2025 10:50:28 GMT
    Content-Length: 25984
    Connection: keep-alive
    Set-Cookie: sessionid=a57c1bb589bf9614bcb8d860; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    127.156.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    127.156.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    1.80.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.80.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    75.131.82.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.131.82.104.in-addr.arpa
    IN PTR
    Response
    75.131.82.104.in-addr.arpa
    IN PTR
    a104-82-131-75deploystaticakamaitechnologiescom
  • flag-us
    DNS
    23.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 172.67.186.29:443
    https://aboriginalkyv.click/api
    tls, http
    BitLockerToGo.exe
    1.0kB
    4.9kB
    9
    9

    HTTP Request

    POST https://aboriginalkyv.click/api

    HTTP Response

    200
  • 104.21.96.1:443
    https://abruptyopsn.shop/api
    tls, http
    BitLockerToGo.exe
    1.0kB
    5.1kB
    9
    9

    HTTP Request

    POST https://abruptyopsn.shop/api

    HTTP Response

    200
  • 104.21.41.51:443
    https://wholersorie.shop/api
    tls, http
    BitLockerToGo.exe
    1.0kB
    4.9kB
    9
    9

    HTTP Request

    POST https://wholersorie.shop/api

    HTTP Response

    200
  • 104.21.18.19:443
    https://framekgirus.shop/api
    tls, http
    BitLockerToGo.exe
    1.0kB
    4.9kB
    9
    9

    HTTP Request

    POST https://framekgirus.shop/api

    HTTP Response

    200
  • 104.21.48.1:443
    https://tirepublicerj.shop/api
    tls, http
    BitLockerToGo.exe
    1.0kB
    4.9kB
    9
    9

    HTTP Request

    POST https://tirepublicerj.shop/api

    HTTP Response

    200
  • 104.21.71.146:443
    https://noisycuttej.shop/api
    tls, http
    BitLockerToGo.exe
    1.0kB
    4.9kB
    9
    9

    HTTP Request

    POST https://noisycuttej.shop/api

    HTTP Response

    200
  • 172.67.156.127:443
    https://rabidcowse.shop/api
    tls, http
    BitLockerToGo.exe
    999 B
    4.9kB
    9
    9

    HTTP Request

    POST https://rabidcowse.shop/api

    HTTP Response

    200
  • 104.21.80.1:443
    https://cloudewahsj.shop/api
    tls, http
    BitLockerToGo.exe
    1.0kB
    4.9kB
    9
    9

    HTTP Request

    POST https://cloudewahsj.shop/api

    HTTP Response

    200
  • 104.82.131.75:443
    https://steamcommunity.com/profiles/76561199724331900
    tls, http
    BitLockerToGo.exe
    1.3kB
    33.2kB
    17
    29

    HTTP Request

    GET https://steamcommunity.com/profiles/76561199724331900

    HTTP Response

    200
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    151.133.100.95.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    151.133.100.95.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    76.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    76.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    aboriginalkyv.click
    dns
    BitLockerToGo.exe
    65 B
    97 B
    1
    1

    DNS Request

    aboriginalkyv.click

    DNS Response

    172.67.186.29
    104.21.76.30

  • 8.8.8.8:53
    nearycrepso.shop
    dns
    BitLockerToGo.exe
    62 B
    119 B
    1
    1

    DNS Request

    nearycrepso.shop

  • 8.8.8.8:53
    abruptyopsn.shop
    dns
    BitLockerToGo.exe
    62 B
    174 B
    1
    1

    DNS Request

    abruptyopsn.shop

    DNS Response

    104.21.96.1
    104.21.48.1
    104.21.64.1
    104.21.16.1
    104.21.32.1
    104.21.112.1
    104.21.80.1

  • 8.8.8.8:53
    wholersorie.shop
    dns
    BitLockerToGo.exe
    62 B
    94 B
    1
    1

    DNS Request

    wholersorie.shop

    DNS Response

    104.21.41.51
    172.67.160.114

  • 8.8.8.8:53
    29.186.67.172.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    29.186.67.172.in-addr.arpa

  • 8.8.8.8:53
    1.96.21.104.in-addr.arpa
    dns
    70 B
    132 B
    1
    1

    DNS Request

    1.96.21.104.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    framekgirus.shop
    dns
    BitLockerToGo.exe
    62 B
    94 B
    1
    1

    DNS Request

    framekgirus.shop

    DNS Response

    104.21.18.19
    172.67.179.160

  • 8.8.8.8:53
    tirepublicerj.shop
    dns
    BitLockerToGo.exe
    64 B
    176 B
    1
    1

    DNS Request

    tirepublicerj.shop

    DNS Response

    104.21.48.1
    104.21.64.1
    104.21.16.1
    104.21.32.1
    104.21.96.1
    104.21.112.1
    104.21.80.1

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    51.41.21.104.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    51.41.21.104.in-addr.arpa

  • 8.8.8.8:53
    19.18.21.104.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    19.18.21.104.in-addr.arpa

  • 8.8.8.8:53
    noisycuttej.shop
    dns
    BitLockerToGo.exe
    62 B
    94 B
    1
    1

    DNS Request

    noisycuttej.shop

    DNS Response

    104.21.71.146
    172.67.170.178

  • 8.8.8.8:53
    rabidcowse.shop
    dns
    BitLockerToGo.exe
    61 B
    93 B
    1
    1

    DNS Request

    rabidcowse.shop

    DNS Response

    172.67.156.127
    104.21.7.224

  • 8.8.8.8:53
    1.48.21.104.in-addr.arpa
    dns
    70 B
    132 B
    1
    1

    DNS Request

    1.48.21.104.in-addr.arpa

  • 8.8.8.8:53
    146.71.21.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    146.71.21.104.in-addr.arpa

  • 8.8.8.8:53
    cloudewahsj.shop
    dns
    BitLockerToGo.exe
    62 B
    174 B
    1
    1

    DNS Request

    cloudewahsj.shop

    DNS Response

    104.21.80.1
    104.21.96.1
    104.21.64.1
    104.21.112.1
    104.21.16.1
    104.21.32.1
    104.21.48.1

  • 8.8.8.8:53
    steamcommunity.com
    dns
    BitLockerToGo.exe
    64 B
    80 B
    1
    1

    DNS Request

    steamcommunity.com

    DNS Response

    104.82.131.75

  • 8.8.8.8:53
    127.156.67.172.in-addr.arpa
    dns
    73 B
    135 B
    1
    1

    DNS Request

    127.156.67.172.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    1.80.21.104.in-addr.arpa
    dns
    70 B
    132 B
    1
    1

    DNS Request

    1.80.21.104.in-addr.arpa

  • 8.8.8.8:53
    75.131.82.104.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    75.131.82.104.in-addr.arpa

  • 8.8.8.8:53
    23.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    23.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1504-0-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1504-1-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1504-2-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1504-3-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1504-4-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.