Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
14/01/2025, 19:03 UTC
General
-
Target
Upd_156_983_15.msi
-
Size
1.3MB
-
MD5
0cd2b95df897bd2037edff092699e169
-
SHA1
18c5d3394d9260c2641e06a58847b7a2818b8174
-
SHA256
3e50b308a6366677b3fed9579f8f13dc721ae30b1534591c0ce5e083c1923a9f
-
SHA512
b3015d2beb30d841f0fc1a46baf7b56664c23e10538b519b791d9cc9fc86602811d52eb328c3d7e0832d5dece0019e01985e0e97a63037217574e475f93c95b1
-
SSDEEP
24576:3z+Xe8tCex83Si8UCROEYG3VKcoBR9RXawxz6X3pvtL7rPVU6fB6bAogJQOVe:3D8tCq83KFROEUcoBRqwxMpvt/rPVRB8
Score
10/10
Malware Config
Extracted
Family
lumma
C2
https://handlequarte.shop/api
Signatures
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Blocklisted process makes network request 12 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 10 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 6 IoCs
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 43 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Upd_156_983_15.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Arrivisme\steamerrorreporter64.exe"C:\Users\Admin\AppData\Local\Temp\Arrivisme\steamerrorreporter64.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\FMNbg\steamerrorreporter64.exeC:\Users\Admin\AppData\Roaming\FMNbg\steamerrorreporter64.exe3⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe4⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E8" "0000000000000324"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
-
DNShandlequarte.shopRemote address:8.8.8.8:53Requesthandlequarte.shopIN AResponsehandlequarte.shopIN A172.67.186.121handlequarte.shopIN A104.21.19.140 -
POSThttps://handlequarte.shop/apiRemote address:172.67.186.121:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: handlequarte.shop
ResponseHTTP/1.1 200 OK
Date: Tue, 14 Jan 2025 19:04:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=beq8kipcsudv203sole2bi6ukn; expires=Sat, 10 May 2025 12:50:52 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RqOmaYs4hWfzoHXveU2SId2qr4%2FUiXxgWOmRvY4pYbl0%2B6pQOXuNbrqH15MwGCSO41tp3aFKvFfEVtP3bSYTk6ePjBDb5mLaxUaO8WdJr6%2BxpRaIh2w2y9I4V%2FOes%2FIxSKZtgA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901fe3fb4d7076ef-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=67198&min_rtt=48286&rtt_var=46839&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2859&recv_bytes=585&delivery_rate=69820&cwnd=251&unsent_bytes=0&cid=76c66496d0592c4a&ts=427&x=0"
-
DNSstrivehelpeu.bondRemote address:8.8.8.8:53Requeststrivehelpeu.bondIN AResponsestrivehelpeu.bondIN A104.21.49.103strivehelpeu.bondIN A172.67.161.160
-
POSThttps://strivehelpeu.bond/apiRemote address:104.21.49.103:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: strivehelpeu.bond
ResponseHTTP/1.1 200 OK
Date: Tue, 14 Jan 2025 19:04:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=1if63kkdainbeucc4vgs82q2aa; expires=Sat, 10 May 2025 12:50:52 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jXGgAo7i5deqkALrmJhUlrJNV4LrxJPmr7RspKWmU%2FdcACYIfgWCoKwpvaJ%2FxNiiC4yLF5L8eWNkfH9oKEb1sQ41Dj5gdW%2B%2BYr6XpqBvl25R9AYYmHuAWYAcNLk1wg7dnBOSbA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901fe3fe1c0fef15-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=48832&min_rtt=47224&rtt_var=12549&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2861&recv_bytes=585&delivery_rate=75911&cwnd=253&unsent_bytes=0&cid=16968849acadd68a&ts=282&x=0"
-
DNScrookedfoshe.bondRemote address:8.8.8.8:53Requestcrookedfoshe.bondIN AResponsecrookedfoshe.bondIN A104.21.96.1crookedfoshe.bondIN A104.21.112.1crookedfoshe.bondIN A104.21.48.1crookedfoshe.bondIN A104.21.64.1crookedfoshe.bondIN A104.21.32.1crookedfoshe.bondIN A104.21.80.1crookedfoshe.bondIN A104.21.16.1
-
POSThttps://crookedfoshe.bond/apiRemote address:104.21.96.1:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: crookedfoshe.bond
ResponseHTTP/1.1 200 OK
Date: Tue, 14 Jan 2025 19:04:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=cm565aiinls7t61cvevoej2en4; expires=Sat, 10 May 2025 12:50:53 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pj%2FgTHn4puwVNmryRBwwS5QKLtP52Xi3%2Fm2If9teGniZv5tS4Jf7UdvqeCUGEdW7qywbEIACgs6HeGq%2FPFUTy2G3UweqUjVtNQML2n6fXJYdVZnPjtZJTXAIrgOVYgFeprJu9Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901fe400de34ef1b-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=48489&min_rtt=47020&rtt_var=12583&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2859&recv_bytes=585&delivery_rate=79379&cwnd=253&unsent_bytes=0&cid=0db6b7b7e6c23319&ts=280&x=0"
-
DNSimmolatechallen.bondRemote address:8.8.8.8:53Requestimmolatechallen.bondIN AResponseimmolatechallen.bondIN A104.21.32.87immolatechallen.bondIN A172.67.185.74
-
POSThttps://immolatechallen.bond/apiRemote address:104.21.32.87:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: immolatechallen.bond
ResponseHTTP/1.1 200 OK
Date: Tue, 14 Jan 2025 19:04:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=5p93ibho467b208cugai0a65ck; expires=Sat, 10 May 2025 12:50:53 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MqYcpJAkR6tPpkANlJNWzduPnZXB2dwagNAqNjpubBaxrWc%2Bm0b%2FDp5GKPc5UaMoPFi8n4OXOLqEQcHs73AEaJs%2BmQyvWC1Sk5T3UUaqavrjvsAbPvOZsMqH5u6KtFpZjTzupzNoOQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901fe403a847cd1c-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=49044&min_rtt=47555&rtt_var=12381&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2870&recv_bytes=588&delivery_rate=78837&cwnd=253&unsent_bytes=0&cid=535caa3c9bff7917&ts=295&x=0"
-
DNSstripedre-lot.bondRemote address:8.8.8.8:53Requeststripedre-lot.bondIN AResponsestripedre-lot.bondIN A104.21.55.3stripedre-lot.bondIN A172.67.143.194
-
POSThttps://stripedre-lot.bond/apiRemote address:104.21.55.3:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: stripedre-lot.bond
ResponseHTTP/1.1 200 OK
Date: Tue, 14 Jan 2025 19:04:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=hjdqrf6rc5dtlv5ptkv48fifhk; expires=Sat, 10 May 2025 12:50:54 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7bW6hPAp%2FGWDPhplcXGUMbcl8sULsQOGsvv2x6RXXZ3tEBJHYth1Hl3unfVonfSOhAnNqnKg48%2BOqicrLy%2FTzWUz1IoCaCzuVd6Yr7YZibQvS%2FopRHNvqNJas%2BUH0nNudR8iv1g%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901fe4068eca9488-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=49053&min_rtt=47450&rtt_var=12811&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2865&recv_bytes=586&delivery_rate=75552&cwnd=252&unsent_bytes=0&cid=cf9b5ea249df3f83&ts=303&x=0"
-
DNSgrowthselec.bondRemote address:8.8.8.8:53Requestgrowthselec.bondIN AResponsegrowthselec.bondIN A104.21.48.1growthselec.bondIN A104.21.96.1growthselec.bondIN A104.21.32.1growthselec.bondIN A104.21.80.1growthselec.bondIN A104.21.112.1growthselec.bondIN A104.21.64.1growthselec.bondIN A104.21.16.1
-
POSThttps://growthselec.bond/apiRemote address:104.21.48.1:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: growthselec.bond
ResponseHTTP/1.1 200 OK
Date: Tue, 14 Jan 2025 19:04:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=1161tmnn88bt78ee7c5biqinfv; expires=Sat, 10 May 2025 12:50:54 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W3xszKLdwHB6AFWYb1O%2BI9Uv6cQia0HZLkxhWcvVlXYhX0o43cLakoam3mlkCZTXbVFFak5IDTyWrnsDbcM9R%2FmkYIsYI%2BASh%2BfZEwt%2B1JiKibL74Vt1XTqfiiTMHFtvjpah"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901fe4097c6848c8-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=49427&min_rtt=46937&rtt_var=13747&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2856&recv_bytes=584&delivery_rate=67822&cwnd=238&unsent_bytes=0&cid=94175f77a50fd9b3&ts=309&x=0"
-
DNSjarry-deatile.bondRemote address:8.8.8.8:53Requestjarry-deatile.bondIN AResponsejarry-deatile.bondIN A104.21.40.131jarry-deatile.bondIN A172.67.151.242
-
POSThttps://jarry-deatile.bond/apiRemote address:104.21.40.131:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: jarry-deatile.bond
ResponseHTTP/1.1 200 OK
Date: Tue, 14 Jan 2025 19:04:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=ddhhqmp6ch9jjnv0qsquu7ftnq; expires=Sat, 10 May 2025 12:50:55 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w2A9kobhVPrCg6Qu1FbMSMr800PTIp6k9d04iHhdbV%2BMpMBVUcyc0g8wgka8iKPlVCXr79s3J7zQXYeAaJovyIIPeYVKHeGEZ%2BqORBB440WpvcTt2VUmPeqooueMcjvfcbYq16o%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901fe40c7a166370-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=49281&min_rtt=47030&rtt_var=13585&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2865&recv_bytes=586&delivery_rate=71120&cwnd=253&unsent_bytes=0&cid=b40e7f909293b487&ts=366&x=0"
-
DNSpain-temper.bondRemote address:8.8.8.8:53Requestpain-temper.bondIN AResponsepain-temper.bondIN A104.21.73.40pain-temper.bondIN A172.67.140.28
-
POSThttps://pain-temper.bond/apiRemote address:104.21.73.40:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: pain-temper.bond
ResponseHTTP/1.1 200 OK
Date: Tue, 14 Jan 2025 19:04:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=kvg9726hr7eduvi5ii93fbhc66; expires=Sat, 10 May 2025 12:50:55 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tgvaO3ElHN299Z23%2Bm%2Fs%2FvGMaja9zPwCOV9lFhSo9vyFUyQHOawdknwwUzK7M8B0pUvgZxgAv65VO3LVM%2Be2uTZ%2F7ns%2FmOw5yNDD5z2oA7rccsgWfS2KN8UcSSce2OP3m3UZ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901fe40fce529439-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=49501&min_rtt=47727&rtt_var=12817&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2856&recv_bytes=584&delivery_rate=75089&cwnd=237&unsent_bytes=0&cid=c92ee9554e9291c2&ts=311&x=0"
-
DNSjarry-fixxer.bondRemote address:8.8.8.8:53Requestjarry-fixxer.bondIN AResponsejarry-fixxer.bondIN A172.67.214.67jarry-fixxer.bondIN A104.21.78.5
-
POSThttps://jarry-fixxer.bond/apiRemote address:172.67.214.67:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: jarry-fixxer.bond
ResponseHTTP/1.1 200 OK
Date: Tue, 14 Jan 2025 19:04:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=urii668i0octuaqtlatirca3vb; expires=Sat, 10 May 2025 12:50:56 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5Mxj8nAAyT9p4YFUQwZOyk3r2CzOO99sch4zw1CcCTYKNFbOw3Wu5brSTZSQIGitoSZHbzM2q4uXZtYCFynD28jXZfbrqGum02mL4kEeOxDhIoaebv5AsL4De1IhcNe4ReS2Wg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901fe412aa79ede7-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=48638&min_rtt=46735&rtt_var=13198&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2860&recv_bytes=585&delivery_rate=76223&cwnd=249&unsent_bytes=0&cid=deafbf38c872975f&ts=281&x=0"
-
DNSsteamcommunity.comRemote address:8.8.8.8:53Requeststeamcommunity.comIN AResponsesteamcommunity.comIN A23.214.143.155
-
GEThttps://steamcommunity.com/profiles/76561199724331900Remote address:23.214.143.155:443RequestGET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
ResponseHTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Tue, 14 Jan 2025 19:04:18 GMT
Content-Length: 35608
Connection: keep-alive
Set-Cookie: sessionid=aded8e59f360b50bc0e16f2b; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
-
DNSaleksandr-block.comRemote address:8.8.8.8:53Requestaleksandr-block.comIN AResponsealeksandr-block.comIN A172.67.164.157aleksandr-block.comIN A104.21.81.211
-
POSThttps://aleksandr-block.com/apiRemote address:172.67.164.157:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: aleksandr-block.com
ResponseHTTP/1.1 200 OK
Date: Tue, 14 Jan 2025 19:04:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=cuoc6rmnlo723c6994t3hiapji; expires=Sat, 10 May 2025 12:50:57 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mOkaWL0mP2JGqnm1GEUOcIwgXQ8pjF2Sgqoq4EBn76N307eB%2FKMw71fpbQetP%2FB5EzFoKT%2FD9rAvbo0LoyCnu9AtCftoZUdc3pKv1LfpD7e81k2v7MFyfnhTK2ewEccFhrmbdyw4"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901fe41bad3fbf0f-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=51372&min_rtt=47304&rtt_var=14326&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2863&recv_bytes=587&delivery_rate=76022&cwnd=253&unsent_bytes=0&cid=8e7dad6a1b095561&ts=339&x=0"
-
172.67.186.121:443https://handlequarte.shop/apitls, http
HTTP Request
POST https://handlequarte.shop/apiHTTP Response
200 -
104.21.49.103:443https://strivehelpeu.bond/apitls, http
HTTP Request
POST https://strivehelpeu.bond/apiHTTP Response
200 -
104.21.96.1:443https://crookedfoshe.bond/apitls, http
HTTP Request
POST https://crookedfoshe.bond/apiHTTP Response
200 -
104.21.32.87:443https://immolatechallen.bond/apitls, http
HTTP Request
POST https://immolatechallen.bond/apiHTTP Response
200 -
104.21.55.3:443https://stripedre-lot.bond/apitls, http
HTTP Request
POST https://stripedre-lot.bond/apiHTTP Response
200 -
104.21.48.1:443https://growthselec.bond/apitls, http
HTTP Request
POST https://growthselec.bond/apiHTTP Response
200 -
104.21.40.131:443https://jarry-deatile.bond/apitls, http
HTTP Request
POST https://jarry-deatile.bond/apiHTTP Response
200 -
104.21.73.40:443https://pain-temper.bond/apitls, http
HTTP Request
POST https://pain-temper.bond/apiHTTP Response
200 -
172.67.214.67:443https://jarry-fixxer.bond/apitls, http
HTTP Request
POST https://jarry-fixxer.bond/apiHTTP Response
200 -
23.214.143.155:443https://steamcommunity.com/profiles/76561199724331900tls, http
HTTP Request
GET https://steamcommunity.com/profiles/76561199724331900HTTP Response
200 -
172.67.164.157:443https://aleksandr-block.com/apitls, http
HTTP Request
POST https://aleksandr-block.com/apiHTTP Response
200
-
8.8.8.8:53handlequarte.shopdns
DNS Request
handlequarte.shop
DNS Response
172.67.186.121104.21.19.140
-
8.8.8.8:53strivehelpeu.bonddns
DNS Request
strivehelpeu.bond
DNS Response
104.21.49.103172.67.161.160
-
8.8.8.8:53crookedfoshe.bonddns
DNS Request
crookedfoshe.bond
DNS Response
104.21.96.1104.21.112.1104.21.48.1104.21.64.1104.21.32.1104.21.80.1104.21.16.1
-
8.8.8.8:53immolatechallen.bonddns
DNS Request
immolatechallen.bond
DNS Response
104.21.32.87172.67.185.74
-
8.8.8.8:53stripedre-lot.bonddns
DNS Request
stripedre-lot.bond
DNS Response
104.21.55.3172.67.143.194
-
8.8.8.8:53growthselec.bonddns
DNS Request
growthselec.bond
DNS Response
104.21.48.1104.21.96.1104.21.32.1104.21.80.1104.21.112.1104.21.64.1104.21.16.1
-
8.8.8.8:53jarry-deatile.bonddns
DNS Request
jarry-deatile.bond
DNS Response
104.21.40.131172.67.151.242
-
8.8.8.8:53pain-temper.bonddns
DNS Request
pain-temper.bond
DNS Response
104.21.73.40172.67.140.28
-
8.8.8.8:53jarry-fixxer.bonddns
DNS Request
jarry-fixxer.bond
DNS Response
172.67.214.67104.21.78.5
-
8.8.8.8:53steamcommunity.comdns
DNS Request
steamcommunity.com
DNS Response
23.214.143.155
-
8.8.8.8:53aleksandr-block.comdns
DNS Request
aleksandr-block.com
DNS Response
172.67.164.157104.21.81.211
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1System Binary Proxy Execution
1Msiexec
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD510a9a28a53c5dbd25f8a6909b4886d44
SHA18cc94fbeccdeff4e128ab2f25105747a53a2d00c
SHA2565d56428da2f643e751e20f509783c82f811abbf64c7160d00554e941c280001c
SHA512319820a3c0eb7a69f03c9876e9c18650ef9dea0b3322461ac0e61a6677717380d87678edbb3caac1ab9aeb26e81630d2f08c7fad04f0baa1b41fa403f430ff15
-
Filesize
815KB
MD547d369b338e13d5e243544b3c5425d7a
SHA12ab78d40a4c4982175aea3c2d1bd0332ceb8c241
SHA25621d3db6c03ddf05e5eec27b047e33de15b0164d79d35acbc0527b44d71515147
SHA512af992af7479139dc5e60f08b3df6fbc6d42e319b446db5352a1fcb6f5334acafb9681f85d75a4f9070fe6b4fcd9530784433934daffe26ea6b137cef96013ab4
-
Filesize
44KB
MD585190373e9b50a5908774e73c2071f78
SHA1385f1def7007914c5a7a1d9c0354e326af4540cc
SHA25656e1e2e1ce9c132f17ff26edcf79da628da2ea94b1e470cadebf23f140f0a3c0
SHA512fd240d3d1b49abb10e26906a7c27b5eda969745cd8f311a9c1f9c914a58a290498f5e01af96dc662fd666fa388bd7be95827a61c190f5b07c020f0b04bdc0996
-
Filesize
394KB
MD5f0be921a6ec41e5622da1b5fc1cefedf
SHA1ffbb7f95015a16731cc0a89ccce844a35cdd0f2e
SHA256366f2728eee842fa56dc03e848199642cdc0eda0b2e156fe941b056e8b5a2b73
SHA51254afd7c740ff21a527c70922b94d8176eff7d8a9cce702091df0f7f0d168dc09db0a6e11d3985e3342959676d8209acd7600eb7bdb7007baa9044831f149070c
-
Filesize
1.0MB
MD59e7610c0543c41dacb1808d5c6bf721c
SHA13fb1a6790ed1f4a972696fc2258d37e1534a41a3
SHA2560330c67dd68cb247b19df4c4db7364d3d6c2865196a3533f2871a2cabf2341e5
SHA512d601d217f7a73a7889b2bb782f05f3e1196d6894183878133258eec1c11b664ef154afef9e5c9afa15fa310e2d9d61a1fc1e959671a7119cbc67061233646751
-
Filesize
1.3MB
MD50cd2b95df897bd2037edff092699e169
SHA118c5d3394d9260c2641e06a58847b7a2818b8174
SHA2563e50b308a6366677b3fed9579f8f13dc721ae30b1534591c0ce5e083c1923a9f
SHA512b3015d2beb30d841f0fc1a46baf7b56664c23e10538b519b791d9cc9fc86602811d52eb328c3d7e0832d5dece0019e01985e0e97a63037217574e475f93c95b1
-
Filesize
641KB
MD5d21dbb34dfab75a0bd4b6d097d716f06
SHA1fd298b1a939fc87f989ca0809fe5b3f284b7fe19
SHA256c8ee8c33a35fbb2eb7aac8bb4eb31c94a8cc3fab11aa5580391667c21f5ead3f
SHA512515ba560964d0b68c46b4b6a285c29e4acf79842ebf632127900cafcd59248a55a93515937600be29490e5677323632f73dd91e2830e95ab1dd6ed71477397e4
-
Filesize
681KB
MD5a395dbffcd50ce79c74c67944ec9a022
SHA1f757fc586be9d450fda9b3a7fcc57e935c1905ba
SHA256516dfce788eca1dac99fdbf3783ad3d59a5e3dbd97d611bcea41b1c4a3cda005
SHA512c7e01d56509d0e2df41942e516ea4c95cbbb0fa677ce8a95c3a05a027eb1b625f6206b408570ed27cff0e42dad29b061132133429adb514c864acad61cb01762
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.7MB
-
Filesize
16.4MB
-
Filesize
1.5MB
-
Filesize
16.4MB