Analysis

  • max time kernel
    93s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/01/2025, 13:52 UTC

General

  • Target

    yFQFu2M.exe

  • Size

    399KB

  • MD5

    c4d092484f2d29e4a11e3bbceba77240

  • SHA1

    79cfc2e6106a6245034fda4e081d8e9e94e1b46f

  • SHA256

    0d90b2123d529cf5d605cc152e1baae0e65788b6098427ab42149a76e88263f3

  • SHA512

    cff1af2afaad224e624e94fe402e88559d30e1ce97a5d13690150894844c3d258a22c8f40ed95162e19f38f0d6412c2369bcadb39605623440b1e870401aec76

  • SSDEEP

    12288:jQXNUkhZcgSbANJtfecc7HAl2DzZJ8y0DcJ:j5kh3+8JnQAoDtGxYJ

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://supplyedtwoz.click/api

https://impolitewearr.biz/api

https://toppyneedus.biz/api

https://lightdeerysua.biz/api

https://suggestyuoz.biz/api

https://hoursuhouy.biz/api

https://mixedrecipew.biz/api

https://affordtempyo.biz/api

https://pleasedcfrown.biz/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\yFQFu2M.exe
    "C:\Users\Admin\AppData\Local\Temp\yFQFu2M.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Users\Admin\AppData\Local\Temp\yFQFu2M.exe
      "C:\Users\Admin\AppData\Local\Temp\yFQFu2M.exe"
      2⤵
        PID:1168
      • C:\Users\Admin\AppData\Local\Temp\yFQFu2M.exe
        "C:\Users\Admin\AppData\Local\Temp\yFQFu2M.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1384
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 824
        2⤵
        • Program crash
        PID:2808
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4420 -ip 4420
      1⤵
        PID:3624

      Network

      • flag-us
        DNS
        supplyedtwoz.click
        yFQFu2M.exe
        Remote address:
        8.8.8.8:53
        Request
        supplyedtwoz.click
        IN A
        Response
        supplyedtwoz.click
        IN A
        104.21.80.1
        supplyedtwoz.click
        IN A
        104.21.32.1
        supplyedtwoz.click
        IN A
        104.21.64.1
        supplyedtwoz.click
        IN A
        104.21.48.1
        supplyedtwoz.click
        IN A
        104.21.16.1
        supplyedtwoz.click
        IN A
        104.21.112.1
        supplyedtwoz.click
        IN A
        104.21.96.1
      • flag-us
        POST
        https://supplyedtwoz.click/api
        yFQFu2M.exe
        Remote address:
        104.21.80.1:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: supplyedtwoz.click
        Response
        HTTP/1.1 200 OK
        Date: Wed, 22 Jan 2025 13:54:03 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=4abqmc5tibfp514fcem5m3i76v; expires=Sun, 18 May 2025 07:40:42 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        X-Frame-Options: DENY
        X-Content-Type-Options: nosniff
        X-XSS-Protection: 1; mode=block
        cf-cache-status: DYNAMIC
        vary: accept-encoding
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eHe%2ByA7cJGPHYGGAFPx%2BSFuliHxfncZ9M1ctRjpR78Y9PN2P%2BR3HSH%2Bb1QcK5yUWV1vkskoJVOOv6Gk%2Bc%2FA8oJxPBCMHSQz69e6t8JCdFlByCjbbqAm9o%2FxZQyILxDbiQDo3Nlk%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 906008a29e6bf650-LHR
        alt-svc: h3=":443"; ma=86400
        server-timing: cfL4;desc="?proto=TCP&rtt=32013&min_rtt=25954&rtt_var=15390&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3304&recv_bytes=609&delivery_rate=107878&cwnd=253&unsent_bytes=0&cid=ceb373e36c5a1b48&ts=283&x=0"
      • flag-us
        DNS
        impolitewearr.biz
        yFQFu2M.exe
        Remote address:
        8.8.8.8:53
        Request
        impolitewearr.biz
        IN A
        Response
        impolitewearr.biz
        IN A
        104.21.80.1
        impolitewearr.biz
        IN A
        104.21.32.1
        impolitewearr.biz
        IN A
        104.21.112.1
        impolitewearr.biz
        IN A
        104.21.16.1
        impolitewearr.biz
        IN A
        104.21.96.1
        impolitewearr.biz
        IN A
        104.21.48.1
        impolitewearr.biz
        IN A
        104.21.64.1
      • flag-us
        POST
        https://impolitewearr.biz/api
        yFQFu2M.exe
        Remote address:
        104.21.80.1:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: impolitewearr.biz
        Response
        HTTP/1.1 200 OK
        Date: Wed, 22 Jan 2025 13:54:03 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=gb6pmtq85tha03614s0d2d9sdu; expires=Sun, 18 May 2025 07:40:42 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        X-Frame-Options: DENY
        X-Content-Type-Options: nosniff
        X-XSS-Protection: 1; mode=block
        cf-cache-status: DYNAMIC
        vary: accept-encoding
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gWQ7SY%2F3YIK22qAULYr7yiAfOhprJuM7SnLuvVIGnZ6DryK1OKD3v9DdOePZ2Voa1KnA3sz%2F3KET2%2F83ortiOr%2FCh0Umpc5FPXJ4A81DFwO5LS4ZTNEAom7kiNNYXTB4PErl8A%3D%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 906008a4abf7776b-LHR
        alt-svc: h3=":443"; ma=86400
        server-timing: cfL4;desc="?proto=TCP&rtt=26699&min_rtt=26004&rtt_var=6572&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3301&recv_bytes=607&delivery_rate=132003&cwnd=253&unsent_bytes=0&cid=398547264a7b23a2&ts=250&x=0"
      • flag-us
        DNS
        228.249.119.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        228.249.119.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        216.87.200.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        216.87.200.23.in-addr.arpa
        IN PTR
        Response
        216.87.200.23.in-addr.arpa
        IN PTR
        a23-200-87-216.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        1.80.21.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        1.80.21.104.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        toppyneedus.biz
        yFQFu2M.exe
        Remote address:
        8.8.8.8:53
        Request
        toppyneedus.biz
        IN A
        Response
        toppyneedus.biz
        IN A
        172.67.149.66
        toppyneedus.biz
        IN A
        104.21.29.142
      • flag-us
        POST
        https://toppyneedus.biz/api
        yFQFu2M.exe
        Remote address:
        172.67.149.66:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: toppyneedus.biz
        Response
        HTTP/1.1 200 OK
        Date: Wed, 22 Jan 2025 13:54:04 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=7tnucsd8n1vcvi7rrvefme47h5; expires=Sun, 18 May 2025 07:40:43 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        X-Frame-Options: DENY
        X-Content-Type-Options: nosniff
        X-XSS-Protection: 1; mode=block
        cf-cache-status: DYNAMIC
        vary: accept-encoding
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z4KcroGUYyUs7zD7%2FI7CeK%2BmERxzTaPuuNJlZBmgHREQ2N7vBm6WO64nucax7w5B%2BETjxXdbt%2Ft10pYS4pckFc41jC30kGedD0JWo2SG0x%2FxOHGuDz4FFopd5%2FHQM2%2BVEzI%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 906008a6dec476d1-LHR
        alt-svc: h3=":443"; ma=86400
        server-timing: cfL4;desc="?proto=TCP&rtt=29368&min_rtt=25834&rtt_var=11880&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3293&recv_bytes=603&delivery_rate=136826&cwnd=253&unsent_bytes=0&cid=2be25ef16698a22c&ts=255&x=0"
      • flag-us
        DNS
        lightdeerysua.biz
        yFQFu2M.exe
        Remote address:
        8.8.8.8:53
        Request
        lightdeerysua.biz
        IN A
        Response
        lightdeerysua.biz
        IN A
        104.21.48.1
        lightdeerysua.biz
        IN A
        104.21.96.1
        lightdeerysua.biz
        IN A
        104.21.80.1
        lightdeerysua.biz
        IN A
        104.21.16.1
        lightdeerysua.biz
        IN A
        104.21.64.1
        lightdeerysua.biz
        IN A
        104.21.112.1
        lightdeerysua.biz
        IN A
        104.21.32.1
      • flag-us
        POST
        https://lightdeerysua.biz/api
        yFQFu2M.exe
        Remote address:
        104.21.48.1:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: lightdeerysua.biz
        Response
        HTTP/1.1 200 OK
        Date: Wed, 22 Jan 2025 13:54:04 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=6jmgsmh77gp3aene7n0b0h7lq5; expires=Sun, 18 May 2025 07:40:43 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        X-Frame-Options: DENY
        X-Content-Type-Options: nosniff
        X-XSS-Protection: 1; mode=block
        cf-cache-status: DYNAMIC
        vary: accept-encoding
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g54xdo4VlJD7zEh1a0OdjraQh%2FkSuNumcCg2fP9VXFMpX44T7EDDe42DrujFdtOMWwCVTUiiuLHTIQtuc0BTOnBKqr0vmvH2QXKihRAKTQ68K8gJ0qZsENnvcSwh3ctlC7%2BAzg%3D%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 906008a8ebcc4141-LHR
        alt-svc: h3=":443"; ma=86400
        server-timing: cfL4;desc="?proto=TCP&rtt=27212&min_rtt=25800&rtt_var=7789&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3303&recv_bytes=607&delivery_rate=130929&cwnd=253&unsent_bytes=0&cid=f769a48b52e6a0dd&ts=244&x=0"
      • flag-us
        DNS
        suggestyuoz.biz
        yFQFu2M.exe
        Remote address:
        8.8.8.8:53
        Request
        suggestyuoz.biz
        IN A
        Response
        suggestyuoz.biz
        IN A
        172.67.185.181
        suggestyuoz.biz
        IN A
        104.21.19.91
      • flag-us
        POST
        https://suggestyuoz.biz/api
        yFQFu2M.exe
        Remote address:
        172.67.185.181:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: suggestyuoz.biz
        Response
        HTTP/1.1 200 OK
        Date: Wed, 22 Jan 2025 13:54:04 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=eekk7p60cl0mck5tkbbkr6ckpa; expires=Sun, 18 May 2025 07:40:43 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        X-Frame-Options: DENY
        X-Content-Type-Options: nosniff
        X-XSS-Protection: 1; mode=block
        cf-cache-status: DYNAMIC
        vary: accept-encoding
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XRiTj1MRr4qGotvLv7iwp4ovI5nmLir6A1ADJpRcKzmltmUPQdewqeSqA5DAi0DY87315E6olohWcomKlQK%2FiGsrrsDxGVLphiIqx7WK%2BKB05lZJboBr55I8jOieVgiFo6Y%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 906008aae89f6329-LHR
        alt-svc: h3=":443"; ma=86400
        server-timing: cfL4;desc="?proto=TCP&rtt=27340&min_rtt=26400&rtt_var=7161&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3295&recv_bytes=603&delivery_rate=132441&cwnd=237&unsent_bytes=0&cid=f702a7097ef93c2b&ts=288&x=0"
      • flag-us
        DNS
        71.159.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        71.159.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        66.149.67.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        66.149.67.172.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        1.48.21.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        1.48.21.104.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        159.96.196.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        159.96.196.23.in-addr.arpa
        IN PTR
        Response
        159.96.196.23.in-addr.arpa
        IN PTR
        a23-196-96-159.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        hoursuhouy.biz
        yFQFu2M.exe
        Remote address:
        8.8.8.8:53
        Request
        hoursuhouy.biz
        IN A
        Response
        hoursuhouy.biz
        IN A
        172.67.130.178
        hoursuhouy.biz
        IN A
        104.21.3.124
      • flag-us
        POST
        https://hoursuhouy.biz/api
        yFQFu2M.exe
        Remote address:
        172.67.130.178:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: hoursuhouy.biz
        Response
        HTTP/1.1 200 OK
        Date: Wed, 22 Jan 2025 13:54:05 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=3sa9de76grdajeif1ro232ou9i; expires=Sun, 18 May 2025 07:40:44 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        X-Frame-Options: DENY
        X-Content-Type-Options: nosniff
        X-XSS-Protection: 1; mode=block
        cf-cache-status: DYNAMIC
        vary: accept-encoding
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T5UG%2FgPHNtysghQcWyOC8nFX0J5xH5KKhqns5rniOL0gAht4Abio6NmMkL8Br8AdQmuA59aPk00%2FDMm8WlVpsVLl7rm%2BRDxfL1YgdTpwtM7sWqeh016a8XI4weX0dpgycQ%3D%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 906008ad3c30cd30-LHR
        alt-svc: h3=":443"; ma=86400
        server-timing: cfL4;desc="?proto=TCP&rtt=26840&min_rtt=25992&rtt_var=6965&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3293&recv_bytes=601&delivery_rate=138375&cwnd=253&unsent_bytes=0&cid=3a39adf7c620278d&ts=199&x=0"
      • flag-us
        DNS
        mixedrecipew.biz
        yFQFu2M.exe
        Remote address:
        8.8.8.8:53
        Request
        mixedrecipew.biz
        IN A
        Response
        mixedrecipew.biz
        IN A
        104.21.11.243
        mixedrecipew.biz
        IN A
        172.67.193.31
      • flag-us
        POST
        https://mixedrecipew.biz/api
        yFQFu2M.exe
        Remote address:
        104.21.11.243:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: mixedrecipew.biz
        Response
        HTTP/1.1 200 OK
        Date: Wed, 22 Jan 2025 13:54:05 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=to4f4oapmhgrakis6i5d3tonbu; expires=Sun, 18 May 2025 07:40:44 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        X-Frame-Options: DENY
        X-Content-Type-Options: nosniff
        X-XSS-Protection: 1; mode=block
        cf-cache-status: DYNAMIC
        vary: accept-encoding
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8pkYxt%2FHRyrgqD90fsjh%2Bybn3oOWu%2F%2FmPRbtL8y0qmVSBJLqERM8uiY4l6JYw%2FoC4wp9MygYTVbiT%2BuQvW9iNsqJx1Ar%2BebJWVsYjmqVukjA8kI6VvYs51Isrn6imoAmydb7"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 906008af0ee688b5-LHR
        alt-svc: h3=":443"; ma=86400
        server-timing: cfL4;desc="?proto=TCP&rtt=28113&min_rtt=26038&rtt_var=7742&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3300&recv_bytes=605&delivery_rate=139189&cwnd=253&unsent_bytes=0&cid=e75fa3f495db140d&ts=235&x=0"
      • flag-us
        DNS
        affordtempyo.biz
        yFQFu2M.exe
        Remote address:
        8.8.8.8:53
        Request
        affordtempyo.biz
        IN A
        Response
        affordtempyo.biz
        IN A
        172.67.178.230
        affordtempyo.biz
        IN A
        104.21.17.248
      • flag-us
        POST
        https://affordtempyo.biz/api
        yFQFu2M.exe
        Remote address:
        172.67.178.230:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: affordtempyo.biz
        Response
        HTTP/1.1 200 OK
        Date: Wed, 22 Jan 2025 13:54:05 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=vibgl7ebbc968kffqncu50j9f9; expires=Sun, 18 May 2025 07:40:44 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        X-Frame-Options: DENY
        X-Content-Type-Options: nosniff
        X-XSS-Protection: 1; mode=block
        cf-cache-status: DYNAMIC
        vary: accept-encoding
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K%2FmPSlzBJGQMURotfuvRdRTLmpXJAm1iLjYtqwYE7h60qV8OaIaJ0iSG8tM42zkU2aJFO3qQvxNUd40bKH%2FflZIKDRHLDwt3lMmkIAg9gJ8%2FfPicpY9KKjjJ%2Fz0uRY4UQD0C"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 906008b11923ef52-LHR
        alt-svc: h3=":443"; ma=86400
        server-timing: cfL4;desc="?proto=TCP&rtt=30590&min_rtt=26617&rtt_var=7831&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3296&recv_bytes=605&delivery_rate=133387&cwnd=253&unsent_bytes=0&cid=4d916c9a172504f3&ts=253&x=0"
      • flag-us
        DNS
        181.185.67.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        181.185.67.172.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        178.130.67.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        178.130.67.172.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        243.11.21.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        243.11.21.104.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        pleasedcfrown.biz
        yFQFu2M.exe
        Remote address:
        8.8.8.8:53
        Request
        pleasedcfrown.biz
        IN A
        Response
        pleasedcfrown.biz
        IN A
        172.67.173.207
        pleasedcfrown.biz
        IN A
        104.21.47.225
      • flag-us
        POST
        https://pleasedcfrown.biz/api
        yFQFu2M.exe
        Remote address:
        172.67.173.207:443
        Request
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: pleasedcfrown.biz
        Response
        HTTP/1.1 200 OK
        Date: Wed, 22 Jan 2025 13:54:06 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=ec7tqe4o5gj763e02me1ooq4fv; expires=Sun, 18 May 2025 07:40:45 GMT; Max-Age=9999999; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        X-Frame-Options: DENY
        X-Content-Type-Options: nosniff
        X-XSS-Protection: 1; mode=block
        cf-cache-status: DYNAMIC
        vary: accept-encoding
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qoqyCzsDebI6DncdcXMTW1JIrzi8%2FI1Tb4zLjiIGHAFXB25%2BM5VvTFE29f02Yn2xUJqGfyBrW4YJuMfJnFmCaG3bJvvJjLzqAddPwC2Ffu7P8NyXnOJuwjo4%2B7HZ8siDdM49Vg%3D%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 906008b32aed7691-LHR
        alt-svc: h3=":443"; ma=86400
        server-timing: cfL4;desc="?proto=TCP&rtt=29572&min_rtt=26223&rtt_var=7514&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3303&recv_bytes=607&delivery_rate=138332&cwnd=253&unsent_bytes=0&cid=43d60d6f0de88fa6&ts=241&x=0"
      • flag-us
        DNS
        steamcommunity.com
        yFQFu2M.exe
        Remote address:
        8.8.8.8:53
        Request
        steamcommunity.com
        IN A
        Response
        steamcommunity.com
        IN A
        23.192.247.89
      • flag-de
        GET
        https://steamcommunity.com/profiles/76561199724331900
        yFQFu2M.exe
        Remote address:
        23.192.247.89:443
        Request
        GET /profiles/76561199724331900 HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Host: steamcommunity.com
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Content-Type: text/html; charset=UTF-8
        X-Frame-Options: SAMEORIGIN
        Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;
        Expires: Mon, 26 Jul 1997 05:00:00 GMT
        Cache-Control: no-cache
        Date: Wed, 22 Jan 2025 13:54:06 GMT
        Content-Length: 25972
        Connection: keep-alive
        Set-Cookie: sessionid=93a9accc6c50323275b40369; Path=/; Secure; SameSite=None
        Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
      • flag-us
        DNS
        230.178.67.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        230.178.67.172.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        207.173.67.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        207.173.67.172.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        89.247.192.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        89.247.192.23.in-addr.arpa
        IN PTR
        Response
        89.247.192.23.in-addr.arpa
        IN PTR
        a23-192-247-89.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        58.55.71.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        58.55.71.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        53.210.109.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        53.210.109.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        206.23.85.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        206.23.85.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        11.164.16.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        11.164.16.2.in-addr.arpa
        IN PTR
        Response
        11.164.16.2.in-addr.arpa
        IN PTR
        a2-16-164-11.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        180.129.81.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        180.129.81.91.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        182.129.81.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        182.129.81.91.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        48.229.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        48.229.111.52.in-addr.arpa
        IN PTR
        Response
      • 104.21.80.1:443
        https://supplyedtwoz.click/api
        tls, http
        yFQFu2M.exe
        1.0kB
        4.9kB
        9
        9

        HTTP Request

        POST https://supplyedtwoz.click/api

        HTTP Response

        200
      • 104.21.80.1:443
        https://impolitewearr.biz/api
        tls, http
        yFQFu2M.exe
        1.0kB
        4.9kB
        9
        9

        HTTP Request

        POST https://impolitewearr.biz/api

        HTTP Response

        200
      • 172.67.149.66:443
        https://toppyneedus.biz/api
        tls, http
        yFQFu2M.exe
        999 B
        4.9kB
        9
        9

        HTTP Request

        POST https://toppyneedus.biz/api

        HTTP Response

        200
      • 104.21.48.1:443
        https://lightdeerysua.biz/api
        tls, http
        yFQFu2M.exe
        1.0kB
        4.9kB
        9
        9

        HTTP Request

        POST https://lightdeerysua.biz/api

        HTTP Response

        200
      • 172.67.185.181:443
        https://suggestyuoz.biz/api
        tls, http
        yFQFu2M.exe
        999 B
        4.9kB
        9
        9

        HTTP Request

        POST https://suggestyuoz.biz/api

        HTTP Response

        200
      • 172.67.130.178:443  https://hoursuhouy.biz/api  [tls, http]  yFQFu2M.exe
        997 B sent, 4.9kB received, 9 packets sent, 9 packets received
        HTTP Request: POST https://hoursuhouy.biz/api
        HTTP Response: 200
      • 104.21.11.243:443  https://mixedrecipew.biz/api  [tls, http]  yFQFu2M.exe
        1.0kB sent, 4.9kB received, 9 packets sent, 9 packets received
        HTTP Request: POST https://mixedrecipew.biz/api
        HTTP Response: 200
      • 172.67.178.230:443  https://affordtempyo.biz/api  [tls, http]  yFQFu2M.exe
        1.0kB sent, 4.9kB received, 9 packets sent, 9 packets received
        HTTP Request: POST https://affordtempyo.biz/api
        HTTP Response: 200
      • 172.67.173.207:443  https://pleasedcfrown.biz/api  [tls, http]  yFQFu2M.exe
        1.0kB sent, 4.9kB received, 9 packets sent, 9 packets received
        HTTP Request: POST https://pleasedcfrown.biz/api
        HTTP Response: 200
      • 23.192.247.89:443  https://steamcommunity.com/profiles/76561199724331900  [tls, http]  yFQFu2M.exe
        1.3kB sent, 33.3kB received, 17 packets sent, 29 packets received
        HTTP Request: GET https://steamcommunity.com/profiles/76561199724331900
        HTTP Response: 200
      • 8.8.8.8:53  supplyedtwoz.click  [dns]  yFQFu2M.exe
        64 B sent, 176 B received, 1 packet sent, 1 packet received
        DNS Request: supplyedtwoz.click
        DNS Response: 104.21.80.1, 104.21.32.1, 104.21.64.1, 104.21.48.1, 104.21.16.1, 104.21.112.1, 104.21.96.1
      • 8.8.8.8:53  impolitewearr.biz  [dns]  yFQFu2M.exe
        63 B sent, 175 B received, 1 packet sent, 1 packet received
        DNS Request: impolitewearr.biz
        DNS Response: 104.21.80.1, 104.21.32.1, 104.21.112.1, 104.21.16.1, 104.21.96.1, 104.21.48.1, 104.21.64.1
      • 8.8.8.8:53  228.249.119.40.in-addr.arpa  [dns]  no process recorded
        73 B sent, 159 B received, 1 packet sent, 1 packet received
        DNS Request: 228.249.119.40.in-addr.arpa
      • 8.8.8.8:53  216.87.200.23.in-addr.arpa  [dns]  no process recorded
        72 B sent, 137 B received, 1 packet sent, 1 packet received
        DNS Request: 216.87.200.23.in-addr.arpa
      • 8.8.8.8:53  1.80.21.104.in-addr.arpa  [dns]  no process recorded
        70 B sent, 132 B received, 1 packet sent, 1 packet received
        DNS Request: 1.80.21.104.in-addr.arpa
      • 8.8.8.8:53  toppyneedus.biz  [dns]  yFQFu2M.exe
        61 B sent, 93 B received, 1 packet sent, 1 packet received
        DNS Request: toppyneedus.biz
        DNS Response: 172.67.149.66, 104.21.29.142
      • 8.8.8.8:53  lightdeerysua.biz  [dns]  yFQFu2M.exe
        63 B sent, 175 B received, 1 packet sent, 1 packet received
        DNS Request: lightdeerysua.biz
        DNS Response: 104.21.48.1, 104.21.96.1, 104.21.80.1, 104.21.16.1, 104.21.64.1, 104.21.112.1, 104.21.32.1
      • 8.8.8.8:53  suggestyuoz.biz  [dns]  yFQFu2M.exe
        61 B sent, 93 B received, 1 packet sent, 1 packet received
        DNS Request: suggestyuoz.biz
        DNS Response: 172.67.185.181, 104.21.19.91
      • 8.8.8.8:53  66.149.67.172.in-addr.arpa  [dns]  no process recorded
        72 B sent, 134 B received, 1 packet sent, 1 packet received
        DNS Request: 66.149.67.172.in-addr.arpa
      • 8.8.8.8:53  71.159.190.20.in-addr.arpa  [dns]  no process recorded
        72 B sent, 158 B received, 1 packet sent, 1 packet received
        DNS Request: 71.159.190.20.in-addr.arpa
      • 8.8.8.8:53  1.48.21.104.in-addr.arpa  [dns]  no process recorded
        70 B sent, 132 B received, 1 packet sent, 1 packet received
        DNS Request: 1.48.21.104.in-addr.arpa
      • 8.8.8.8:53  159.96.196.23.in-addr.arpa  [dns]  no process recorded
        72 B sent, 137 B received, 1 packet sent, 1 packet received
        DNS Request: 159.96.196.23.in-addr.arpa
      • 8.8.8.8:53  hoursuhouy.biz  [dns]  yFQFu2M.exe
        60 B sent, 92 B received, 1 packet sent, 1 packet received
        DNS Request: hoursuhouy.biz
        DNS Response: 172.67.130.178, 104.21.3.124
      • 8.8.8.8:53  mixedrecipew.biz  [dns]  yFQFu2M.exe
        62 B sent, 94 B received, 1 packet sent, 1 packet received
        DNS Request: mixedrecipew.biz
        DNS Response: 104.21.11.243, 172.67.193.31
      • 8.8.8.8:53  affordtempyo.biz  [dns]  yFQFu2M.exe
        62 B sent, 94 B received, 1 packet sent, 1 packet received
        DNS Request: affordtempyo.biz
        DNS Response: 172.67.178.230, 104.21.17.248
      • 8.8.8.8:53  181.185.67.172.in-addr.arpa  [dns]  no process recorded
        73 B sent, 135 B received, 1 packet sent, 1 packet received
        DNS Request: 181.185.67.172.in-addr.arpa
      • 8.8.8.8:53  178.130.67.172.in-addr.arpa  [dns]  no process recorded
        73 B sent, 135 B received, 1 packet sent, 1 packet received
        DNS Request: 178.130.67.172.in-addr.arpa
      • 8.8.8.8:53  243.11.21.104.in-addr.arpa  [dns]  no process recorded
        72 B sent, 134 B received, 1 packet sent, 1 packet received
        DNS Request: 243.11.21.104.in-addr.arpa
      • 8.8.8.8:53  pleasedcfrown.biz  [dns]  yFQFu2M.exe
        63 B sent, 95 B received, 1 packet sent, 1 packet received
        DNS Request: pleasedcfrown.biz
        DNS Response: 172.67.173.207, 104.21.47.225
      • 8.8.8.8:53  steamcommunity.com  [dns]  yFQFu2M.exe
        64 B sent, 80 B received, 1 packet sent, 1 packet received
        DNS Request: steamcommunity.com
        DNS Response: 23.192.247.89
      • 8.8.8.8:53  230.178.67.172.in-addr.arpa  [dns]  no process recorded
        73 B sent, 135 B received, 1 packet sent, 1 packet received
        DNS Request: 230.178.67.172.in-addr.arpa
      • 8.8.8.8:53  207.173.67.172.in-addr.arpa  [dns]  no process recorded
        73 B sent, 135 B received, 1 packet sent, 1 packet received
        DNS Request: 207.173.67.172.in-addr.arpa
      • 8.8.8.8:53  89.247.192.23.in-addr.arpa  [dns]  no process recorded
        72 B sent, 137 B received, 1 packet sent, 1 packet received
        DNS Request: 89.247.192.23.in-addr.arpa
      • 8.8.8.8:53  58.55.71.13.in-addr.arpa  [dns]  no process recorded
        70 B sent, 144 B received, 1 packet sent, 1 packet received
        DNS Request: 58.55.71.13.in-addr.arpa
      • 8.8.8.8:53  53.210.109.20.in-addr.arpa  [dns]  no process recorded
        72 B sent, 158 B received, 1 packet sent, 1 packet received
        DNS Request: 53.210.109.20.in-addr.arpa
      • 8.8.8.8:53  206.23.85.13.in-addr.arpa  [dns]  no process recorded
        71 B sent, 145 B received, 1 packet sent, 1 packet received
        DNS Request: 206.23.85.13.in-addr.arpa
      • 8.8.8.8:53  11.164.16.2.in-addr.arpa  [dns]  no process recorded
        70 B sent, 133 B received, 1 packet sent, 1 packet received
        DNS Request: 11.164.16.2.in-addr.arpa
      • 8.8.8.8:53  180.129.81.91.in-addr.arpa  [dns]  no process recorded
        72 B sent, 147 B received, 1 packet sent, 1 packet received
        DNS Request: 180.129.81.91.in-addr.arpa
      • 8.8.8.8:53  182.129.81.91.in-addr.arpa  [dns]  no process recorded
        72 B sent, 147 B received, 1 packet sent, 1 packet received
        DNS Request: 182.129.81.91.in-addr.arpa
      • 8.8.8.8:53  48.229.111.52.in-addr.arpa  [dns]  no process recorded
        72 B sent, 158 B received, 1 packet sent, 1 packet received
        DNS Request: 48.229.111.52.in-addr.arpa

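Read as a whole, the flows above fall into three groups: POST requests to the /api endpoints from the extracted Lumma config, each answered with a 200 (the beacons); one GET of a steamcommunity.com profile page, which matches Lumma's documented use of Steam profiles as a dead-drop resolver for its current C2 domain; and DNS traffic, most of it reverse (in-addr.arpa) lookups that carry no owning process and are sandbox or OS background activity rather than sample behaviour. Every C2 domain resolves into Cloudflare's 104.21.0.0/16 and 172.67.0.0/16 ranges, so the addresses identify the CDN edge, not the operator: block and hunt on the domain or TLS SNI, not the IP. The Python below applies those rules to a constructed subset of the records on this page. It is an added example, not tria.ge tooling; the FLOWS and CONFIG_C2 data are copied from the report, while the Cloudflare range list and all function names are this example's own assumptions.

```python
"""
Triage of the network flows in a tria.ge report for a Lumma Stealer sample.

Added example, not tria.ge tooling. FLOWS is a constructed subset of the records
on this page; CONFIG_C2 is the C2 list from the extracted config; the Cloudflare
ranges and every function name are this example's own.
"""
import ipaddress
from urllib.parse import urlparse

# (destination, host or URL, protocols, process, request, response)
# Reverse lookups carry no owning process in the report, hence None.
FLOWS = [
    ("172.67.130.178:443", "https://hoursuhouy.biz/api", "tls, http", "yFQFu2M.exe", "POST", 200),
    ("104.21.11.243:443", "https://mixedrecipew.biz/api", "tls, http", "yFQFu2M.exe", "POST", 200),
    ("23.192.247.89:443", "https://steamcommunity.com/profiles/76561199724331900",
     "tls, http", "yFQFu2M.exe", "GET", 200),
    ("8.8.8.8:53", "supplyedtwoz.click", "dns", "yFQFu2M.exe", "A",
     ["104.21.80.1", "104.21.32.1", "104.21.64.1", "104.21.48.1",
      "104.21.16.1", "104.21.112.1", "104.21.96.1"]),
    ("8.8.8.8:53", "hoursuhouy.biz", "dns", "yFQFu2M.exe", "A", ["172.67.130.178", "104.21.3.124"]),
    ("8.8.8.8:53", "mixedrecipew.biz", "dns", "yFQFu2M.exe", "A", ["104.21.11.243", "172.67.193.31"]),
    ("8.8.8.8:53", "steamcommunity.com", "dns", "yFQFu2M.exe", "A", ["23.192.247.89"]),
    ("8.8.8.8:53", "228.249.119.40.in-addr.arpa", "dns", None, "PTR", []),
    ("8.8.8.8:53", "1.80.21.104.in-addr.arpa", "dns", None, "PTR", []),
]

# C2 URLs from the report's extracted Lumma config.
CONFIG_C2 = {
    "https://supplyedtwoz.click/api", "https://impolitewearr.biz/api",
    "https://toppyneedus.biz/api", "https://lightdeerysua.biz/api",
    "https://suggestyuoz.biz/api", "https://hoursuhouy.biz/api",
    "https://mixedrecipew.biz/api", "https://affordtempyo.biz/api",
    "https://pleasedcfrown.biz/api",
}

# Cloudflare anycast edge (assumed list); an address in here identifies the CDN,
# not the operator behind it.
SHARED_EDGE = [ipaddress.ip_network("104.16.0.0/12"), ipaddress.ip_network("172.64.0.0/13")]


def is_shared_edge(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_EDGE)


def triage(flows, config_c2):
    """Sort flows into C2 beacons, dead-drop fetches, DNS answers and unattributed noise."""
    out = {"beacons": [], "dead_drop": [], "resolved": {}, "resolved_only": [], "unattributed": []}
    contacted = set()
    for dest, target, protos, proc, req, resp in flows:
        # Reverse lookups and anything with no owning process: environment, not sample.
        if proc is None or target.endswith(".in-addr.arpa"):
            out["unattributed"].append(target)
            continue
        if protos == "dns":
            out["resolved"][target] = list(resp)
            continue
        host = urlparse(target).hostname
        contacted.add(host)
        if target in config_c2 and req == "POST" and resp == 200:
            out["beacons"].append((host, dest, proc))
        elif host == "steamcommunity.com" and req == "GET" and "/profiles/" in target:
            out["dead_drop"].append(target)
    # Configured C2 domains that were resolved but never contacted in these records.
    config_hosts = {urlparse(u).hostname for u in config_c2}
    out["resolved_only"] = sorted(h for h in out["resolved"]
                                  if h in config_hosts and h not in contacted)
    return out


def blocklist(result, config_c2):
    """Domains from the config, plus any resolved C2 IP that is not shared CDN edge."""
    config_hosts = sorted({urlparse(u).hostname for u in config_c2})
    ips = sorted({ip for host, addrs in result["resolved"].items() if host in config_hosts
                  for ip in addrs if not is_shared_edge(ip)})
    return config_hosts, ips
```

Run over the full table, the resolved_only list shows which configured fallbacks the sample resolved without beaconing to in that run, and an empty IP blocklist is the expected outcome for a Cloudflare-fronted C2 set: the useful indicators are the nine domains and the Steam profile URL.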
      MITRE ATT&CK Enterprise v15


      Downloads

      • memory/1384-4-0x0000000000400000-0x000000000045A000-memory.dmp  (360KB)
      • memory/1384-6-0x0000000000400000-0x000000000045A000-memory.dmp  (360KB)
      • memory/1384-8-0x0000000000400000-0x000000000045A000-memory.dmp  (360KB)
      • memory/4420-0-0x000000007470E000-0x000000007470F000-memory.dmp  (4KB)
      • memory/4420-1-0x0000000000D80000-0x0000000000DE6000-memory.dmp  (408KB)
      • memory/4420-2-0x0000000005C70000-0x0000000006214000-memory.dmp  (5.6MB)
      • memory/4420-7-0x0000000074700000-0x0000000074EB0000-memory.dmp  (7.7MB)

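Each dump name encodes the PID, a sequence number and the start and end of the region in hex, so the size is recoverable from the name alone: 0x45A000 - 0x400000 = 0x5A000 bytes, which is the 360KB listed. PID 4420 is the first yFQFu2M.exe in the process tree; the three dumps from PID 1384 all cover a 0x400000-based, image-sized region, consistent with the SetThreadContext and WriteProcessMemory hollowing flagged in the signatures, which makes the last of them (sequence 8) the artefact to carve and run a Lumma config extractor over. The Python below parses the names, reproduces the listed sizes and picks that candidate. It is an added example, not tria.ge tooling; the dump names and the parent PID come from this page, and the helper names are this example's own.

```python
"""
Triage of the memory dumps listed under "Downloads" in a tria.ge report.

Added example, not tria.ge tooling. Dump names and the parent PID are copied
from this page; the helper names are this example's own.
"""
import re

# Copied from the report's Downloads list.
DUMP_NAMES = [
    "memory/1384-4-0x0000000000400000-0x000000000045A000-memory.dmp",
    "memory/1384-6-0x0000000000400000-0x000000000045A000-memory.dmp",
    "memory/1384-8-0x0000000000400000-0x000000000045A000-memory.dmp",
    "memory/4420-0-0x000000007470E000-0x000000007470F000-memory.dmp",
    "memory/4420-1-0x0000000000D80000-0x0000000000DE6000-memory.dmp",
    "memory/4420-2-0x0000000005C70000-0x0000000006214000-memory.dmp",
    "memory/4420-7-0x0000000074700000-0x0000000074EB0000-memory.dmp",
]
PARENT_PID = 4420  # first yFQFu2M.exe in the process tree at the top of the report

# <pid>-<sequence>-<start>-<end>: addresses are hex, sequence is the dump order.
NAME_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """Split a dump file name into pid, sequence, start, end and region size."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq = int(m[1]), int(m[2])
    start, end = int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name}")
    return {"name": name, "pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def human_size(n):
    """Match the report's own rounding: whole KB below 1 MiB, one decimal MB above."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def latest_per_region(dumps):
    """The sandbox dumped the same region several times; keep the last snapshot."""
    best = {}
    for d in dumps:
        key = (d["pid"], d["start"], d["end"])
        if key not in best or d["seq"] > best[key]["seq"]:
            best[key] = d
    return list(best.values())


def payload_candidates(names, parent_pid):
    """Regions in a process other than the parent that begin at the classic
    0x400000 image base: the usual place an unpacked payload lands in a hollowed child."""
    dumps = latest_per_region(parse_dump(n) for n in names)
    return [d for d in dumps if d["pid"] != parent_pid and d["start"] == 0x400000]


def containing_region(dumps, addr):
    """Which dumped regions (if any) cover a given address."""
    return [d for d in dumps if d["start"] <= addr < d["end"]]
```

The 4KB dump of PID 4420 at 0x7470E000 lies inside the 7.7MB region 0x74700000-0x74EB0000 of the same process, which containing_region makes visible; the sizes the report prints are exactly the hex differences, so a mismatch there would indicate a truncated download rather than a rounding artefact.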