Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    01-11-2024 18:09

General

  • Target

    rQUOTATION_NOVQTRA071244__PDF.scr

  • Size

    163KB

  • MD5

    96349e5e49271d39ffcf6ec9c50ceb59

  • SHA1

    5b9953512ccbbbf7215d4141c1ded9dbdc0f70dd

  • SHA256

    5c9fc59003603b1af1ef6f29731f0c8531cef2e94103485686837d676b1f474d

  • SHA512

    6bd167d542e50e77f8d057f7ade878c0f9d1a02030090a4515a97c20ca7ecb2fbdf8f19073cde3eeea7cb3344fd2eaa96d9f0a3829bf44f3d8cebf9886f505d4

  • SSDEEP

    3072:1RzX9LAZc4Uk/172UL1gH6m+Gvq4EwOCk:1RzX9Z2daUL1gH6mPi4EwO

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    gator3220.hostgator.com
  • Port:
    587
  • Username:
    abbsend@qlststv.com
  • Password:
    G!!HFpD6EwDq*nF

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 1 IoCs
  • Snakekeylogger family
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rQUOTATION_NOVQTRA071244__PDF.scr
    "C:\Users\Admin\AppData\Local\Temp\rQUOTATION_NOVQTRA071244__PDF.scr" /S
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2996

Network

  • flag-us
    DNS
    filetransfer.io
    rQUOTATION_NOVQTRA071244__PDF.scr
    Remote address:
    8.8.8.8:53
    Request
    filetransfer.io
    IN A
    Response
    filetransfer.io
    IN A
    104.21.13.139
    filetransfer.io
    IN A
    172.67.200.96
  • flag-us
    GET
    http://filetransfer.io/data-package/8Koz7PwT/download
    rQUOTATION_NOVQTRA071244__PDF.scr
    Remote address:
    104.21.13.139:80
    Request
    GET /data-package/8Koz7PwT/download HTTP/1.1
    Host: filetransfer.io
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Fri, 01 Nov 2024 18:10:05 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Location: https://filetransfer.io/data-package/8Koz7PwT/download
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zM%2BbuRd6N3SR2hE3Z4cA0mvWZdpajhrkrWxfH7poGGjkB5yYI5oE4ji2wiGQ1VWgZcg%2Fs03FUTLA81V7o973eHqxoqcdJprAhHvrSk729v%2F1x9ymuOsxiGCgVpCkKSZdEN4%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8dbdd6ecfbea79c8-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=49015&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=95&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  • flag-us
    GET
    https://filetransfer.io/data-package/8Koz7PwT/download
    rQUOTATION_NOVQTRA071244__PDF.scr
    Remote address:
    104.21.13.139:443
    Request
    GET /data-package/8Koz7PwT/download HTTP/1.1
    Host: filetransfer.io
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    Date: Fri, 01 Nov 2024 18:10:05 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: Nette Framework 3
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly
    Set-Cookie: PHPSESSID=1gsvscmbtrefu1u8lum9omu6ad; expires=Fri, 15-Nov-2024 18:10:05 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Vary: X-Requested-With
    Location: https://s25.filetransfer.io/storage/download/qkVTfyFYi2xp
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6NF8%2FfwROvOeOFVKGENKHim5PLxkbVA7ooZkyO0nECm2NY8S2u4M%2Fbcd8TutUybDPWEzdLqKHMkUh8u8LdEFLH17J886LFZavlyn8Mn55bb%2FbSmCvVpOgHhwd8PgbN5%2FxVk%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8dbdd6eece9079b8-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=46303&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2853&recv_bytes=386&delivery_rate=79438&cwnd=252&unsent_bytes=0&cid=c625a24c8dfc8124&ts=505&x=0"
  • flag-us
    DNS
    s25.filetransfer.io
    rQUOTATION_NOVQTRA071244__PDF.scr
    Remote address:
    8.8.8.8:53
    Request
    s25.filetransfer.io
    IN A
    Response
    s25.filetransfer.io
    IN A
    172.67.200.96
    s25.filetransfer.io
    IN A
    104.21.13.139
  • flag-us
    GET
    https://s25.filetransfer.io/storage/download/qkVTfyFYi2xp
    rQUOTATION_NOVQTRA071244__PDF.scr
    Remote address:
    172.67.200.96:443
    Request
    GET /storage/download/qkVTfyFYi2xp HTTP/1.1
    Host: s25.filetransfer.io
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 01 Nov 2024 18:10:06 GMT
    Content-Type: application/octet-stream
    Content-Length: 950800
    Connection: keep-alive
    Last-Modified: Fri, 01 Nov 2024 05:00:48 GMT
    Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly
    Set-Cookie: PHPSESSID=6e946bc20c2b980473b5627e157dbd7c; expires=Fri, 15-Nov-2024 18:10:06 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Content-Disposition: attachment; filename="Muwifd.dat"
    Accept-Ranges: bytes
    Accept-Ranges: bytes
    ETag: "67246080-e8210"
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zEkEr8241jX2WBtDuZ45D0Ij2PK5mB5u1TRDsh7XSWrxTT7mMQ%2FgTr92PgC4uLghHaM4Qd1qGstyp%2FP0gLEW4O6REwFFpLsJYE3NlxWqzlfJDZbvNJ3akUePTJWcxjMWdlb5Sj%2Bi"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8dbdd6f2cd8fcd4f-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=45911&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2852&recv_bytes=390&delivery_rate=68752&cwnd=253&unsent_bytes=0&cid=a7560dff412265d4&ts=363&x=0"
  • flag-us
    DNS
    checkip.dyndns.org
    aspnet_compiler.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    193.122.6.168
    checkip.dyndns.com
    IN A
    132.226.247.73
    checkip.dyndns.com
    IN A
    193.122.130.0
    checkip.dyndns.com
    IN A
    158.101.44.242
    checkip.dyndns.com
    IN A
    132.226.8.169
  • flag-de
    GET
    http://checkip.dyndns.org/
    aspnet_compiler.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 01 Nov 2024 18:10:59 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 47b3674bfe53dcb7a61e16ba007b43e1
  • flag-de
    GET
    http://checkip.dyndns.org/
    aspnet_compiler.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 01 Nov 2024 18:11:03 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 9f23c05205f445051978f2e9355212f2
  • flag-de
    GET
    http://checkip.dyndns.org/
    aspnet_compiler.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 01 Nov 2024 18:11:09 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 2d85741e4f197f4e384397724cec8e88
  • flag-de
    GET
    http://checkip.dyndns.org/
    aspnet_compiler.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 01 Nov 2024 18:11:11 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: a87a06e627930ada5df200d9f233e962
  • flag-de
    GET
    http://checkip.dyndns.org/
    aspnet_compiler.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 01 Nov 2024 18:11:15 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 436ac9fe06b684f9a12ed0649118bd2e
  • flag-de
    GET
    http://checkip.dyndns.org/
    aspnet_compiler.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 01 Nov 2024 18:11:26 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: e717fa81f9a3509f1f151131934ee85b
  • flag-de
    GET
    http://checkip.dyndns.org/
    aspnet_compiler.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 01 Nov 2024 18:11:28 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: a19972383f5c59f682fca558579cbd25
  • flag-de
    GET
    http://checkip.dyndns.org/
    aspnet_compiler.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 01 Nov 2024 18:11:38 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 40fc47e45ce4ea8ce274d351184bea74
  • flag-de
    GET
    http://checkip.dyndns.org/
    aspnet_compiler.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 01 Nov 2024 18:11:41 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: fd2cfd11ce2bae2be025da7e89984a9c
  • flag-us
    DNS
    reallyfreegeoip.org
    aspnet_compiler.exe
    Remote address:
    8.8.8.8:53
    Request
    reallyfreegeoip.org
    IN A
    Response
    reallyfreegeoip.org
    IN A
    172.67.177.134
    reallyfreegeoip.org
    IN A
    104.21.67.152
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    aspnet_compiler.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 01 Nov 2024 18:11:06 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: 0883020d-052c-48f2-98be-128125521d7a
    x-amzn-trace-id: Root=1-6723039b-48329be97dfdffe532c3fe8e;Parent=609f61b594364c88;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 9d213bbde01ff71af70e3a8fd7017940.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: YnmtLV-AqIWJwrr_ttmVjX3p61RUpFgomOvXdr8aWc97nD8kLBGpMA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 136735
    Last-Modified: Thu, 31 Oct 2024 04:12:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lRvmAmrc94Of%2FFkat%2Beaob7jaN2ix0Vd%2FFUop1kmoTGC1mDy6%2F7JvTsYRS0py5CWfyI1lZ%2B3j6BZGqCBJoCIyBT4Lc%2FVUiqCV8mx3jIPYLPIqMQe1tuMuGvjSj5zhx9akfoFi%2F4b"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8dbdd86dbd587695-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=49293&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2866&recv_bytes=374&delivery_rate=75984&cwnd=253&unsent_bytes=0&cid=e1eb6807a6f10475&ts=163&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    aspnet_compiler.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 01 Nov 2024 18:11:09 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: 0883020d-052c-48f2-98be-128125521d7a
    x-amzn-trace-id: Root=1-6723039b-48329be97dfdffe532c3fe8e;Parent=609f61b594364c88;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 9d213bbde01ff71af70e3a8fd7017940.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: YnmtLV-AqIWJwrr_ttmVjX3p61RUpFgomOvXdr8aWc97nD8kLBGpMA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 136738
    Last-Modified: Thu, 31 Oct 2024 04:12:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qoeeZ6cXErAaQMTkMjF0hlYdk2ylnZpYsQAFOD%2Bxu1n00f27i7Y6Ypc6dGXVJG8fMnuo7OUHrDNK4uN8dfCKlaGIDEHLfoWcfPwtUjkcd7o%2FcAhOU%2BzqZBZt3txIT4rrJ9OlrWtQ"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8dbdd87f0f667695-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=49293&sent=10&recv=8&lost=0&retrans=2&sent_bytes=6110&recv_bytes=475&delivery_rate=75984&cwnd=257&unsent_bytes=0&cid=e1eb6807a6f10475&ts=2939&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    aspnet_compiler.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 01 Nov 2024 18:11:12 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: 0883020d-052c-48f2-98be-128125521d7a
    x-amzn-trace-id: Root=1-6723039b-48329be97dfdffe532c3fe8e;Parent=609f61b594364c88;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 9d213bbde01ff71af70e3a8fd7017940.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: YnmtLV-AqIWJwrr_ttmVjX3p61RUpFgomOvXdr8aWc97nD8kLBGpMA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 136741
    Last-Modified: Thu, 31 Oct 2024 04:12:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mWu0S%2F5SjiL6HdtivoUl9t6NjiiN3DfXuI78kCjFLMz8sixDKZ7QdmTnEmUaVNJJ4akFSSMXNgiTlmH4C9dwOV8iTN7b8G%2FYfE5bCRMK86PfenTiZZuIZAdTcUoV2Qxkwpx%2FABAP"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8dbdd8922bfd7695-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=74141&sent=13&recv=11&lost=0&retrans=2&sent_bytes=7752&recv_bytes=576&delivery_rate=75984&cwnd=257&unsent_bytes=0&cid=e1eb6807a6f10475&ts=6005&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    aspnet_compiler.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 01 Nov 2024 18:11:16 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: 0883020d-052c-48f2-98be-128125521d7a
    x-amzn-trace-id: Root=1-6723039b-48329be97dfdffe532c3fe8e;Parent=609f61b594364c88;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 9d213bbde01ff71af70e3a8fd7017940.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: YnmtLV-AqIWJwrr_ttmVjX3p61RUpFgomOvXdr8aWc97nD8kLBGpMA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 136745
    Last-Modified: Thu, 31 Oct 2024 04:12:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=755k5onjBYMuxtlbkfPnf%2Fdz%2FiLBhvKQY53xoy59VevyTkyJQemA53K59yLWP7lZnLlV8Fje0ut5SfczG66ciPpB3XasAUkcU2jjfQUBOo20A%2B74Q6V1Vcv6nl4%2BZcYJbSmczP%2BB"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8dbdd8aef9067695-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=74141&sent=17&recv=13&lost=0&retrans=3&sent_bytes=9639&recv_bytes=677&delivery_rate=75984&cwnd=257&unsent_bytes=0&cid=e1eb6807a6f10475&ts=10605&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    aspnet_compiler.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 01 Nov 2024 18:11:26 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: 0883020d-052c-48f2-98be-128125521d7a
    x-amzn-trace-id: Root=1-6723039b-48329be97dfdffe532c3fe8e;Parent=609f61b594364c88;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 9d213bbde01ff71af70e3a8fd7017940.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: YnmtLV-AqIWJwrr_ttmVjX3p61RUpFgomOvXdr8aWc97nD8kLBGpMA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 136755
    Last-Modified: Thu, 31 Oct 2024 04:12:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6tuQxkBle%2FJqAJEqDBkv7QTK5ndkoziFmwrjfT0nG88hOoXRX1ZJPOtQS3kCUI1bHiVNkiv9pIqBA%2B4y22Gef32qWK7S5jK6KtHocdYs1F78Yvt72kqppEDBQZ9zjqyPVPq0bo3s"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8dbdd8e84cad7695-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=92951&sent=20&recv=16&lost=0&retrans=3&sent_bytes=11281&recv_bytes=778&delivery_rate=75984&cwnd=257&unsent_bytes=0&cid=e1eb6807a6f10475&ts=19781&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    aspnet_compiler.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 01 Nov 2024 18:11:28 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: 0883020d-052c-48f2-98be-128125521d7a
    x-amzn-trace-id: Root=1-6723039b-48329be97dfdffe532c3fe8e;Parent=609f61b594364c88;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 9d213bbde01ff71af70e3a8fd7017940.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: YnmtLV-AqIWJwrr_ttmVjX3p61RUpFgomOvXdr8aWc97nD8kLBGpMA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 136757
    Last-Modified: Thu, 31 Oct 2024 04:12:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G7kT5bikgrDTtBUf9DfguQSaHVRrMbtHAw2gaQUWvHfeDQ%2Fc3AzW06M4jdOSXBrT6MIzPh8B80fYI8XU46xHoYsEQU0xpldP5zUGjV0g9Wuz62xRa%2Fn91erKYh7atA80rppeKo%2Bc"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8dbdd8f989a97695-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=92951&sent=24&recv=18&lost=0&retrans=4&sent_bytes=13168&recv_bytes=879&delivery_rate=75984&cwnd=257&unsent_bytes=0&cid=e1eb6807a6f10475&ts=22536&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    aspnet_compiler.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 01 Nov 2024 18:11:38 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: 0883020d-052c-48f2-98be-128125521d7a
    x-amzn-trace-id: Root=1-6723039b-48329be97dfdffe532c3fe8e;Parent=609f61b594364c88;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 9d213bbde01ff71af70e3a8fd7017940.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: YnmtLV-AqIWJwrr_ttmVjX3p61RUpFgomOvXdr8aWc97nD8kLBGpMA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 136767
    Last-Modified: Thu, 31 Oct 2024 04:12:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hwfp2IEi91fxEQsCQ8fzSAHle7f3uYa%2BXpQgsx%2Bl9aCcimBLqMWa6qoEICOXCtS8z6D5g2e7dI19wubVPra2dqpKyzOhxIlWaU5rrimiyxrPIsLUPCNZWjH2noLb4iYb6Tmz8VGf"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8dbdd9365e017695-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=107265&sent=27&recv=21&lost=0&retrans=4&sent_bytes=14810&recv_bytes=980&delivery_rate=75984&cwnd=257&unsent_bytes=0&cid=e1eb6807a6f10475&ts=32268&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    aspnet_compiler.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Fri, 01 Nov 2024 18:11:41 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: 0883020d-052c-48f2-98be-128125521d7a
    x-amzn-trace-id: Root=1-6723039b-48329be97dfdffe532c3fe8e;Parent=609f61b594364c88;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 9d213bbde01ff71af70e3a8fd7017940.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: YnmtLV-AqIWJwrr_ttmVjX3p61RUpFgomOvXdr8aWc97nD8kLBGpMA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 136770
    Last-Modified: Thu, 31 Oct 2024 04:12:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dRcNnLiw5McPbb4CmO2brcM9fXtK%2FE00x9jS3b16A1trj1Z8J7TIlZienEy2hNRQrg6tp2LCZsy6C4zGriV5Bir6%2BKY9qcGJfZty4Hl7NHFPS4l9jtRncQ%2FWLSld8hZmMCFYWlZi"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8dbdd9479c657695-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=128656&sent=30&recv=24&lost=0&retrans=4&sent_bytes=16452&recv_bytes=1081&delivery_rate=75984&cwnd=257&unsent_bytes=0&cid=e1eb6807a6f10475&ts=35028&x=0"
  • 104.21.13.139:80
    http://filetransfer.io/data-package/8Koz7PwT/download
    http
    rQUOTATION_NOVQTRA071244__PDF.scr
    371 B
    1.2kB
    6
    5

    HTTP Request

    GET http://filetransfer.io/data-package/8Koz7PwT/download

    HTTP Response

    301
  • 104.21.13.139:443
    https://filetransfer.io/data-package/8Koz7PwT/download
    tls, http
    rQUOTATION_NOVQTRA071244__PDF.scr
    788 B
    4.8kB
    9
    10

    HTTP Request

    GET https://filetransfer.io/data-package/8Koz7PwT/download

    HTTP Response

    302
  • 172.67.200.96:443
    https://s25.filetransfer.io/storage/download/qkVTfyFYi2xp
    tls, http
    rQUOTATION_NOVQTRA071244__PDF.scr
    42.3kB
    998.2kB
    643
    741

    HTTP Request

    GET https://s25.filetransfer.io/storage/download/qkVTfyFYi2xp

    HTTP Response

    200
  • 193.122.6.168:80
    http://checkip.dyndns.org/
    http
    aspnet_compiler.exe
    4.3kB
    4.8kB
    36
    15

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 172.67.177.134:443
    https://reallyfreegeoip.org/xml/138.199.29.44
    tls, http
    aspnet_compiler.exe
    2.8kB
    20.0kB
    34
    36

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200
  • 8.8.8.8:53
    filetransfer.io
    dns
    rQUOTATION_NOVQTRA071244__PDF.scr
    61 B
    93 B
    1
    1

    DNS Request

    filetransfer.io

    DNS Response

    104.21.13.139
    172.67.200.96

  • 8.8.8.8:53
    s25.filetransfer.io
    dns
    rQUOTATION_NOVQTRA071244__PDF.scr
    65 B
    97 B
    1
    1

    DNS Request

    s25.filetransfer.io

    DNS Response

    172.67.200.96
    104.21.13.139

  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    aspnet_compiler.exe
    64 B
    176 B
    1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    193.122.6.168
    132.226.247.73
    193.122.130.0
    158.101.44.242
    132.226.8.169

  • 8.8.8.8:53
    reallyfreegeoip.org
    dns
    aspnet_compiler.exe
    65 B
    97 B
    1
    1

    DNS Request

    reallyfreegeoip.org

    DNS Response

    172.67.177.134
    104.21.67.152

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1712-0-0x000007FEF6083000-0x000007FEF6084000-memory.dmp

    Filesize

    4KB

  • memory/1712-1-0x0000000000A60000-0x0000000000A8E000-memory.dmp

    Filesize

    184KB

  • memory/1712-2-0x0000000000350000-0x0000000000356000-memory.dmp

    Filesize

    24KB

  • memory/1712-3-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

    Filesize

    9.9MB

  • memory/1712-4-0x000000001AE40000-0x000000001AF2E000-memory.dmp

    Filesize

    952KB

  • memory/1712-5-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-6-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-8-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-10-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-12-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-14-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-16-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-18-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-20-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-22-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-24-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-26-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-28-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-30-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-32-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-34-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-36-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-38-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-40-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-42-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-44-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-46-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-48-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-50-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-52-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-54-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-56-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-58-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-60-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-62-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-64-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-68-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-66-0x000000001AE40000-0x000000001AF29000-memory.dmp

    Filesize

    932KB

  • memory/1712-1079-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

    Filesize

    9.9MB

  • memory/1712-1081-0x0000000002190000-0x00000000021DC000-memory.dmp

    Filesize

    304KB

  • memory/1712-1080-0x0000000000750000-0x00000000007B0000-memory.dmp

    Filesize

    384KB

  • memory/1712-1082-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

    Filesize

    9.9MB

  • memory/1712-1084-0x000007FEF6083000-0x000007FEF6084000-memory.dmp

    Filesize

    4KB

  • memory/1712-1083-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

    Filesize

    9.9MB

  • memory/1712-1085-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

    Filesize

    9.9MB

  • memory/1712-1086-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

    Filesize

    9.9MB

  • memory/1712-1087-0x00000000021E0000-0x0000000002234000-memory.dmp

    Filesize

    336KB

  • memory/1712-1097-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

    Filesize

    9.9MB

  • memory/1712-1096-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

    Filesize

    9.9MB

  • memory/2996-1098-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

    Filesize

    9.9MB

  • memory/2996-1099-0x0000000140000000-0x0000000140024000-memory.dmp

    Filesize

    144KB

  • memory/2996-1100-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

    Filesize

    9.9MB

  • memory/2996-1101-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

    Filesize

    9.9MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.