Analysis

  • max time kernel
    135s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    06-11-2024 10:10

General

  • Target

    Curriculum Vitae Estrella Torres.exe

  • Size

    571KB

  • MD5

    7030700ead128aab5df0db1675020937

  • SHA1

    130d55bd32b2642fb27890a62e8eabd9b3b60611

  • SHA256

    31af8e06fb179797320d0d79fce8a7c603e6156bb0b0642a41fe818b4894eb8f

  • SHA512

    24718210a0562379e597ebef1b18731918d8e4907f29bc711f203282e1b674ce602bad6e872098eac23b801b44bd5d838c3b57f4b2951d0754a9ad550a7c6a2f

  • SSDEEP

    12288:AcPZbEeX/sYw0q59eiXjS1SvAqnYwgJOAI4UUDJLqi6r59l:AcPh//m9ewe1SvArlPIkDzm5

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7719054034:AAHonYJDOpWskt5QdgdvYe662dLuhtscDqw/sendMessage?chat_id=6370711846

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 1 IoCs
  • Snakekeylogger family
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Curriculum Vitae Estrella Torres.exe
    "C:\Users\Admin\AppData\Local\Temp\Curriculum Vitae Estrella Torres.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Users\Admin\AppData\Local\Temp\Curriculum Vitae Estrella Torres.exe
      "C:\Users\Admin\AppData\Local\Temp\Curriculum Vitae Estrella Torres.exe"
      2⤵
        PID:2432
      • C:\Users\Admin\AppData\Local\Temp\Curriculum Vitae Estrella Torres.exe
        "C:\Users\Admin\AppData\Local\Temp\Curriculum Vitae Estrella Torres.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3516

    Network

    • flag-us
      DNS
      217.106.137.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.106.137.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      14.160.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.160.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.150.49.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.150.49.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      checkip.dyndns.org
      Curriculum Vitae Estrella Torres.exe
      Remote address:
      8.8.8.8:53
      Request
      checkip.dyndns.org
      IN A
      Response
      checkip.dyndns.org
      IN CNAME
      checkip.dyndns.com
      checkip.dyndns.com
      IN A
      132.226.247.73
      checkip.dyndns.com
      IN A
      193.122.130.0
      checkip.dyndns.com
      IN A
      193.122.6.168
      checkip.dyndns.com
      IN A
      132.226.8.169
      checkip.dyndns.com
      IN A
      158.101.44.242
    • flag-br
      GET
      http://checkip.dyndns.org/
      Curriculum Vitae Estrella Torres.exe
      Remote address:
      132.226.247.73:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Wed, 06 Nov 2024 10:11:27 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: 42794d044c14ec6ae7c6040370ebb768
    • flag-br
      GET
      http://checkip.dyndns.org/
      Curriculum Vitae Estrella Torres.exe
      Remote address:
      132.226.247.73:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Wed, 06 Nov 2024 10:11:27 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: a506588d56e3f36d6a428dc8a27bf535
    • flag-br
      GET
      http://checkip.dyndns.org/
      Curriculum Vitae Estrella Torres.exe
      Remote address:
      132.226.247.73:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Wed, 06 Nov 2024 10:11:28 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: da8167833d8b67320b87e8d468c4ef63
    • flag-br
      GET
      http://checkip.dyndns.org/
      Curriculum Vitae Estrella Torres.exe
      Remote address:
      132.226.247.73:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Wed, 06 Nov 2024 10:11:28 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: cb74040c37e7b4f2e8ffe73531d805c1
    • flag-br
      GET
      http://checkip.dyndns.org/
      Curriculum Vitae Estrella Torres.exe
      Remote address:
      132.226.247.73:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Wed, 06 Nov 2024 10:11:28 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: 1d70c66746fe61c62ebde583661edd15
    • flag-br
      GET
      http://checkip.dyndns.org/
      Curriculum Vitae Estrella Torres.exe
      Remote address:
      132.226.247.73:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Wed, 06 Nov 2024 10:11:28 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: a7605a97f31a56513c3e88b21bb177fa
    • flag-br
      GET
      http://checkip.dyndns.org/
      Curriculum Vitae Estrella Torres.exe
      Remote address:
      132.226.247.73:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Wed, 06 Nov 2024 10:11:29 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: dd7b0a424eeaaef25f4fe733336b79f8
    • flag-br
      GET
      http://checkip.dyndns.org/
      Curriculum Vitae Estrella Torres.exe
      Remote address:
      132.226.247.73:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Wed, 06 Nov 2024 10:11:29 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: 9cbb3cd725832a018b1944c4e9f0ce70
    • flag-br
      GET
      http://checkip.dyndns.org/
      Curriculum Vitae Estrella Torres.exe
      Remote address:
      132.226.247.73:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Wed, 06 Nov 2024 10:11:29 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: 654688e903fe8fcf38b8120fce4a777c
    • flag-us
      DNS
      reallyfreegeoip.org
      Curriculum Vitae Estrella Torres.exe
      Remote address:
      8.8.8.8:53
      Request
      reallyfreegeoip.org
      IN A
      Response
      reallyfreegeoip.org
      IN A
      104.21.67.152
      reallyfreegeoip.org
      IN A
      172.67.177.134
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/138.199.29.44
      Curriculum Vitae Estrella Torres.exe
      Remote address:
      104.21.67.152:443
      Request
      GET /xml/138.199.29.44 HTTP/1.1
      Host: reallyfreegeoip.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Wed, 06 Nov 2024 10:11:27 GMT
      Content-Type: text/xml
      Content-Length: 355
      Connection: keep-alive
      x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
      x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
      x-cache: Miss from cloudfront
      via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
      x-amz-cf-pop: LHR50-P7
      x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
      Cache-Control: max-age=31536000
      CF-Cache-Status: HIT
      Age: 313437
      Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
      Accept-Ranges: bytes
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rdlSaiWiT8zj4VBJ2MasRjgDrlfMalxVYY2GZScHazHE%2FuEWCFSbN9o29rZZbnO%2B0qpT8bxoGk4QQoxJhvV9KVYEuwq1F8IFlJ07e%2BhDMYQMojWA1BBRv%2BAuadjli%2BNMwfEuCIsR"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8de44cb3692b94a8-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=26883&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3011&recv_bytes=389&delivery_rate=122664&cwnd=253&unsent_bytes=0&cid=84cc0ab996d9fbe7&ts=96&x=0"
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/138.199.29.44
      Curriculum Vitae Estrella Torres.exe
      Remote address:
      104.21.67.152:443
      Request
      GET /xml/138.199.29.44 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Wed, 06 Nov 2024 10:11:28 GMT
      Content-Type: text/xml
      Content-Length: 355
      Connection: keep-alive
      x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
      x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
      x-cache: Miss from cloudfront
      via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
      x-amz-cf-pop: LHR50-P7
      x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
      Cache-Control: max-age=31536000
      CF-Cache-Status: HIT
      Age: 313438
      Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
      Accept-Ranges: bytes
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JZkVEZb9AgI981THXXD9vtRzJore7wPKeIYk3IG6jVmI%2BeL9RIRZBdZuAj6w2IAQz5sd%2BcaRaqd2DJ5wzyspBaS1sm%2B0ZsBaSbbhXTftrLcnlJ8kKbhZ1DzkL4iBxuVrhehX5ryL"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8de44cb4fb0794a8-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=31783&sent=8&recv=9&lost=0&retrans=0&sent_bytes=4650&recv_bytes=480&delivery_rate=130361&cwnd=256&unsent_bytes=0&cid=84cc0ab996d9fbe7&ts=339&x=0"
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/138.199.29.44
      Curriculum Vitae Estrella Torres.exe
      Remote address:
      104.21.67.152:443
      Request
      GET /xml/138.199.29.44 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Wed, 06 Nov 2024 10:11:28 GMT
      Content-Type: text/xml
      Content-Length: 355
      Connection: keep-alive
      x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
      x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
      x-cache: Miss from cloudfront
      via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
      x-amz-cf-pop: LHR50-P7
      x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
      Cache-Control: max-age=31536000
      CF-Cache-Status: HIT
      Age: 313438
      Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
      Accept-Ranges: bytes
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KvOVeVqtagJRkjoiUiwM1cd30Mx1fMVgzIpFDQfBBhS3J2AEmb1kPCR4uxw1VvNGKjQtcf3beRO99%2BAF1F9cTrX9CxPQUNRCTSq%2FXGD%2FAgpLLipFhm20S8i437P3JthNtPn8SyIL"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8de44cb67d2c94a8-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=34819&sent=11&recv=12&lost=0&retrans=0&sent_bytes=6286&recv_bytes=571&delivery_rate=130361&cwnd=256&unsent_bytes=0&cid=84cc0ab996d9fbe7&ts=580&x=0"
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/138.199.29.44
      Curriculum Vitae Estrella Torres.exe
      Remote address:
      104.21.67.152:443
      Request
      GET /xml/138.199.29.44 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Wed, 06 Nov 2024 10:11:28 GMT
      Content-Type: text/xml
      Content-Length: 355
      Connection: keep-alive
      x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
      x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
      x-cache: Miss from cloudfront
      via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
      x-amz-cf-pop: LHR50-P7
      x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
      Cache-Control: max-age=31536000
      CF-Cache-Status: HIT
      Age: 313438
      Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
      Accept-Ranges: bytes
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PEF6%2F7dqH6Hl4gIAhy5TGaDqtTC9och5gDoMIqpC7dVx2CDPYl6XHPP0FOFUJ0%2B1dD5nVTKOQYx0WLuPLXzaDm1DQWDgh%2BcEAzEt2FzTcFo9GYTqagf8W1xjJTXUW6cmV5AC08xe"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8de44cb7ff1294a8-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=39935&sent=14&recv=15&lost=0&retrans=0&sent_bytes=7924&recv_bytes=662&delivery_rate=130361&cwnd=256&unsent_bytes=0&cid=84cc0ab996d9fbe7&ts=825&x=0"
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/138.199.29.44
      Curriculum Vitae Estrella Torres.exe
      Remote address:
      104.21.67.152:443
      Request
      GET /xml/138.199.29.44 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Wed, 06 Nov 2024 10:11:28 GMT
      Content-Type: text/xml
      Content-Length: 355
      Connection: keep-alive
      x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
      x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
      x-cache: Miss from cloudfront
      via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
      x-amz-cf-pop: LHR50-P7
      x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
      Cache-Control: max-age=31536000
      CF-Cache-Status: HIT
      Age: 313438
      Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
      Accept-Ranges: bytes
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FWrzbhJJBYnnKOHe2rQ1EMYGvqjq9u0xt0BvYcA1YkiDWBgOJdZj%2BaxpdrTjzYkrrgjDVSNoUPOn3pJAH0IMaFhDIpv5kEVK%2FvU3XshMviKJKB%2Fkb%2FYOqNWZmZ4TiC56Y%2Bm14WJA"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8de44cb9791594a8-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=40512&sent=17&recv=18&lost=0&retrans=0&sent_bytes=9562&recv_bytes=753&delivery_rate=131339&cwnd=256&unsent_bytes=0&cid=84cc0ab996d9fbe7&ts=1072&x=0"
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/138.199.29.44
      Curriculum Vitae Estrella Torres.exe
      Remote address:
      104.21.67.152:443
      Request
      GET /xml/138.199.29.44 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Wed, 06 Nov 2024 10:11:29 GMT
      Content-Type: text/xml
      Content-Length: 355
      Connection: keep-alive
      x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
      x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
      x-cache: Miss from cloudfront
      via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
      x-amz-cf-pop: LHR50-P7
      x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
      Cache-Control: max-age=31536000
      CF-Cache-Status: HIT
      Age: 313439
      Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
      Accept-Ranges: bytes
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Uc6kpCvKnpssOYWmnpe46RZK9JEHXunV0xEmjmufXQbKRiUIGRFvvd5p8q31xoHzTqQxph5aDUbsjBB%2FRTOdIAa08SsuP7nEDAAq1tkPMp2mZNdki%2Fuayu1x6Qq956eFIeQfkQlN"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8de44cbb0af894a8-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=41493&sent=20&recv=21&lost=0&retrans=0&sent_bytes=11205&recv_bytes=844&delivery_rate=131339&cwnd=256&unsent_bytes=0&cid=84cc0ab996d9fbe7&ts=1327&x=0"
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/138.199.29.44
      Curriculum Vitae Estrella Torres.exe
      Remote address:
      104.21.67.152:443
      Request
      GET /xml/138.199.29.44 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Wed, 06 Nov 2024 10:11:29 GMT
      Content-Type: text/xml
      Content-Length: 355
      Connection: keep-alive
      x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
      x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
      x-cache: Miss from cloudfront
      via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
      x-amz-cf-pop: LHR50-P7
      x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
      Cache-Control: max-age=31536000
      CF-Cache-Status: HIT
      Age: 313439
      Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
      Accept-Ranges: bytes
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F81%2Fk%2F0JtvwxwktmxsfcKtZBs3Rflwtz978bNl%2Fy05uZEhCVi4RwQZ%2F%2FYUmo0EOhscvN2TUXoCL5%2BGYkarFr%2FyLSDHjqjM3AVxjNTyhascGv9a6Ko32BsX4tXA6KKsaNWHoHBNTX"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8de44cbcad1994a8-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=43532&sent=23&recv=24&lost=0&retrans=0&sent_bytes=12843&recv_bytes=935&delivery_rate=131339&cwnd=256&unsent_bytes=0&cid=84cc0ab996d9fbe7&ts=1572&x=0"
    • flag-us
      GET
      https://reallyfreegeoip.org/xml/138.199.29.44
      Curriculum Vitae Estrella Torres.exe
      Remote address:
      104.21.67.152:443
      Request
      GET /xml/138.199.29.44 HTTP/1.1
      Host: reallyfreegeoip.org
      Response
      HTTP/1.1 200 OK
      Date: Wed, 06 Nov 2024 10:11:29 GMT
      Content-Type: text/xml
      Content-Length: 355
      Connection: keep-alive
      x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
      x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
      x-cache: Miss from cloudfront
      via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
      x-amz-cf-pop: LHR50-P7
      x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
      Cache-Control: max-age=31536000
      CF-Cache-Status: HIT
      Age: 313439
      Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
      Accept-Ranges: bytes
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SwH5bSwqh4CO1%2BYjbSXXsTSjFm2Nv02pbOfTxv0RgC6rIPK%2FP%2BE7rPhCAzcyPq%2BmTGkHIAyyYVzuDGdLOGPfMrV5Eusw0pvjQ2I73UX1MP4QhYoinpv1XS1ok6lPTOdwy4n30BYT"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8de44cbe2f5394a8-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=43713&sent=26&recv=27&lost=0&retrans=0&sent_bytes=14493&recv_bytes=1026&delivery_rate=131339&cwnd=256&unsent_bytes=0&cid=84cc0ab996d9fbe7&ts=1819&x=0"
    • flag-us
      DNS
      73.247.226.132.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      73.247.226.132.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      152.67.21.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      152.67.21.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      75.117.19.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      75.117.19.2.in-addr.arpa
      IN PTR
      Response
      75.117.19.2.in-addr.arpa
      IN PTR
      a2-19-117-75.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      48.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      48.229.111.52.in-addr.arpa
      IN PTR
      Response
    • 132.226.247.73:80
      http://checkip.dyndns.org/
      http
      Curriculum Vitae Estrella Torres.exe
      1.8kB
      3.4kB
      15
      13

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200
    • 104.21.67.152:443
      https://reallyfreegeoip.org/xml/138.199.29.44
      tls, http
      Curriculum Vitae Estrella Torres.exe
      2.4kB
      17.4kB
      31
      31

      HTTP Request

      GET https://reallyfreegeoip.org/xml/138.199.29.44

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/138.199.29.44

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/138.199.29.44

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/138.199.29.44

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/138.199.29.44

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/138.199.29.44

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/138.199.29.44

      HTTP Response

      200

      HTTP Request

      GET https://reallyfreegeoip.org/xml/138.199.29.44

      HTTP Response

      200
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      217.106.137.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      217.106.137.52.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      148 B
      128 B
      2
      1

      DNS Request

      172.210.232.199.in-addr.arpa

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      14.160.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      14.160.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      241.150.49.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.150.49.20.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      checkip.dyndns.org
      dns
      Curriculum Vitae Estrella Torres.exe
      64 B
      176 B
      1
      1

      DNS Request

      checkip.dyndns.org

      DNS Response

      132.226.247.73
      193.122.130.0
      193.122.6.168
      132.226.8.169
      158.101.44.242

    • 8.8.8.8:53
      reallyfreegeoip.org
      dns
      Curriculum Vitae Estrella Torres.exe
      65 B
      97 B
      1
      1

      DNS Request

      reallyfreegeoip.org

      DNS Response

      104.21.67.152
      172.67.177.134

    • 8.8.8.8:53
      73.247.226.132.in-addr.arpa
      dns
      73 B
      158 B
      1
      1

      DNS Request

      73.247.226.132.in-addr.arpa

    • 8.8.8.8:53
      152.67.21.104.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      152.67.21.104.in-addr.arpa

    • 8.8.8.8:53
      75.117.19.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      75.117.19.2.in-addr.arpa

    • 8.8.8.8:53
      48.229.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      48.229.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/2920-8-0x000000007535E000-0x000000007535F000-memory.dmp

      Filesize

      4KB

    • memory/2920-14-0x0000000075350000-0x0000000075B00000-memory.dmp

      Filesize

      7.7MB

    • memory/2920-0-0x000000007535E000-0x000000007535F000-memory.dmp

      Filesize

      4KB

    • memory/2920-3-0x0000000005820000-0x00000000058B2000-memory.dmp

      Filesize

      584KB

    • memory/2920-4-0x00000000059C0000-0x00000000059CA000-memory.dmp

      Filesize

      40KB

    • memory/2920-5-0x0000000075350000-0x0000000075B00000-memory.dmp

      Filesize

      7.7MB

    • memory/2920-6-0x0000000005AA0000-0x0000000005B3C000-memory.dmp

      Filesize

      624KB

    • memory/2920-7-0x0000000005A80000-0x0000000005A9C000-memory.dmp

      Filesize

      112KB

    • memory/2920-2-0x0000000005CF0000-0x0000000006294000-memory.dmp

      Filesize

      5.6MB

    • memory/2920-9-0x0000000075350000-0x0000000075B00000-memory.dmp

      Filesize

      7.7MB

    • memory/2920-1-0x0000000000D90000-0x0000000000E24000-memory.dmp

      Filesize

      592KB

    • memory/2920-10-0x0000000003090000-0x00000000030F8000-memory.dmp

      Filesize

      416KB

    • memory/3516-13-0x0000000075350000-0x0000000075B00000-memory.dmp

      Filesize

      7.7MB

    • memory/3516-11-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/3516-15-0x0000000075350000-0x0000000075B00000-memory.dmp

      Filesize

      7.7MB

    • memory/3516-16-0x0000000006C20000-0x0000000006C70000-memory.dmp

      Filesize

      320KB

    • memory/3516-17-0x0000000006E40000-0x0000000007002000-memory.dmp

      Filesize

      1.8MB

    • memory/3516-18-0x0000000075350000-0x0000000075B00000-memory.dmp

      Filesize

      7.7MB

    • memory/3516-19-0x0000000075350000-0x0000000075B00000-memory.dmp

      Filesize

      7.7MB