snakekeylogger | 60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1

Analysis

max time kernel
138s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
08/02/2025, 03:33 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe
Size

745KB
MD5

4fc7e2d203505ff6d643ffb8461d1a76
SHA1

4c1330cc42f1d3e61a8f2d423bd5988efbfc2ee8
SHA256

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1
SHA512

fe1ff91bdb1716b63e12219a2d6a2ddebd9563021bf4e8140fc49666af95f0bb6cd451a3b51ded9b28aba8ee2bcd1023a12ed967732d329766a6a71076d09c3a
SSDEEP

12288:TzSggsiPUYjbVz4YAKmcbkcMTKd6dd8B7L3FeAB:TzbkVUYXm0k9Kd1X9

Score

10^/10

snakekeylogger collection discovery keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
kayleigh@rossint-za.cam
Password:
Psalm@1278

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/460-12-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Downloads MZ/PE file 1 IoCs

flow	pid	Process
13	1684	Process not Found

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	checkip.dyndns.org
17	reallyfreegeoip.org
18	reallyfreegeoip.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3532 set thread context of 460	3532	60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe	90

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2420	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
460	60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe
460	60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	460	60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 460	3532	60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe	90
PID 3532 wrote to memory of 460	3532	60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe	90
PID 3532 wrote to memory of 460	3532	60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe	90
PID 3532 wrote to memory of 460	3532	60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe	90
PID 3532 wrote to memory of 460	3532	60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe	90
PID 3532 wrote to memory of 460	3532	60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe	90
PID 3532 wrote to memory of 460	3532	60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe	90
PID 3532 wrote to memory of 460	3532	60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe	90

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

C:\Users\Admin\AppData\Local\Temp\60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe
"C:\Users\Admin\AppData\Local\Temp\60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Admin\AppData\Local\Temp\60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe
  "C:\Users\Admin\AppData\Local\Temp\60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:460

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjE3MDQ4MjAtN0YwQy00RDk5LTg4MzYtRTM1ODE1MTcxQjkzfSIgdXNlcmlkPSJ7NTZBREFCODktNTAyMC00RUYxLUJENzAtM0YyNDUxQzMzMDNGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RkFGMTZGMEQtMENCNS00REI5LTk1MEYtQzlERDhENjhFMDU3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU1NzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODAxNjUyMzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODAyOTg2MDYwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2420

Network

DNS

msedge.api.cdp.microsoft.com

Remote address:

8.8.8.8:53

Request

msedge.api.cdp.microsoft.com

IN A

Response

msedge.api.cdp.microsoft.com

IN CNAME

api.cdp.microsoft.com

api.cdp.microsoft.com

IN CNAME

glb.api.prod.dcat.dsp.trafficmanager.net

glb.api.prod.dcat.dsp.trafficmanager.net

IN A

4.245.161.190
DNS

msedge.api.cdp.microsoft.com

Remote address:

8.8.8.8:53

Request

msedge.api.cdp.microsoft.com

IN A
POST

https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates

Remote address:

4.245.161.190:443

Request

POST /api/v2/contents/Browser/namespaces/Default/names?action=batchupdates HTTP/2.0
host: msedge.api.cdp.microsoft.com
cache-control: no-cache
pragma: no-cache
content-type: application/json
user-agent: Microsoft Edge Update/1.3.195.43;winhttp
x-old-uid: {05853FAA-0079-4B27-83DE-8804E8CF3445}; age=-1; cnt=2
ms-correlationid: {21704820-7F0C-4D99-8836-E35815171B93}
ms-requestid: {5E0DE6A1-405C-4AB5-BD79-D8637A793C89}
ms-cv: IEhwIQx/mU2INuNYFRcbkw.0
x-last-hr: 0x0
x-last-http-status-code: 0
x-retry-count: 0
x-http-attempts: 1
content-length: 2540

Response

HTTP/2.0 200

content-type: text/plain; charset=utf-8
content-type: application/json; charset=utf-8
date: Sun, 09 Feb 2025 14:25:04 GMT
content-length: 298
ms-correlationid: 21704820-7f0c-4d99-8836-e35815171b93
ms-requestid: 5e0de6a1-405c-4ab5-bd79-d8637a793c89
ms-cv: {21704820-7F0C-4D99-8836-E35815171B93}.0
POST

https://msedge.api.cdp.microsoft.com/api/v1.1/internal/contents/Browser/namespaces/Default/names/msedge-stable-win-x64/versions/132.0.2957.140/files?action=GenerateDownloadInfo&foregroundPriority=false

Remote address:

4.245.161.190:443

Request

POST /api/v1.1/internal/contents/Browser/namespaces/Default/names/msedge-stable-win-x64/versions/132.0.2957.140/files?action=GenerateDownloadInfo&foregroundPriority=false HTTP/2.0
host: msedge.api.cdp.microsoft.com
cache-control: no-cache
pragma: no-cache
content-type: application/json
user-agent: Microsoft Edge Update/1.3.195.43;winhttp
x-old-uid: {05853FAA-0079-4B27-83DE-8804E8CF3445}; age=-1; cnt=2
ms-correlationid: {21704820-7F0C-4D99-8836-E35815171B93}
ms-requestid: {1534F228-AE3F-4D3F-B8DB-3A9A2E3BB22A}
ms-cv: IEhwIQx/mU2INuNYFRcbkw.1
x-last-hr: 0x0
x-last-http-status-code: 0
x-retry-count: 0
x-http-attempts: 1
content-length: 2

Response

HTTP/2.0 200

content-type: text/plain; charset=utf-8
content-type: application/json; charset=utf-8
date: Sun, 09 Feb 2025 14:25:04 GMT
content-length: 5345
ms-correlationid: 21704820-7f0c-4d99-8836-e35815171b93
ms-requestid: 1534f228-ae3f-4d3f-b8db-3a9a2e3bb22a
ms-cv: {21704820-7F0C-4D99-8836-E35815171B93}.0
DNS

checkip.dyndns.org

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Remote address:

8.8.8.8:53

Request

checkip.dyndns.org

IN A

Response

checkip.dyndns.org

IN CNAME

checkip.dyndns.com

checkip.dyndns.com

IN A

158.101.44.242

checkip.dyndns.com

IN A

193.122.6.168

checkip.dyndns.com

IN A

132.226.247.73

checkip.dyndns.com

IN A

193.122.130.0

checkip.dyndns.com

IN A

132.226.8.169
GET

http://checkip.dyndns.org/

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Remote address:

158.101.44.242:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 09 Feb 2025 14:25:17 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: fb9d4d8656d0e516f51cd5635d45a3df
GET

http://checkip.dyndns.org/

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Remote address:

158.101.44.242:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sun, 09 Feb 2025 14:25:17 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: c43e3d1614fd344c52a2ae4171c0d374
GET

http://checkip.dyndns.org/

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Remote address:

158.101.44.242:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sun, 09 Feb 2025 14:25:18 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: dda046436b10f4f73d8d92cb545711c7
GET

http://checkip.dyndns.org/

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Remote address:

158.101.44.242:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sun, 09 Feb 2025 14:25:21 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 3ac1c139a0df9e03d0548d62b0408b87
GET

http://checkip.dyndns.org/

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Remote address:

158.101.44.242:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sun, 09 Feb 2025 14:25:22 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 811aebccb8a033bf0b021330bbe38435
GET

http://checkip.dyndns.org/

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Remote address:

158.101.44.242:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sun, 09 Feb 2025 14:25:23 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: a3013267270a3a82accb10d9cfabcbae
GET

http://checkip.dyndns.org/

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Remote address:

158.101.44.242:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sun, 09 Feb 2025 14:25:24 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: d1a58f0b82caf9bdb519d0f7e9e5ee6a
GET

http://checkip.dyndns.org/

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Remote address:

158.101.44.242:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sun, 09 Feb 2025 14:25:25 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 76493d155620cdb3f1fed9066d1826d7
GET

http://checkip.dyndns.org/

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Remote address:

158.101.44.242:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Date: Sun, 09 Feb 2025 14:25:25 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 760dd1f540afdc5edb9b527aa18775d2
DNS

msedge.b.tlu.dl.delivery.mp.microsoft.com

Remote address:

8.8.8.8:53

Request

msedge.b.tlu.dl.delivery.mp.microsoft.com

IN A

Response

msedge.b.tlu.dl.delivery.mp.microsoft.com

IN CNAME

star.b.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com

star.b.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com

IN CNAME

cdp-f-tlu-net.trafficmanager.net

cdp-f-tlu-net.trafficmanager.net

IN CNAME

fg.microsoft.map.fastly.net

fg.microsoft.map.fastly.net

IN A

199.232.214.172

fg.microsoft.map.fastly.net

IN A

199.232.210.172
HEAD

http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0740036a-4e18-456d-96fa-d1d9c4ca4676?P1=1739715905&P2=404&P3=2&P4=P0fV9%2fjVN16lDZIVN%2bmFgY6VnuHSqDmS4vPQ9HRaHoCIStenp%2fder7JkyUDJr5mpDRYlWnEbp6YskmXBihfLmQ%3d%3d

Remote address:

199.232.214.172:80

Request

HEAD /filestreamingservice/files/0740036a-4e18-456d-96fa-d1d9c4ca4676?P1=1739715905&P2=404&P3=2&P4=P0fV9%2fjVN16lDZIVN%2bmFgY6VnuHSqDmS4vPQ9HRaHoCIStenp%2fder7JkyUDJr5mpDRYlWnEbp6YskmXBihfLmQ%3d%3d HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.8
X-Old-UID: {05853FAA-0079-4B27-83DE-8804E8CF3445}; age=-1; cnt=2
X-Last-HR: 0x80070422
X-Last-HTTP-Status-Code: 500
X-Retry-Count: 0
X-HTTP-Attempts: 2
Host: msedge.b.tlu.dl.delivery.mp.microsoft.com

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 177180216
Cache-Control: public, max-age=17280000
Content-Type: application/octet-stream
MS-CorrelationId: 6f60f8cc-e39b-44d3-b4d4-339059ed8366
MS-RequestId: c8e2eff3-3eeb-4f9c-9dc9-9aaf7fc8a933
MS-CV: y9dBBsu9vkmE74iU.0
Last-Modified: Thu, 30 Jan 2025 22:24:43 GMT
ETag: "Zn30nCFs7P9yX7o9FILxqytRM2k="
Accept-Ranges: bytes
Date: Sun, 09 Feb 2025 14:25:09 GMT
Via: 1.1 varnish
Age: 366709
X-Served-By: cache-lcy-eglc8600089-LCY
X-Cache: HIT
X-Cache-Hits: 14071
X-Timer: S1739111110.627051,VS0,VE0
X-CID: 3
X-CCC: GB
GET

http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0740036a-4e18-456d-96fa-d1d9c4ca4676?P1=1739715905&P2=404&P3=2&P4=P0fV9%2fjVN16lDZIVN%2bmFgY6VnuHSqDmS4vPQ9HRaHoCIStenp%2fder7JkyUDJr5mpDRYlWnEbp6YskmXBihfLmQ%3d%3d

Remote address:

199.232.214.172:80

Request

GET /filestreamingservice/files/0740036a-4e18-456d-96fa-d1d9c4ca4676?P1=1739715905&P2=404&P3=2&P4=P0fV9%2fjVN16lDZIVN%2bmFgY6VnuHSqDmS4vPQ9HRaHoCIStenp%2fder7JkyUDJr5mpDRYlWnEbp6YskmXBihfLmQ%3d%3d HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 30 Jan 2025 22:24:43 GMT
Range: bytes=0-1119
User-Agent: Microsoft BITS/7.8
X-Old-UID: {05853FAA-0079-4B27-83DE-8804E8CF3445}; age=-1; cnt=2
X-Last-HR: 0x80070422
X-Last-HTTP-Status-Code: 500
X-Retry-Count: 0
X-HTTP-Attempts: 2
Host: msedge.b.tlu.dl.delivery.mp.microsoft.com

Response

HTTP/1.1 206 Partial Content

Connection: keep-alive
Content-Length: 1120
Cache-Control: public, max-age=17280000
Content-Type: application/octet-stream
MS-CorrelationId: 6f60f8cc-e39b-44d3-b4d4-339059ed8366
MS-RequestId: c8e2eff3-3eeb-4f9c-9dc9-9aaf7fc8a933
MS-CV: y9dBBsu9vkmE74iU.0
Last-Modified: Thu, 30 Jan 2025 22:24:43 GMT
ETag: "Zn30nCFs7P9yX7o9FILxqytRM2k="
Accept-Ranges: bytes
Date: Sun, 09 Feb 2025 14:25:09 GMT
Via: 1.1 varnish
Age: 366710
X-Served-By: cache-lcy-eglc8600089-LCY
X-Cache: HIT
X-Cache-Hits: 14072
X-Timer: S1739111110.678168,VS0,VE0
X-CID: 3
X-CCC: GB
Content-Range: bytes 0-1119/177180216
GET

http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0740036a-4e18-456d-96fa-d1d9c4ca4676?P1=1739715905&P2=404&P3=2&P4=P0fV9%2fjVN16lDZIVN%2bmFgY6VnuHSqDmS4vPQ9HRaHoCIStenp%2fder7JkyUDJr5mpDRYlWnEbp6YskmXBihfLmQ%3d%3d

Remote address:

199.232.214.172:80

Request

GET /filestreamingservice/files/0740036a-4e18-456d-96fa-d1d9c4ca4676?P1=1739715905&P2=404&P3=2&P4=P0fV9%2fjVN16lDZIVN%2bmFgY6VnuHSqDmS4vPQ9HRaHoCIStenp%2fder7JkyUDJr5mpDRYlWnEbp6YskmXBihfLmQ%3d%3d HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 30 Jan 2025 22:24:43 GMT
Range: bytes=1120-2055
User-Agent: Microsoft BITS/7.8
X-Old-UID: {05853FAA-0079-4B27-83DE-8804E8CF3445}; age=-1; cnt=2
X-Last-HR: 0x80070422
X-Last-HTTP-Status-Code: 500
X-Retry-Count: 0
X-HTTP-Attempts: 2
Host: msedge.b.tlu.dl.delivery.mp.microsoft.com

Response

HTTP/1.1 206 Partial Content

Connection: keep-alive
Content-Length: 936
Cache-Control: public, max-age=17280000
Content-Type: application/octet-stream
MS-CorrelationId: 6f60f8cc-e39b-44d3-b4d4-339059ed8366
MS-RequestId: c8e2eff3-3eeb-4f9c-9dc9-9aaf7fc8a933
MS-CV: y9dBBsu9vkmE74iU.0
Last-Modified: Thu, 30 Jan 2025 22:24:43 GMT
ETag: "Zn30nCFs7P9yX7o9FILxqytRM2k="
Accept-Ranges: bytes
Date: Sun, 09 Feb 2025 14:25:14 GMT
Via: 1.1 varnish
Age: 366714
X-Served-By: cache-lcy-eglc8600089-LCY
X-Cache: HIT
X-Cache-Hits: 14075
X-Timer: S1739111115.523795,VS0,VE0
X-CID: 3
X-CCC: GB
Content-Range: bytes 1120-2055/177180216
GET

http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0740036a-4e18-456d-96fa-d1d9c4ca4676?P1=1739715905&P2=404&P3=2&P4=P0fV9%2fjVN16lDZIVN%2bmFgY6VnuHSqDmS4vPQ9HRaHoCIStenp%2fder7JkyUDJr5mpDRYlWnEbp6YskmXBihfLmQ%3d%3d

Remote address:

199.232.214.172:80

Request

GET /filestreamingservice/files/0740036a-4e18-456d-96fa-d1d9c4ca4676?P1=1739715905&P2=404&P3=2&P4=P0fV9%2fjVN16lDZIVN%2bmFgY6VnuHSqDmS4vPQ9HRaHoCIStenp%2fder7JkyUDJr5mpDRYlWnEbp6YskmXBihfLmQ%3d%3d HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 30 Jan 2025 22:24:43 GMT
Range: bytes=2056-3046
User-Agent: Microsoft BITS/7.8
X-Old-UID: {05853FAA-0079-4B27-83DE-8804E8CF3445}; age=-1; cnt=2
X-Last-HR: 0x80070422
X-Last-HTTP-Status-Code: 500
X-Retry-Count: 0
X-HTTP-Attempts: 2
Host: msedge.b.tlu.dl.delivery.mp.microsoft.com

Response

HTTP/1.1 206 Partial Content

Connection: keep-alive
Content-Length: 991
Cache-Control: public, max-age=17280000
Content-Type: application/octet-stream
MS-CorrelationId: 6f60f8cc-e39b-44d3-b4d4-339059ed8366
MS-RequestId: c8e2eff3-3eeb-4f9c-9dc9-9aaf7fc8a933
MS-CV: y9dBBsu9vkmE74iU.0
Last-Modified: Thu, 30 Jan 2025 22:24:43 GMT
ETag: "Zn30nCFs7P9yX7o9FILxqytRM2k="
Accept-Ranges: bytes
Date: Sun, 09 Feb 2025 14:25:37 GMT
Via: 1.1 varnish
Age: 366737
X-Served-By: cache-lcy-eglc8600089-LCY
X-Cache: HIT
X-Cache-Hits: 14082
X-Timer: S1739111137.478490,VS0,VE0
X-CID: 3
X-CCC: GB
Content-Range: bytes 2056-3046/177180216
GET

http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0740036a-4e18-456d-96fa-d1d9c4ca4676?P1=1739715905&P2=404&P3=2&P4=P0fV9%2fjVN16lDZIVN%2bmFgY6VnuHSqDmS4vPQ9HRaHoCIStenp%2fder7JkyUDJr5mpDRYlWnEbp6YskmXBihfLmQ%3d%3d

Remote address:

199.232.214.172:80

Request

GET /filestreamingservice/files/0740036a-4e18-456d-96fa-d1d9c4ca4676?P1=1739715905&P2=404&P3=2&P4=P0fV9%2fjVN16lDZIVN%2bmFgY6VnuHSqDmS4vPQ9HRaHoCIStenp%2fder7JkyUDJr5mpDRYlWnEbp6YskmXBihfLmQ%3d%3d HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 30 Jan 2025 22:24:43 GMT
Range: bytes=3047-3535
User-Agent: Microsoft BITS/7.8
X-Old-UID: {05853FAA-0079-4B27-83DE-8804E8CF3445}; age=-1; cnt=2
X-Last-HR: 0x80070422
X-Last-HTTP-Status-Code: 500
X-Retry-Count: 0
X-HTTP-Attempts: 2
Host: msedge.b.tlu.dl.delivery.mp.microsoft.com
DNS

reallyfreegeoip.org

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Remote address:

8.8.8.8:53

Request

reallyfreegeoip.org

IN A

Response

reallyfreegeoip.org

IN A

104.21.64.1

reallyfreegeoip.org

IN A

104.21.48.1

reallyfreegeoip.org

IN A

104.21.96.1

reallyfreegeoip.org

IN A

104.21.112.1

reallyfreegeoip.org

IN A

104.21.16.1

reallyfreegeoip.org

IN A

104.21.80.1

reallyfreegeoip.org

IN A

104.21.32.1
GET

https://reallyfreegeoip.org/xml/212.102.63.147

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Remote address:

104.21.64.1:443

Request

GET /xml/212.102.63.147 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 09 Feb 2025 14:25:18 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 208975
Last-Modified: Fri, 07 Feb 2025 04:22:23 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DT6N6onsyOLuxY0NpzZLOX70fJ5LAByFv99sop901bc2go9np%2BLeexETbtpaqpphIojY4dgdVo7CAhkWXsM46%2FpcxLL0lg2iCn2ue8oZwEHSUwvOjzRC2hkH6hx8%2BtblBOMN%2FfQy"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90f48727dcc6719e-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=45965&min_rtt=32799&rtt_var=32369&sent=6&recv=6&lost=0&retrans=1&sent_bytes=3046&recv_bytes=390&delivery_rate=34639&cwnd=253&unsent_bytes=0&cid=25365a7bf0496230&ts=215&x=0"
GET

https://reallyfreegeoip.org/xml/212.102.63.147

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Remote address:

104.21.64.1:443

Request

GET /xml/212.102.63.147 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sun, 09 Feb 2025 14:25:18 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 208975
Last-Modified: Fri, 07 Feb 2025 04:22:23 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8dTV8d6SG4RFFXGVvhI7PxyRp6CQx2yGSZr%2BPO%2B%2FsseA8kKkxzFFj34hlPp2gUzYlyUJ4tC%2F01alX0ebfZWPfk6MRjMknTWuNMrOse7PQnT0JoQImfWuLXpq1uF6hC%2Box98igMSJ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90f4872d8a1e719e-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=49112&min_rtt=32799&rtt_var=30572&sent=7&recv=8&lost=0&retrans=1&sent_bytes=4316&recv_bytes=482&delivery_rate=34639&cwnd=254&unsent_bytes=0&cid=25365a7bf0496230&ts=1112&x=0"
GET

https://reallyfreegeoip.org/xml/212.102.63.147

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Remote address:

104.21.64.1:443

Request

GET /xml/212.102.63.147 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sun, 09 Feb 2025 14:25:21 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 208978
Last-Modified: Fri, 07 Feb 2025 04:22:23 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rSaxpszjSiAt9ndYZ%2F3aP3P38d%2B%2B%2FrGqmewL0RkMvGc8%2Fo7PNSmZ18XtppkVZAg1LeUlrU4YZ1qMFvqm7jGQ27BGvh2%2BTcsegFZz41qImlLz9%2FPAIkABSc0jgLx%2F%2FV35YIWl3lyc"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90f4873f39e2719e-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=55275&min_rtt=32799&rtt_var=35255&sent=8&recv=10&lost=0&retrans=1&sent_bytes=5589&recv_bytes=574&delivery_rate=34639&cwnd=255&unsent_bytes=0&cid=25365a7bf0496230&ts=3941&x=0"
GET

https://reallyfreegeoip.org/xml/212.102.63.147

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Remote address:

104.21.64.1:443

Request

GET /xml/212.102.63.147 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sun, 09 Feb 2025 14:25:23 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 208980
Last-Modified: Fri, 07 Feb 2025 04:22:23 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8S62HgC%2B4oJG7Vi0jdvdCiebPd5VxohDybzbFyLdSYszMdGbX4dDU9H8PBk2seMWWY4utr%2Fsuvm81FuZ9grcssJh8edJRWXikKhAPhIJ3Q0jE8SJzfzG%2F0Eufww3NYZnP4nPnzRQ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90f487488a54719e-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=57712&min_rtt=32799&rtt_var=31315&sent=9&recv=12&lost=0&retrans=1&sent_bytes=6871&recv_bytes=666&delivery_rate=34639&cwnd=256&unsent_bytes=0&cid=25365a7bf0496230&ts=5425&x=0"
GET

https://reallyfreegeoip.org/xml/212.102.63.147

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Remote address:

104.21.64.1:443

Request

GET /xml/212.102.63.147 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sun, 09 Feb 2025 14:25:23 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 208980
Last-Modified: Fri, 07 Feb 2025 04:22:23 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=72%2BmhEpaTuOOWCfJ188yEqnMW0ocL37ev5WoMILCqPabycVmkoR%2Bhfe8oYmlxv31NGBpG0wlasq83qezrH5%2B9W9FhyOYtGNG8hnwHgzUfrHJVtVHawDo7gbhsLCOSXab1MLuNku%2B"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90f4874ceeb1719e-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=58643&min_rtt=32799&rtt_var=25347&sent=10&recv=14&lost=0&retrans=1&sent_bytes=8141&recv_bytes=758&delivery_rate=34639&cwnd=257&unsent_bytes=0&cid=25365a7bf0496230&ts=6131&x=0"
GET

https://reallyfreegeoip.org/xml/212.102.63.147

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Remote address:

104.21.64.1:443

Request

GET /xml/212.102.63.147 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sun, 09 Feb 2025 14:25:24 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 208981
Last-Modified: Fri, 07 Feb 2025 04:22:23 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JxwvQzpqheDQUJQVl0%2F%2FR6wVXv3B60Y6iKon9flW8VlE2tKRZmP1h74zZ02YRzCDB3lP9gLiXgm4xBUaCcgP64o%2BSslrmxODn5ddQIKFR5v5OT4PF%2BTz08099Tmpq1EYq0sfj7rU"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90f48751cb84719e-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=58643&min_rtt=32799&rtt_var=25347&sent=12&recv=16&lost=0&retrans=2&sent_bytes=10687&recv_bytes=850&delivery_rate=34639&cwnd=257&unsent_bytes=0&cid=25365a7bf0496230&ts=6908&x=0"
GET

https://reallyfreegeoip.org/xml/212.102.63.147

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Remote address:

104.21.64.1:443

Request

GET /xml/212.102.63.147 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sun, 09 Feb 2025 14:25:25 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 208982
Last-Modified: Fri, 07 Feb 2025 04:22:23 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4CePFopHLLvsfdik9LfFeO6D8KEr4jyp1wrHDN1KsjQI6QwSixfUGVWdYzhbvzGT1gtP8SQlhrHGUcRQQ%2B3eH3mQEFlwY5mUR4fsLvu08TzCO9dtdsb91C4CTRFdWVItslaWJqiA"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90f48753cd42719e-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=59715&min_rtt=32799&rtt_var=21154&sent=13&recv=18&lost=0&retrans=2&sent_bytes=11961&recv_bytes=942&delivery_rate=34639&cwnd=257&unsent_bytes=0&cid=25365a7bf0496230&ts=7230&x=0"
GET

https://reallyfreegeoip.org/xml/212.102.63.147

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

Remote address:

104.21.64.1:443

Request

GET /xml/212.102.63.147 HTTP/1.1
Host: reallyfreegeoip.org

Response

HTTP/1.1 200 OK

Date: Sun, 09 Feb 2025 14:25:25 GMT
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 208982
Last-Modified: Fri, 07 Feb 2025 04:22:23 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fcgZnkBDO8UhMtIY4paBjrhxvRj1bPqmfhxKVsdQ57XkSIUnUaIF79W%2BvuTkrHnZSHm0Om83fhTcS4i%2BJuMUfFTces%2BK3J%2FYUAF755WUjXXnap%2BD%2BRIwmX5%2FR%2BqfvMfj8mwdUO86"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90f487551e73719e-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=77091&min_rtt=32799&rtt_var=50618&sent=14&recv=19&lost=0&retrans=2&sent_bytes=13229&recv_bytes=1034&delivery_rate=34639&cwnd=257&unsent_bytes=0&cid=25365a7bf0496230&ts=7441&x=0"

4.245.161.190:443

https://msedge.api.cdp.microsoft.com/api/v1.1/internal/contents/Browser/namespaces/Default/names/msedge-stable-win-x64/versions/132.0.2957.140/files?action=GenerateDownloadInfo&foregroundPriority=false

tls, http2

9.3kB
11.3kB
28
23

HTTP Request

POST https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates

HTTP Response

200

HTTP Request

POST https://msedge.api.cdp.microsoft.com/api/v1.1/internal/contents/Browser/namespaces/Default/names/msedge-stable-win-x64/versions/132.0.2957.140/files?action=GenerateDownloadInfo&foregroundPriority=false

HTTP Response

200
158.101.44.242:80

http://checkip.dyndns.org/

http

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

2.7kB
4.3kB
27
25

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200
199.232.214.172:80

http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0740036a-4e18-456d-96fa-d1d9c4ca4676?P1=1739715905&P2=404&P3=2&P4=P0fV9%2fjVN16lDZIVN%2bmFgY6VnuHSqDmS4vPQ9HRaHoCIStenp%2fder7JkyUDJr5mpDRYlWnEbp6YskmXBihfLmQ%3d%3d

http

8.7kB
8.8kB
27
16

HTTP Request

HEAD http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0740036a-4e18-456d-96fa-d1d9c4ca4676?P1=1739715905&P2=404&P3=2&P4=P0fV9%2fjVN16lDZIVN%2bmFgY6VnuHSqDmS4vPQ9HRaHoCIStenp%2fder7JkyUDJr5mpDRYlWnEbp6YskmXBihfLmQ%3d%3d

HTTP Response

200

HTTP Request

GET http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0740036a-4e18-456d-96fa-d1d9c4ca4676?P1=1739715905&P2=404&P3=2&P4=P0fV9%2fjVN16lDZIVN%2bmFgY6VnuHSqDmS4vPQ9HRaHoCIStenp%2fder7JkyUDJr5mpDRYlWnEbp6YskmXBihfLmQ%3d%3d

HTTP Response

206

HTTP Request

GET http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0740036a-4e18-456d-96fa-d1d9c4ca4676?P1=1739715905&P2=404&P3=2&P4=P0fV9%2fjVN16lDZIVN%2bmFgY6VnuHSqDmS4vPQ9HRaHoCIStenp%2fder7JkyUDJr5mpDRYlWnEbp6YskmXBihfLmQ%3d%3d

HTTP Response

206

HTTP Request

GET http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0740036a-4e18-456d-96fa-d1d9c4ca4676?P1=1739715905&P2=404&P3=2&P4=P0fV9%2fjVN16lDZIVN%2bmFgY6VnuHSqDmS4vPQ9HRaHoCIStenp%2fder7JkyUDJr5mpDRYlWnEbp6YskmXBihfLmQ%3d%3d

HTTP Response

206

HTTP Request

GET http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0740036a-4e18-456d-96fa-d1d9c4ca4676?P1=1739715905&P2=404&P3=2&P4=P0fV9%2fjVN16lDZIVN%2bmFgY6VnuHSqDmS4vPQ9HRaHoCIStenp%2fder7JkyUDJr5mpDRYlWnEbp6YskmXBihfLmQ%3d%3d
104.21.64.1:443

https://reallyfreegeoip.org/xml/212.102.63.147

tls, http

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

2.6kB
16.5kB
30
19

HTTP Request

GET https://reallyfreegeoip.org/xml/212.102.63.147

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/212.102.63.147

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/212.102.63.147

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/212.102.63.147

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/212.102.63.147

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/212.102.63.147

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/212.102.63.147

HTTP Response

200

HTTP Request

GET https://reallyfreegeoip.org/xml/212.102.63.147

HTTP Response

200

8.8.8.8:53

msedge.api.cdp.microsoft.com

dns

148 B
158 B
2
1

DNS Request

msedge.api.cdp.microsoft.com

DNS Request

msedge.api.cdp.microsoft.com

DNS Response

4.245.161.190
8.8.8.8:53

checkip.dyndns.org

dns

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

64 B
176 B
1
1

DNS Request

checkip.dyndns.org

DNS Response

158.101.44.242

193.122.6.168

132.226.247.73

193.122.130.0

132.226.8.169
8.8.8.8:53

msedge.b.tlu.dl.delivery.mp.microsoft.com

dns

87 B
266 B
1
1

DNS Request

msedge.b.tlu.dl.delivery.mp.microsoft.com

DNS Response

199.232.214.172

199.232.210.172
8.8.8.8:53

reallyfreegeoip.org

dns

60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe

65 B
177 B
1
1

DNS Request

reallyfreegeoip.org

DNS Response

104.21.64.1

104.21.48.1

104.21.96.1

104.21.112.1

104.21.16.1

104.21.80.1

104.21.32.1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\60bfb47f60c7f0a6aa8185734c85849995f497117e38ba2c2e9fdeb1330b0cf1.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/460-12-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/460-20-0x0000000006C20000-0x0000000006DE2000-memory.dmp

Filesize
1.8MB

Download
memory/460-19-0x0000000006A00000-0x0000000006A50000-memory.dmp

Filesize
320KB

Download
memory/460-18-0x0000000073A10000-0x00000000741C0000-memory.dmp

Filesize
7.7MB

Download
memory/460-17-0x0000000073A10000-0x00000000741C0000-memory.dmp

Filesize
7.7MB

Download
memory/460-15-0x0000000073A10000-0x00000000741C0000-memory.dmp

Filesize
7.7MB

Download
memory/3532-4-0x0000000073A10000-0x00000000741C0000-memory.dmp

Filesize
7.7MB

Download
memory/3532-9-0x0000000073A1E000-0x0000000073A1F000-memory.dmp

Filesize
4KB

Download
memory/3532-10-0x0000000073A10000-0x00000000741C0000-memory.dmp

Filesize
7.7MB

Download
memory/3532-11-0x00000000053D0000-0x000000000543C000-memory.dmp

Filesize
432KB

Download
memory/3532-7-0x0000000005E10000-0x0000000005E2E000-memory.dmp

Filesize
120KB

Download
memory/3532-6-0x0000000005CB0000-0x0000000005D4C000-memory.dmp

Filesize
624KB

Download
memory/3532-5-0x0000000005AB0000-0x0000000005ABA000-memory.dmp

Filesize
40KB

Download
memory/3532-16-0x0000000073A10000-0x00000000741C0000-memory.dmp

Filesize
7.7MB

Download
memory/3532-0-0x0000000073A1E000-0x0000000073A1F000-memory.dmp

Filesize
4KB

Download
memory/3532-3-0x0000000005A00000-0x0000000005A92000-memory.dmp

Filesize
584KB

Download
memory/3532-2-0x0000000006080000-0x0000000006624000-memory.dmp

Filesize
5.6MB

Download
memory/3532-1-0x0000000000F70000-0x0000000001030000-memory.dmp

Filesize
768KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.