smokeloader | f794c1a2a0e24060d7c79bba5709897bbb1ce0eb919c5e904628ef3f649fd113

Analysis

max time kernel
151s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 21:28 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f794c1a2a0e24060d7c79bba5709897bbb1ce0eb919c5e904628ef3f649fd113.exe
Size

306KB
MD5

b5b80bf0a6acdd2094a9b4080afafdbc
SHA1

7e99e9aef2c21316da1b02718b98c100b235efbd
SHA256

f794c1a2a0e24060d7c79bba5709897bbb1ce0eb919c5e904628ef3f649fd113
SHA512

e798ebb6f9b438cef97a0d07d7d20b49b3399c56029d15aba6c1b61cf98560e970b066fe177b31779f2c9b7da5aa670c704f780efe97777e64dceca6a4599dda
SSDEEP

3072:wlYFR0wRMagQ6rIB9IVhJC/aMsmgM91m9bMc01JhYsdXyLEIJX:yYf0SMagQWIBGK/aMHPsp0PhYssL

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

rc4.i32

1
0xcc4f5fd4

rc4.i32

1
0x2a68f03e

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f794c1a2a0e24060d7c79bba5709897bbb1ce0eb919c5e904628ef3f649fd113.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f794c1a2a0e24060d7c79bba5709897bbb1ce0eb919c5e904628ef3f649fd113.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f794c1a2a0e24060d7c79bba5709897bbb1ce0eb919c5e904628ef3f649fd113.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3844	f794c1a2a0e24060d7c79bba5709897bbb1ce0eb919c5e904628ef3f649fd113.exe
3844	f794c1a2a0e24060d7c79bba5709897bbb1ce0eb919c5e904628ef3f649fd113.exe
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3156	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3844	f794c1a2a0e24060d7c79bba5709897bbb1ce0eb919c5e904628ef3f649fd113.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3156	Process not Found

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f794c1a2a0e24060d7c79bba5709897bbb1ce0eb919c5e904628ef3f649fd113.exe
"C:\Users\Admin\AppData\Local\Temp\f794c1a2a0e24060d7c79bba5709897bbb1ce0eb919c5e904628ef3f649fd113.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3844

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

83.121.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.121.18.2.in-addr.arpa

IN PTR

Response

83.121.18.2.in-addr.arpa

IN PTR

a2-18-121-83deploystaticakamaitechnologiescom
DNS

108.211.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

108.211.229.192.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

2.136.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.136.104.51.in-addr.arpa

IN PTR

Response
DNS

potunulit.org

Remote address:

8.8.8.8:53

Request

potunulit.org

IN A

Response

potunulit.org

IN A

188.114.96.0

potunulit.org

IN A

188.114.97.0
POST

http://potunulit.org/

Remote address:

188.114.96.0:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://grvjhtysma.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 328
Host: potunulit.org

Response

HTTP/1.1 200 OK

Date: Thu, 12 Oct 2023 17:21:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=oPnm9SWyklwztjwtRoespgP4JTEn8THoZbDNL0tuODQG89ORPkyY1CdaMZCFSh%2Ba%2BH18JJbpqJ1BJzPsHwvL%2FXrMIudvrpiJfa6xtoZM8Jgibo9wy3yrtiwySDp3Y16p"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 81510487d9780be0-AMS
DNS

hutnilior.net

Remote address:

8.8.8.8:53

Request

hutnilior.net

IN A

Response

hutnilior.net

IN A

91.195.240.101
POST

http://hutnilior.net/

Remote address:

91.195.240.101:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://illiw.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 358
Host: hutnilior.net

Response

HTTP/1.1 405 Not Allowed

date: Thu, 12 Oct 2023 17:21:10 GMT
content-type: text/html
content-length: 154
server: NginX
DNS

bulimu55t.net

Remote address:

8.8.8.8:53

Request

bulimu55t.net

IN A

Response

bulimu55t.net

IN A

91.195.240.101
POST

http://bulimu55t.net/

Remote address:

91.195.240.101:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xmvhhufmss.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 119
Host: bulimu55t.net

Response

HTTP/1.1 405 Not Allowed

date: Thu, 12 Oct 2023 17:21:10 GMT
content-type: text/html
content-length: 154
server: NginX
DNS

soryytlic4.net

Remote address:

8.8.8.8:53

Request

soryytlic4.net

IN A

Response

soryytlic4.net

IN A

91.195.240.101
POST

http://soryytlic4.net/

Remote address:

91.195.240.101:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ceforwfl.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 304
Host: soryytlic4.net

Response

HTTP/1.1 405 Not Allowed

date: Thu, 12 Oct 2023 17:21:10 GMT
content-type: text/html
content-length: 154
server: NginX
DNS

novanosa5org.org

Remote address:

8.8.8.8:53

Request

novanosa5org.org

IN A

Response
DNS

novanosa5org.org

Remote address:

8.8.8.8:53

Request

novanosa5org.org

IN A

Response

novanosa5org.org

IN A

35.204.181.10
DNS

novanosa5org.org

Remote address:

8.8.8.8:53

Request

novanosa5org.org

IN A

Response
DNS

novanosa5org.org

Remote address:

8.8.8.8:53

Request

novanosa5org.org

IN A

Response
DNS

0.96.114.188.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.96.114.188.in-addr.arpa

IN PTR

Response
DNS

101.240.195.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

101.240.195.91.in-addr.arpa

IN PTR

Response
DNS

nuljjjnuli.org

Remote address:

8.8.8.8:53

Request

nuljjjnuli.org

IN A

Response
DNS

tolilolihul.net

Remote address:

8.8.8.8:53

Request

tolilolihul.net

IN A

Response

tolilolihul.net

IN A

34.174.78.212
DNS

tolilolihul.net

Remote address:

8.8.8.8:53

Request

tolilolihul.net

IN A

Response

tolilolihul.net

IN A

34.174.78.212
DNS

tolilolihul.net

Remote address:

8.8.8.8:53

Request

tolilolihul.net

IN A

Response
POST

http://tolilolihul.net/

Remote address:

34.174.78.212:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://elmgtbbi.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 284
Host: tolilolihul.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 12 Oct 2023 17:21:18 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=5f09f14d91f46491dcc044c148399172|154.61.71.51|1697131278|1697131278|0|1|0; path=/; domain=.tolilolihul.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=154.61.71.51; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

somatoka51hub.net

Remote address:

8.8.8.8:53

Request

somatoka51hub.net

IN A

Response

somatoka51hub.net

IN A

34.91.32.224
DNS

somatoka51hub.net

Remote address:

8.8.8.8:53

Request

somatoka51hub.net

IN A

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
POST

http://somatoka51hub.net/

Remote address:

34.91.32.224:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ybhfpip.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 337
Host: somatoka51hub.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 12 Oct 2023 17:21:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=bce9f04a730c5b0fa6dda9e9c31ad603|154.61.71.51|1697131280|1697131280|0|1|0; path=/; domain=.somatoka51hub.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=154.61.71.51; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

hujukui3.net

Remote address:

8.8.8.8:53

Request

hujukui3.net

IN A

Response

hujukui3.net

IN A

34.126.189.157
DNS

hujukui3.net

Remote address:

8.8.8.8:53

Request

hujukui3.net

IN A

Response

hujukui3.net

IN A

34.126.189.157
DNS

hujukui3.net

Remote address:

8.8.8.8:53

Request

hujukui3.net

IN A

Response
DNS

212.78.174.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.78.174.34.in-addr.arpa

IN PTR

Response

212.78.174.34.in-addr.arpa

IN PTR

2127817434bcgoogleusercontentcom
DNS

254.111.26.67.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.111.26.67.in-addr.arpa

IN PTR

Response
DNS

224.32.91.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

224.32.91.34.in-addr.arpa

IN PTR

Response

224.32.91.34.in-addr.arpa

IN PTR

224329134bcgoogleusercontentcom
POST

http://hujukui3.net/

Remote address:

34.126.189.157:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://lbrekge.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 336
Host: hujukui3.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 12 Oct 2023 17:21:23 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=255dc23f3772f9eac6739a04cd9fce76|154.61.71.51|1697131283|1697131283|0|1|0; path=/; domain=.hujukui3.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=154.61.71.51; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

bukubuka1.net

Remote address:

8.8.8.8:53

Request

bukubuka1.net

IN A

Response

bukubuka1.net

IN A

34.29.71.138
DNS

bukubuka1.net

Remote address:

8.8.8.8:53

Request

bukubuka1.net

IN A

Response
DNS

bukubuka1.net

Remote address:

8.8.8.8:53

Request

bukubuka1.net

IN A

Response
DNS

157.189.126.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.189.126.34.in-addr.arpa

IN PTR

Response

157.189.126.34.in-addr.arpa

IN PTR

15718912634bcgoogleusercontentcom
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
POST

http://bukubuka1.net/

Remote address:

34.29.71.138:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://yroswvrmas.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 112
Host: bukubuka1.net

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 12 Oct 2023 17:21:25 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=dbea4e086c216f681d448ab289864e8c|154.61.71.51|1697131285|1697131285|0|1|0; path=/; domain=.bukubuka1.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=154.61.71.51; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

golilopaster.org

Remote address:

8.8.8.8:53

Request

golilopaster.org

IN A

Response
DNS

golilopaster.org

Remote address:

8.8.8.8:53

Request

golilopaster.org

IN A

Response

golilopaster.org

IN A

34.174.78.212
DNS

golilopaster.org

Remote address:

8.8.8.8:53

Request

golilopaster.org

IN A

Response

golilopaster.org

IN A

34.174.78.212
DNS

golilopaster.org

Remote address:

8.8.8.8:53

Request

golilopaster.org

IN A

Response

golilopaster.org

IN A

34.174.78.212
DNS

138.71.29.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.71.29.34.in-addr.arpa

IN PTR

Response

138.71.29.34.in-addr.arpa

IN PTR

138712934bcgoogleusercontentcom
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301700_18ZUY5V0A74HOX1SZ&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301700_18ZUY5V0A74HOX1SZ&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 541005
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 22426739E8D8406DBE2C3F2E520C2D45 Ref B: AMS04EDGE3606 Ref C: 2023-10-12T17:21:26Z
date: Thu, 12 Oct 2023 17:21:25 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301145_1Y8CXK45BT2OHNQQQ&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301145_1Y8CXK45BT2OHNQQQ&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 300661
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DB7383CE0B6648358052A7729477CF32 Ref B: AMS04EDGE3606 Ref C: 2023-10-12T17:21:26Z
date: Thu, 12 Oct 2023 17:21:25 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317300960_1ICQ4HC4DA1BI7PLM&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317300960_1ICQ4HC4DA1BI7PLM&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 263962
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4DD8F4637A164F9F841C8026F67EC437 Ref B: AMS04EDGE3606 Ref C: 2023-10-12T17:21:26Z
date: Thu, 12 Oct 2023 17:21:25 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301291_1H8FN9XYY8JWTIM5Q&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301291_1H8FN9XYY8JWTIM5Q&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 477094
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7D85CAF1706A4EBBB6C1BF9A94AA13FF Ref B: AMS04EDGE3606 Ref C: 2023-10-12T17:21:26Z
date: Thu, 12 Oct 2023 17:21:25 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301393_1DLI2GHT6T3VY9S09&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301393_1DLI2GHT6T3VY9S09&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 306539
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 06B147DF59554D8F84CF93628024837B Ref B: AMS04EDGE3606 Ref C: 2023-10-12T17:21:26Z
date: Thu, 12 Oct 2023 17:21:25 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301554_133DWC45UAH2W18HX&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301554_133DWC45UAH2W18HX&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

newzelannd66.org

Remote address:

8.8.8.8:53

Request

newzelannd66.org

IN A

Response

newzelannd66.org

IN A

34.91.32.224
POST

http://newzelannd66.org/

Remote address:

34.91.32.224:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://eclicgnb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 114
Host: newzelannd66.org

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 12 Oct 2023 17:21:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=e8f867cd01bc2f7576196a883e2dcc8e|154.61.71.51|1697131291|1697131291|0|1|0; path=/; domain=.newzelannd66.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=154.61.71.51; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

otriluyttn.org

Remote address:

8.8.8.8:53

Request

otriluyttn.org

IN A

Response
DNS

8.3.197.209.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.3.197.209.in-addr.arpa

IN PTR

Response

8.3.197.209.in-addr.arpa

IN PTR

vip0x008map2sslhwcdnnet
DNS

2.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.173.189.20.in-addr.arpa

IN PTR

Response

188.114.96.0:80

http://potunulit.org/

http

1.0kB
5.3kB
9
9

HTTP Request

POST http://potunulit.org/

HTTP Response

200
91.195.240.101:80

http://hutnilior.net/

http

937 B
528 B
7
6

HTTP Request

POST http://hutnilior.net/

HTTP Response

405
91.195.240.101:80

http://bulimu55t.net/

http

703 B
528 B
7
6

HTTP Request

POST http://bulimu55t.net/

HTTP Response

405
91.195.240.101:80

http://soryytlic4.net/

http

887 B
528 B
7
6

HTTP Request

POST http://soryytlic4.net/

HTTP Response

405
34.174.78.212:80

http://tolilolihul.net/

http

822 B
659 B
6
6

HTTP Request

POST http://tolilolihul.net/

HTTP Response

200
34.91.32.224:80

http://somatoka51hub.net/

http

876 B
661 B
6
6

HTTP Request

POST http://somatoka51hub.net/

HTTP Response

200
34.126.189.157:80

http://hujukui3.net/

http

870 B
664 B
6
6

HTTP Request

POST http://hujukui3.net/

HTTP Response

200
34.29.71.138:80

http://bukubuka1.net/

http

650 B
665 B
6
6

HTTP Request

POST http://bukubuka1.net/

HTTP Response

200
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301554_133DWC45UAH2W18HX&pid=21.2&w=1080&h=1920&c=4

tls, http2

71.4kB
2.0MB
1438
1476

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301700_18ZUY5V0A74HOX1SZ&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301145_1Y8CXK45BT2OHNQQQ&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317300960_1ICQ4HC4DA1BI7PLM&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301291_1H8FN9XYY8JWTIM5Q&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301393_1DLI2GHT6T3VY9S09&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301554_133DWC45UAH2W18HX&pid=21.2&w=1080&h=1920&c=4
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
34.91.32.224:80

http://newzelannd66.org/

http

653 B
660 B
6
6

HTTP Request

POST http://newzelannd66.org/

HTTP Response

200

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

83.121.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

83.121.18.2.in-addr.arpa
8.8.8.8:53

108.211.229.192.in-addr.arpa

dns

74 B
145 B
1
1

DNS Request

108.211.229.192.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

2.136.104.51.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.136.104.51.in-addr.arpa
8.8.8.8:53

potunulit.org

dns

59 B
91 B
1
1

DNS Request

potunulit.org

DNS Response

188.114.96.0

188.114.97.0
8.8.8.8:53

hutnilior.net

dns

59 B
75 B
1
1

DNS Request

hutnilior.net

DNS Response

91.195.240.101
8.8.8.8:53

bulimu55t.net

dns

59 B
75 B
1
1

DNS Request

bulimu55t.net

DNS Response

91.195.240.101
8.8.8.8:53

soryytlic4.net

dns

60 B
76 B
1
1

DNS Request

soryytlic4.net

DNS Response

91.195.240.101
8.8.8.8:53

novanosa5org.org

dns

248 B
264 B
4
4

DNS Request

novanosa5org.org

DNS Request

novanosa5org.org

DNS Request

novanosa5org.org

DNS Request

novanosa5org.org

DNS Response

35.204.181.10
8.8.8.8:53

0.96.114.188.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

0.96.114.188.in-addr.arpa
8.8.8.8:53

101.240.195.91.in-addr.arpa

dns

73 B
157 B
1
1

DNS Request

101.240.195.91.in-addr.arpa
8.8.8.8:53

nuljjjnuli.org

dns

60 B
142 B
1
1

DNS Request

nuljjjnuli.org
8.8.8.8:53

tolilolihul.net

dns

183 B
215 B
3
3

DNS Request

tolilolihul.net

DNS Request

tolilolihul.net

DNS Request

tolilolihul.net

DNS Response

34.174.78.212

DNS Response

34.174.78.212
8.8.8.8:53

somatoka51hub.net

dns

126 B
142 B
2
2

DNS Request

somatoka51hub.net

DNS Request

somatoka51hub.net

DNS Response

34.91.32.224
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

hujukui3.net

dns

174 B
206 B
3
3

DNS Request

hujukui3.net

DNS Request

hujukui3.net

DNS Request

hujukui3.net

DNS Response

34.126.189.157

DNS Response

34.126.189.157
8.8.8.8:53

212.78.174.34.in-addr.arpa

dns

72 B
124 B
1
1

DNS Request

212.78.174.34.in-addr.arpa
8.8.8.8:53

254.111.26.67.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

254.111.26.67.in-addr.arpa
8.8.8.8:53

224.32.91.34.in-addr.arpa

dns

71 B
122 B
1
1

DNS Request

224.32.91.34.in-addr.arpa
8.8.8.8:53

bukubuka1.net

dns

177 B
193 B
3
3

DNS Request

bukubuka1.net

DNS Request

bukubuka1.net

DNS Request

bukubuka1.net

DNS Response

34.29.71.138
8.8.8.8:53

157.189.126.34.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

157.189.126.34.in-addr.arpa
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

golilopaster.org

dns

248 B
296 B
4
4

DNS Request

golilopaster.org

DNS Request

golilopaster.org

DNS Request

golilopaster.org

DNS Request

golilopaster.org

DNS Response

34.174.78.212

DNS Response

34.174.78.212

DNS Response

34.174.78.212
8.8.8.8:53

138.71.29.34.in-addr.arpa

dns

71 B
122 B
1
1

DNS Request

138.71.29.34.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

newzelannd66.org

dns

62 B
78 B
1
1

DNS Request

newzelannd66.org

DNS Response

34.91.32.224
8.8.8.8:53

otriluyttn.org

dns

60 B
142 B
1
1

DNS Request

otriluyttn.org
8.8.8.8:53

8.3.197.209.in-addr.arpa

dns

70 B
111 B
1
1

DNS Request

8.3.197.209.in-addr.arpa
8.8.8.8:53

2.173.189.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3156-51-0x0000000007050000-0x0000000007060000-memory.dmp

Filesize
64KB

Download
memory/3156-55-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-13-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-14-0x0000000007070000-0x0000000007080000-memory.dmp

Filesize
64KB

Download
memory/3156-15-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-84-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-4-0x0000000002810000-0x0000000002826000-memory.dmp

Filesize
88KB

Download
memory/3156-17-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-18-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-49-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-21-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-23-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-24-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-25-0x0000000008570000-0x0000000008580000-memory.dmp

Filesize
64KB

Download
memory/3156-26-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-27-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-28-0x0000000007090000-0x00000000070A0000-memory.dmp

Filesize
64KB

Download
memory/3156-29-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-31-0x0000000007070000-0x0000000007080000-memory.dmp

Filesize
64KB

Download
memory/3156-30-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-33-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-35-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-37-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-38-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-40-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-39-0x0000000007090000-0x00000000070A0000-memory.dmp

Filesize
64KB

Download
memory/3156-42-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-43-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-44-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-45-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-41-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-46-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-47-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-48-0x0000000007090000-0x00000000070A0000-memory.dmp

Filesize
64KB

Download
memory/3156-16-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-12-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-19-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-52-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-53-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-54-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-50-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-56-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-58-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-57-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-60-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-61-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-62-0x0000000007090000-0x00000000070A0000-memory.dmp

Filesize
64KB

Download
memory/3156-63-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-64-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-65-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-67-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-69-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-71-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-72-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-68-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-73-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-74-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-76-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-75-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-78-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-81-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-82-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-80-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-79-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3156-83-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/3844-1-0x0000000002600000-0x0000000002700000-memory.dmp

Filesize
1024KB

Download
memory/3844-2-0x0000000002760000-0x0000000002769000-memory.dmp

Filesize
36KB

Download
memory/3844-3-0x0000000000400000-0x000000000259F000-memory.dmp

Filesize
33.6MB

Download
memory/3844-5-0x0000000000400000-0x000000000259F000-memory.dmp

Filesize
33.6MB

Download
memory/3844-8-0x0000000002760000-0x0000000002769000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request