discordrat | hxxps://gofile[.]io/d/vg1Pjm

Analysis

max time kernel
78s
max time network
77s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11/10/2024, 06:03 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/vg1Pjm

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI5MzY4MTEyNTMyMjkyMDAyMg.GHJfv9.tfuMP5Xy9zJB67D_6d0UpD39_ZIr6TqJf5Y6EM
server_id
1293975894108540940

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
3916	Znyth_test.exe
900	Znyth_test.exe
2520	Znyth_test.exe
1360	Znyth_test.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
68	discord.com
74	discord.com
2	discord.com
32	discord.com
34	discord.com
45	discord.com
49	discord.com
66	discord.com
75	discord.com
43	discord.com
47	discord.com
73	discord.com
76	discord.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Znyth_test.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 955298.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Znyth_test.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1672	msedge.exe
1672	msedge.exe
1040	msedge.exe
1040	msedge.exe
1752	identity_helper.exe
1752	identity_helper.exe
3392	msedge.exe
3392	msedge.exe
4696	msedge.exe
4696	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3916	Znyth_test.exe
Token: SeDebugPrivilege	900	Znyth_test.exe
Token: SeDebugPrivilege	2520	Znyth_test.exe
Token: SeDebugPrivilege	3592	firefox.exe
Token: SeDebugPrivilege	3592	firefox.exe
Token: SeDebugPrivilege	1360	Znyth_test.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3592	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 3756	1040	msedge.exe	80
PID 1040 wrote to memory of 3756	1040	msedge.exe	80
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 1672	1040	msedge.exe	82
PID 1040 wrote to memory of 1672	1040	msedge.exe	82
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/vg1Pjm
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb74643cb8,0x7ffb74643cc8,0x7ffb74643cd8
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6172 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6216 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4696
- C:\Users\Admin\Downloads\Znyth_test.exe
  "C:\Users\Admin\Downloads\Znyth_test.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3916
- C:\Users\Admin\Downloads\Znyth_test.exe
  "C:\Users\Admin\Downloads\Znyth_test.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Users\Admin\Downloads\Znyth_test.exe
  "C:\Users\Admin\Downloads\Znyth_test.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2320

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2988
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1944 -parentBuildID 20240401114208 -prefsHandle 1872 -prefMapHandle 1852 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d3538e5-a294-4467-962a-425cfb1efc24} 3592 "\\.\pipe\gecko-crash-server-pipe.3592" gpu
    3⤵
    PID:1416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2344 -parentBuildID 20240401114208 -prefsHandle 2336 -prefMapHandle 2324 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b00cc8e-5fe5-4c50-9c67-d691cddf93de} 3592 "\\.\pipe\gecko-crash-server-pipe.3592" socket
    3⤵
    PID:3656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3328 -childID 1 -isForBrowser -prefsHandle 3320 -prefMapHandle 3316 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {691f63d9-93e1-488f-b741-04701f703238} 3592 "\\.\pipe\gecko-crash-server-pipe.3592" tab
    3⤵
    PID:1828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3936 -childID 2 -isForBrowser -prefsHandle 3928 -prefMapHandle 1104 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e688d56-859c-4f2a-b1d3-bedcfd3ccd08} 3592 "\\.\pipe\gecko-crash-server-pipe.3592" tab
    3⤵
    PID:2816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4580 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4548 -prefMapHandle 4552 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb7802fe-7ea9-464e-bdf4-337fdc2ed0b7} 3592 "\\.\pipe\gecko-crash-server-pipe.3592" utility
    3⤵
    - Checks processor information in registry
    PID:1972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 3 -isForBrowser -prefsHandle 5344 -prefMapHandle 4836 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a05675b-158a-465d-826a-a5a340abca83} 3592 "\\.\pipe\gecko-crash-server-pipe.3592" tab
    3⤵
    PID:3516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 4 -isForBrowser -prefsHandle 5488 -prefMapHandle 5492 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37e2319c-2bd8-40cd-a273-9d75ace5fef6} 3592 "\\.\pipe\gecko-crash-server-pipe.3592" tab
    3⤵
    PID:2572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 5 -isForBrowser -prefsHandle 5696 -prefMapHandle 5700 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2fe4646-63f5-467b-bed0-511b2f5499f0} 3592 "\\.\pipe\gecko-crash-server-pipe.3592" tab
    3⤵
    PID:3444

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2316

C:\Users\Admin\Downloads\Znyth_test.exe
"C:\Users\Admin\Downloads\Znyth_test.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1360

Network

DNS

gofile.io

msedge.exe

Remote address:

8.8.8.8:53

Request

gofile.io

IN A

Response

gofile.io

IN A

45.112.123.126
DNS

gofile.io

msedge.exe

Remote address:

8.8.8.8:53

Request

gofile.io

IN A

Response

gofile.io

IN A

45.112.123.126
DNS

ctldl.windowsupdate.com

msedge.exe

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

bg.microsoft.map.fastly.net

bg.microsoft.map.fastly.net

IN A

199.232.214.172

bg.microsoft.map.fastly.net

IN A

199.232.210.172
DNS

67.31.126.40.in-addr.arpa

msedge.exe

Remote address:

8.8.8.8:53

Request

67.31.126.40.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

msedge.exe

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

ad.a-ads.com

msedge.exe

Remote address:

8.8.8.8:53

Request

ad.a-ads.com

IN A

Response

ad.a-ads.com

IN A

78.46.32.91
DNS

91.32.46.78.in-addr.arpa

msedge.exe

Remote address:

8.8.8.8:53

Request

91.32.46.78.in-addr.arpa

IN PTR

Response

91.32.46.78.in-addr.arpa

IN PTR

static91324678clientsyour-serverde
DNS

static.a-ads.com

msedge.exe

Remote address:

8.8.8.8:53

Request

static.a-ads.com

IN A

Response

static.a-ads.com

IN CNAME

ad.a-ads.com

ad.a-ads.com

IN A

148.251.233.147
DNS

147.233.251.148.in-addr.arpa

msedge.exe

Remote address:

8.8.8.8:53

Request

147.233.251.148.in-addr.arpa

IN PTR

Response

147.233.251.148.in-addr.arpa

IN PTR

static147233251148clientsyour-serverde
DNS

gateway.discord.gg

msedge.exe

Remote address:

8.8.8.8:53

Request

gateway.discord.gg

IN A

Response

gateway.discord.gg

IN A

162.159.134.234

gateway.discord.gg

IN A

162.159.133.234

gateway.discord.gg

IN A

162.159.136.234

gateway.discord.gg

IN A

162.159.130.234

gateway.discord.gg

IN A

162.159.135.234
DNS

geolocation-db.com

msedge.exe

Remote address:

8.8.8.8:53

Request

geolocation-db.com

IN A

Response

geolocation-db.com

IN A

159.89.102.253
DNS

253.102.89.159.in-addr.arpa

msedge.exe

Remote address:

8.8.8.8:53

Request

253.102.89.159.in-addr.arpa

IN PTR

Response
DNS

10.28.171.150.in-addr.arpa

msedge.exe

Remote address:

8.8.8.8:53

Request

10.28.171.150.in-addr.arpa

IN PTR

Response
DNS

content-signature-2.cdn.mozilla.net

msedge.exe

Remote address:

8.8.8.8:53

Request

content-signature-2.cdn.mozilla.net

IN A

Response

content-signature-2.cdn.mozilla.net

IN CNAME

content-signature-chains.prod.autograph.services.mozaws.net

content-signature-chains.prod.autograph.services.mozaws.net

IN CNAME

prod.content-signature-chains.prod.webservices.mozgcp.net

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

34.160.144.191
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

msedge.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

34.160.144.191
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

msedge.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

2600:1901:0:92a9::
DNS

shavar.prod.mozaws.net

msedge.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN AAAA

Response
DNS

5.161.26.52.in-addr.arpa

msedge.exe

Remote address:

8.8.8.8:53

Request

5.161.26.52.in-addr.arpa

IN PTR

Response

5.161.26.52.in-addr.arpa

IN PTR

ec2-52-26-161-5 us-west-2compute amazonawscom
DNS

234.136.159.162.in-addr.arpa

msedge.exe

Remote address:

8.8.8.8:53

Request

234.136.159.162.in-addr.arpa

IN PTR

Response
GET

https://gofile.io/d/vg1Pjm

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /d/vg1Pjm HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:01 GMT
content-type: text/html; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Fri, 19 Jul 2024 00:49:47 GMT
etag: W/"27a7-190c87768fe"
content-encoding: gzip
GET

https://gofile.io/dist/css/bootstrap.min.css

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/css/bootstrap.min.css HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: text/css,*/*;q=0.1
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: style
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:02 GMT
content-type: text/css; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Fri, 19 Jul 2024 00:49:47 GMT
etag: W/"2fbaa-190c87768da"
content-encoding: gzip
GET

https://gofile.io/dist/css/bootstrap-icons.css

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/css/bootstrap-icons.css HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: text/css,*/*;q=0.1
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: style
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:02 GMT
content-type: text/css; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Fri, 19 Jul 2024 00:49:47 GMT
etag: W/"17579-190c87768da"
content-encoding: gzip
GET

https://gofile.io/dist/css/bootstrap-nightfall.css

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/css/bootstrap-nightfall.css HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: text/css,*/*;q=0.1
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: style
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:02 GMT
content-type: text/css; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Fri, 19 Jul 2024 00:49:47 GMT
etag: W/"758-190c87768d6"
content-encoding: gzip
GET

https://gofile.io/dist/css/plyr.css

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/css/plyr.css HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: text/css,*/*;q=0.1
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: style
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:02 GMT
content-type: text/css; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Fri, 19 Jul 2024 00:49:47 GMT
etag: W/"85ae-190c87768e2"
content-encoding: gzip
GET

https://gofile.io/dist/css/allcss.css

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/css/allcss.css HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: text/css,*/*;q=0.1
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: style
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:02 GMT
content-type: text/css; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Fri, 19 Jul 2024 00:49:47 GMT
etag: W/"c869-190c87768da"
content-encoding: gzip
GET

https://gofile.io/dist/js/bootstrap.bundle.min.js

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/js/bootstrap.bundle.min.js HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:02 GMT
content-type: application/javascript; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Fri, 19 Jul 2024 00:49:47 GMT
etag: W/"13a49-190c87768ee"
content-encoding: gzip
GET

https://gofile.io/dist/js/sha256.min.js

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/js/sha256.min.js HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:02 GMT
content-type: application/javascript; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Fri, 19 Jul 2024 00:49:47 GMT
etag: W/"2339-190c87768fe"
content-encoding: gzip
GET

https://gofile.io/dist/js/qrcode.min.js

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/js/qrcode.min.js HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:02 GMT
content-type: application/javascript; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Fri, 19 Jul 2024 00:49:47 GMT
etag: W/"4dda-190c87768fe"
content-encoding: gzip
GET

https://gofile.io/dist/js/dayjs.min.js

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/js/dayjs.min.js HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:02 GMT
content-type: application/javascript; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Fri, 19 Jul 2024 00:49:47 GMT
etag: W/"1a0e-190c87768f6"
content-encoding: gzip
GET

https://gofile.io/dist/js/customParseFormat.js

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/js/customParseFormat.js HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:02 GMT
content-type: application/javascript; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Fri, 19 Jul 2024 00:49:47 GMT
etag: W/"ea2-190c87768f6"
content-encoding: gzip
GET

https://gofile.io/dist/js/marked.min.js

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/js/marked.min.js HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:02 GMT
content-type: application/javascript; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Fri, 19 Jul 2024 00:49:47 GMT
etag: W/"aca2-190c87768fa"
content-encoding: gzip
GET

https://gofile.io/dist/js/plyr.js

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/js/plyr.js HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:02 GMT
content-type: application/javascript; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Fri, 19 Jul 2024 00:49:47 GMT
etag: W/"1b1b2-190c87768fa"
content-encoding: gzip
GET

https://gofile.io/dist/js/chart.umd.min.js

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/js/chart.umd.min.js HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:02 GMT
content-type: application/javascript; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Fri, 19 Jul 2024 00:49:47 GMT
etag: W/"3094c-190c87768f6"
content-encoding: gzip
GET

https://gofile.io/dist/js/alljs.js

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/js/alljs.js HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:02 GMT
content-type: application/javascript; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Fri, 27 Sep 2024 14:26:45 GMT
etag: W/"38ca4-19233e0867a"
content-encoding: gzip
GET

https://gofile.io/dist/img/logo-small-70.png

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/img/logo-small-70.png HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:02 GMT
content-type: image/png
content-length: 2367
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
accept-ranges: bytes
cache-control: public, max-age=0
last-modified: Fri, 19 Jul 2024 00:49:47 GMT
etag: W/"93f-190c87768ea"
GET

https://gofile.io/dist/css/fonts/bootstrap-icons.woff2?24e3eb84d0bcaf83d77f904c78ac1f47

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/css/fonts/bootstrap-icons.woff2?24e3eb84d0bcaf83d77f904c78ac1f47 HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
origin: https://gofile.io
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
dnt: 1
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: cors
sec-fetch-dest: font
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:02 GMT
content-type: font/woff2
content-length: 121296
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
accept-ranges: bytes
cache-control: public, max-age=0
last-modified: Fri, 19 Jul 2024 00:49:47 GMT
etag: W/"1d9d0-190c87768e2"
GET

https://gofile.io/dist/img/favicon96.png

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/img/favicon96.png HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:02 GMT
content-type: image/png
content-length: 2886
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
accept-ranges: bytes
cache-control: public, max-age=0
last-modified: Fri, 19 Jul 2024 00:49:47 GMT
etag: W/"b46-190c87768ea"
GET

https://gofile.io/dist/img/favicon32.png

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/img/favicon32.png HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:02 GMT
content-type: image/png
content-length: 903
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
accept-ranges: bytes
cache-control: public, max-age=0
last-modified: Fri, 19 Jul 2024 00:49:47 GMT
etag: W/"387-190c87768ea"
GET

https://gofile.io/dist/img/favicon16.png

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /dist/img/favicon16.png HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:02 GMT
content-type: image/png
content-length: 503
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
accept-ranges: bytes
cache-control: public, max-age=0
last-modified: Fri, 19 Jul 2024 00:49:47 GMT
etag: W/"1f7-190c87768ea"
GET

https://gofile.io/contents/files.html

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /contents/files.html HTTP/2.0
host: gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: accountToken=LgnScntxO4UyVMPEmFet0GmvB4wPE40Y

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:04 GMT
content-type: text/html; charset=UTF-8
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
origin-agent-cluster: ?1
x-permitted-cross-domain-policies: none
referrer-policy: origin
x-xss-protection: 0
cache-control: public, max-age=0
last-modified: Fri, 19 Jul 2024 00:49:47 GMT
etag: W/"4a1d-190c87768d6"
content-encoding: gzip
DNS

126.123.112.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

126.123.112.45.in-addr.arpa

IN PTR

Response
DNS

arc.msn.com

Remote address:

8.8.8.8:53

Request

arc.msn.com

IN A

Response

arc.msn.com

IN CNAME

arc.trafficmanager.net

arc.trafficmanager.net

IN CNAME

iris-de-prod-azsc-v2-neu-b.northeurope.cloudapp.azure.com

iris-de-prod-azsc-v2-neu-b.northeurope.cloudapp.azure.com

IN A

20.223.36.55
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

fonts.gstatic.com

Remote address:

8.8.8.8:53

Request

fonts.gstatic.com

IN A

Response

fonts.gstatic.com

IN A

142.250.180.3
DNS

3.180.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.180.250.142.in-addr.arpa

IN PTR

Response

3.180.250.142.in-addr.arpa

IN PTR

lhr25s32-in-f31e100net
DNS

239.190.168.206.in-addr.arpa

Remote address:

8.8.8.8:53

Request

239.190.168.206.in-addr.arpa

IN PTR

Response
DNS

234.134.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.134.159.162.in-addr.arpa

IN PTR

Response
DNS

arc.msn.com

Remote address:

8.8.8.8:53

Request

arc.msn.com

IN A

Response

arc.msn.com

IN CNAME

arc.trafficmanager.net

arc.trafficmanager.net

IN CNAME

iris-de-prod-azsc-v2-frc.francecentral.cloudapp.azure.com

iris-de-prod-azsc-v2-frc.francecentral.cloudapp.azure.com

IN A

20.199.58.43
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

spocs.getpocket.com

Remote address:

8.8.8.8:53

Request

spocs.getpocket.com

IN A

Response

spocs.getpocket.com

IN CNAME

prod.ads.prod.webservices.mozgcp.net

prod.ads.prod.webservices.mozgcp.net

IN A

34.117.188.166
DNS

prod.ads.prod.webservices.mozgcp.net

Remote address:

8.8.8.8:53

Request

prod.ads.prod.webservices.mozgcp.net

IN A

Response

prod.ads.prod.webservices.mozgcp.net

IN A

34.117.188.166
DNS

prod.ads.prod.webservices.mozgcp.net

Remote address:

8.8.8.8:53

Request

prod.ads.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

Remote address:

8.8.8.8:53

Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN A

Response

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN A

34.149.97.1
DNS

arc.msn.com

Remote address:

8.8.8.8:53

Request

arc.msn.com

IN A

Response

arc.msn.com

IN CNAME

arc.trafficmanager.net

arc.trafficmanager.net

IN CNAME

iris-de-prod-azsc-v2-frc.francecentral.cloudapp.azure.com

iris-de-prod-azsc-v2-frc.francecentral.cloudapp.azure.com

IN A

20.199.58.43
POST

https://api.gofile.io/accounts

msedge.exe

Remote address:

45.112.123.126:443

Request

POST /accounts HTTP/2.0
host: api.gofile.io
content-length: 2
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
content-type: text/plain;charset=UTF-8
accept: */*
origin: https://gofile.io
sec-fetch-site: same-site
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:03 GMT
content-type: application/json; charset=utf-8
access-control-allow-origin: https://gofile.io
access-control-allow-headers: Content-Type, Authorization
access-control-allow-methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
access-control-allow-credentials: true
content-security-policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: cross-origin
origin-agent-cluster: ?1
referrer-policy: no-referrer
strict-transport-security: max-age=15552000; includeSubDomains
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 0
etag: W/"b2-foV0XG4O9vEY2qgLb1rvvXURE7g"
content-encoding: gzip
OPTIONS

https://api.gofile.io/accounts/88822a03-5c9a-45c7-8d74-19be2118b992

msedge.exe

Remote address:

45.112.123.126:443

Request

OPTIONS /accounts/88822a03-5c9a-45c7-8d74-19be2118b992 HTTP/2.0
host: api.gofile.io
accept: */*
access-control-request-method: GET
access-control-request-headers: authorization
origin: https://gofile.io
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
sec-fetch-mode: cors
sec-fetch-site: same-site
sec-fetch-dest: empty
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:03 GMT
content-type: text/html; charset=utf-8
content-length: 8
access-control-allow-origin: https://gofile.io
access-control-allow-headers: Content-Type, Authorization
access-control-allow-methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
access-control-allow-credentials: true
content-security-policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: cross-origin
origin-agent-cluster: ?1
referrer-policy: no-referrer
strict-transport-security: max-age=15552000; includeSubDomains
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 0
allow: GET,HEAD
etag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
GET

https://api.gofile.io/accounts/88822a03-5c9a-45c7-8d74-19be2118b992

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /accounts/88822a03-5c9a-45c7-8d74-19be2118b992 HTTP/2.0
host: api.gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
dnt: 1
sec-ch-ua-mobile: ?0
authorization: Bearer LgnScntxO4UyVMPEmFet0GmvB4wPE40Y
accept: */*
origin: https://gofile.io
sec-fetch-site: same-site
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:03 GMT
content-type: application/json; charset=utf-8
access-control-allow-origin: https://gofile.io
access-control-allow-headers: Content-Type, Authorization
access-control-allow-methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
access-control-allow-credentials: true
content-security-policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: cross-origin
origin-agent-cluster: ?1
referrer-policy: no-referrer
strict-transport-security: max-age=15552000; includeSubDomains
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 0
etag: W/"129-JpdddqyFN1Qt7puD6Msmb2/1Fqg"
content-encoding: gzip
OPTIONS

https://api.gofile.io/contents/vg1Pjm?wt=4fd6sg89d7s6

msedge.exe

Remote address:

45.112.123.126:443

Request

OPTIONS /contents/vg1Pjm?wt=4fd6sg89d7s6 HTTP/2.0
host: api.gofile.io
accept: */*
access-control-request-method: GET
access-control-request-headers: authorization
origin: https://gofile.io
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
sec-fetch-mode: cors
sec-fetch-site: same-site
sec-fetch-dest: empty
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:04 GMT
content-type: text/html; charset=utf-8
content-length: 8
access-control-allow-origin: https://gofile.io
access-control-allow-headers: Content-Type, Authorization
access-control-allow-methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
access-control-allow-credentials: true
content-security-policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: cross-origin
origin-agent-cluster: ?1
referrer-policy: no-referrer
strict-transport-security: max-age=15552000; includeSubDomains
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 0
allow: GET,HEAD
etag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
GET

https://api.gofile.io/contents/vg1Pjm?wt=4fd6sg89d7s6

msedge.exe

Remote address:

45.112.123.126:443

Request

GET /contents/vg1Pjm?wt=4fd6sg89d7s6 HTTP/2.0
host: api.gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
dnt: 1
sec-ch-ua-mobile: ?0
authorization: Bearer LgnScntxO4UyVMPEmFet0GmvB4wPE40Y
accept: */*
origin: https://gofile.io
sec-fetch-site: same-site
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:04 GMT
content-type: application/json; charset=utf-8
access-control-allow-origin: https://gofile.io
access-control-allow-headers: Content-Type, Authorization
access-control-allow-methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
access-control-allow-credentials: true
content-security-policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: cross-origin
origin-agent-cluster: ?1
referrer-policy: no-referrer
strict-transport-security: max-age=15552000; includeSubDomains
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 0
etag: W/"322-c/rdQiOA0c1l4GVUuGkn7O/WkWw"
content-encoding: gzip
GET

https://s.gofile.io/js/script.js

msedge.exe

Remote address:

51.75.242.210:443

Request

GET /js/script.js HTTP/2.0
host: s.gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: */*
sec-fetch-site: same-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: accountToken=LgnScntxO4UyVMPEmFet0GmvB4wPE40Y

Response

HTTP/2.0 200

access-control-allow-origin: *
cache-control: public, max-age=86400, must-revalidate
content-type: application/javascript
cross-origin-resource-policy: cross-origin
date: Fri, 11 Oct 2024 06:04:04 GMT
server: Cowboy
x-content-type-options: nosniff
content-length: 1346
POST

https://s.gofile.io/api/event

msedge.exe

Remote address:

51.75.242.210:443

Request

POST /api/event HTTP/2.0
host: s.gofile.io
content-length: 74
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
content-type: text/plain
accept: */*
origin: https://gofile.io
sec-fetch-site: same-site
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 202

access-control-allow-credentials: true
access-control-allow-origin: *
access-control-expose-headers:
cache-control: max-age=0, private, must-revalidate
content-type: text/plain; charset=utf-8
date: Fri, 11 Oct 2024 06:04:04 GMT
server: Cowboy
x-request-id: F_1Qxk97Ub-wp2gk9K8E
content-length: 2
GET

https://ad.a-ads.com/2059298?size=300x250

msedge.exe

Remote address:

78.46.32.91:443

Request

GET /2059298?size=300x250 HTTP/2.0
host: ad.a-ads.com
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
sec-ch-ua-mobile: ?0
upgrade-insecure-requests: 1
dnt: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: cross-site
sec-fetch-mode: navigate
sec-fetch-dest: iframe
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx
date: Fri, 11 Oct 2024 06:04:04 GMT
content-type: text/html;charset=utf-8
vary: Accept-Encoding
vary: Accept-Encoding
status: 200 OK
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-powered-by: Phusion Passenger(R)
x-original-referer: https://gofile.io/
x-robots-tag: noindex, nofollow, nosnippet, noarchive
content-encoding: gzip
GET

https://static.a-ads.com/a-ads-banners/523915/300x250?region=eu-central-1

msedge.exe

Remote address:

148.251.233.147:443

Request

GET /a-ads-banners/523915/300x250?region=eu-central-1 HTTP/2.0
host: static.a-ads.com
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: same-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://ad.a-ads.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: nginx
date: Fri, 11 Oct 2024 06:04:05 GMT
content-type: image/gif
content-length: 486594
x-amz-id-2: 1EIXYZo/ho946L1VG/PpvX1vE7eU5KmDaHsp1F0DEpOKQuvGMHudy9lyK91k9K+wVka7cjAHtEo=
x-amz-request-id: EJ9JEXDN4KV7CHVE
x-amz-replication-status: COMPLETED
last-modified: Thu, 03 Oct 2024 08:04:14 GMT
etag: "a8494a1bdebcdefa9a5dabb427fb39f6"
x-amz-server-side-encryption: AES256
cache-control: max-age=315360000
x-amz-version-id: 5Ue8zG2U.Rs0HGJwH2nZIBgaAQEK4bCl
expires: Thu, 31 Dec 2037 23:55:55 GMT
accept-ranges: bytes
GET

https://store9.gofile.io/download/web/3dac5895-9340-470f-8544-6cea854238a4/Znyth_test.exe

msedge.exe

Remote address:

206.168.190.239:443

Request

GET /download/web/3dac5895-9340-470f-8544-6cea854238a4/Znyth_test.exe HTTP/2.0
host: store9.gofile.io
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Microsoft Edge";v="90"
sec-ch-ua-mobile: ?0
upgrade-insecure-requests: 1
dnt: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: same-site
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
referer: https://gofile.io/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: accountToken=LgnScntxO4UyVMPEmFet0GmvB4wPE40Y

Response

HTTP/2.0 200

server: nginx/1.27.1
date: Fri, 11 Oct 2024 06:04:13 GMT
content-type: application/x-ms-dos-executable
content-length: 16612445
accept-ranges: bytes
access-control-allow-headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
access-control-allow-methods: POST, GET, OPTIONS, PUT, DELETE
access-control-allow-origin: *
access-control-expose-headers: Cache-Control, Content-Encoding, Content-Range
content-disposition: attachment; filename*=UTF-8''Znyth_test.exe
last-modified: Fri, 11 Oct 2024 02:25:30 GMT
GET

https://geolocation-db.com/json

Znyth_test.exe

Remote address:

159.89.102.253:443

Request

GET /json HTTP/1.1
Host: geolocation-db.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Server: nginx/1.14.0 (Ubuntu)
Date: Fri, 11 Oct 2024 06:04:35 GMT
Content-Type: text/html
Content-Length: 194
Location: https://geolocation-db.com/json/
Connection: keep-alive
GET

https://geolocation-db.com/json/

Znyth_test.exe

Remote address:

159.89.102.253:443

Request

GET /json/ HTTP/1.1
Host: geolocation-db.com

Response

HTTP/1.1 200 OK

Server: nginx/1.14.0 (Ubuntu)
Date: Fri, 11 Oct 2024 06:04:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
GET

https://geolocation-db.com/json

Znyth_test.exe

Remote address:

159.89.102.253:443

Request

GET /json HTTP/1.1
Host: geolocation-db.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Server: nginx/1.14.0 (Ubuntu)
Date: Fri, 11 Oct 2024 06:04:45 GMT
Content-Type: text/html
Content-Length: 194
Location: https://geolocation-db.com/json/
Connection: keep-alive
GET

https://geolocation-db.com/json/

Znyth_test.exe

Remote address:

159.89.102.253:443

Request

GET /json/ HTTP/1.1
Host: geolocation-db.com

Response

HTTP/1.1 200 OK

Server: nginx/1.14.0 (Ubuntu)
Date: Fri, 11 Oct 2024 06:04:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
GET

https://geolocation-db.com/json

Znyth_test.exe

Remote address:

159.89.102.253:443

Request

GET /json HTTP/1.1
Host: geolocation-db.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Server: nginx/1.14.0 (Ubuntu)
Date: Fri, 11 Oct 2024 06:04:55 GMT
Content-Type: text/html
Content-Length: 194
Location: https://geolocation-db.com/json/
Connection: keep-alive
GET

https://geolocation-db.com/json/

Znyth_test.exe

Remote address:

159.89.102.253:443

Request

GET /json/ HTTP/1.1
Host: geolocation-db.com

Response

HTTP/1.1 200 OK

Server: nginx/1.14.0 (Ubuntu)
Date: Fri, 11 Oct 2024 06:04:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
GET

https://geolocation-db.com/json

Znyth_test.exe

Remote address:

159.89.102.253:443

Request

GET /json HTTP/1.1
Host: geolocation-db.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Server: nginx/1.14.0 (Ubuntu)
Date: Fri, 11 Oct 2024 06:05:09 GMT
Content-Type: text/html
Content-Length: 194
Location: https://geolocation-db.com/json/
Connection: keep-alive
GET

https://geolocation-db.com/json/

Znyth_test.exe

Remote address:

159.89.102.253:443

Request

GET /json/ HTTP/1.1
Host: geolocation-db.com

Response

HTTP/1.1 200 OK

Server: nginx/1.14.0 (Ubuntu)
Date: Fri, 11 Oct 2024 06:05:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *

45.112.123.126:443

gofile.io

tls

msedge.exe

989 B
4.5kB
9
8
45.112.123.126:443

https://gofile.io/contents/files.html

tls, http2

msedge.exe

12.2kB
479.3kB
209
375

HTTP Request

GET https://gofile.io/d/vg1Pjm

HTTP Response

200

HTTP Request

GET https://gofile.io/dist/css/bootstrap.min.css

HTTP Request

GET https://gofile.io/dist/css/bootstrap-icons.css

HTTP Request

GET https://gofile.io/dist/css/bootstrap-nightfall.css

HTTP Request

GET https://gofile.io/dist/css/plyr.css

HTTP Request

GET https://gofile.io/dist/css/allcss.css

HTTP Request

GET https://gofile.io/dist/js/bootstrap.bundle.min.js

HTTP Request

GET https://gofile.io/dist/js/sha256.min.js

HTTP Request

GET https://gofile.io/dist/js/qrcode.min.js

HTTP Request

GET https://gofile.io/dist/js/dayjs.min.js

HTTP Request

GET https://gofile.io/dist/js/customParseFormat.js

HTTP Request

GET https://gofile.io/dist/js/marked.min.js

HTTP Request

GET https://gofile.io/dist/js/plyr.js

HTTP Request

GET https://gofile.io/dist/js/chart.umd.min.js

HTTP Request

GET https://gofile.io/dist/js/alljs.js

HTTP Request

GET https://gofile.io/dist/img/logo-small-70.png

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://gofile.io/dist/css/fonts/bootstrap-icons.woff2?24e3eb84d0bcaf83d77f904c78ac1f47

HTTP Response

200

HTTP Request

GET https://gofile.io/dist/img/favicon96.png

HTTP Response

200

HTTP Request

GET https://gofile.io/dist/img/favicon32.png

HTTP Response

200

HTTP Request

GET https://gofile.io/dist/img/favicon16.png

HTTP Response

200

HTTP Request

GET https://gofile.io/contents/files.html

HTTP Response

200
45.112.123.126:443

https://api.gofile.io/contents/vg1Pjm?wt=4fd6sg89d7s6

tls, http2

msedge.exe

2.5kB
10.4kB
22
24

HTTP Request

POST https://api.gofile.io/accounts

HTTP Response

200

HTTP Request

OPTIONS https://api.gofile.io/accounts/88822a03-5c9a-45c7-8d74-19be2118b992

HTTP Response

200

HTTP Request

GET https://api.gofile.io/accounts/88822a03-5c9a-45c7-8d74-19be2118b992

HTTP Response

200

HTTP Request

OPTIONS https://api.gofile.io/contents/vg1Pjm?wt=4fd6sg89d7s6

HTTP Response

200

HTTP Request

GET https://api.gofile.io/contents/vg1Pjm?wt=4fd6sg89d7s6

HTTP Response

200
51.75.242.210:443

https://s.gofile.io/js/script.js

tls, http2

msedge.exe

2.4kB
6.3kB
18
17

HTTP Request

GET https://s.gofile.io/js/script.js

HTTP Response

200
51.75.242.210:443

https://s.gofile.io/api/event

tls, http2

msedge.exe

2.5kB
5.0kB
18
16

HTTP Request

POST https://s.gofile.io/api/event

HTTP Response

202
78.46.32.91:443

https://ad.a-ads.com/2059298?size=300x250

tls, http2

msedge.exe

2.0kB
12.0kB
18
21

HTTP Request

GET https://ad.a-ads.com/2059298?size=300x250

HTTP Response

200
148.251.233.147:443

https://static.a-ads.com/a-ads-banners/523915/300x250?region=eu-central-1

tls, http2

msedge.exe

12.5kB
508.7kB
239
376

HTTP Request

GET https://static.a-ads.com/a-ads-banners/523915/300x250?region=eu-central-1

HTTP Response

200
206.168.190.239:443

store9.gofile.io

tls, http2

msedge.exe

1.0kB
4.7kB
10
10
206.168.190.239:443

https://store9.gofile.io/download/web/3dac5895-9340-470f-8544-6cea854238a4/Znyth_test.exe

tls, http2

msedge.exe

674.2kB
17.3MB
10735
12440

HTTP Request

GET https://store9.gofile.io/download/web/3dac5895-9340-470f-8544-6cea854238a4/Znyth_test.exe

HTTP Response

200
162.159.134.234:443

gateway.discord.gg

tls

Znyth_test.exe

2.3kB
33.8kB
32
41
162.159.136.232:443

discord.com

tls

Znyth_test.exe

1.1kB
5.8kB
9
11
159.89.102.253:443

https://geolocation-db.com/json/

tls, http

Znyth_test.exe

941 B
4.5kB
9
10

HTTP Request

GET https://geolocation-db.com/json

HTTP Response

301

HTTP Request

GET https://geolocation-db.com/json/

HTTP Response

200
162.159.136.232:443

discord.com

tls

Znyth_test.exe

1.4kB
3.5kB
8
9
150.171.28.10:443

tse1.mm.bing.net

tls

1.6kB
7.3kB
17
15
150.171.28.10:443

tse1.mm.bing.net

tls

1.6kB
7.3kB
17
15
150.171.28.10:443

tse1.mm.bing.net

tls

1.6kB
7.3kB
17
15
150.171.28.10:443

tse1.mm.bing.net

tls

1.6kB
7.3kB
17
15
150.171.28.10:443

tse1.mm.bing.net

tls

146.6kB
4.2MB
3077
3073
162.159.134.234:443

gateway.discord.gg

tls

Znyth_test.exe

2.0kB
32.1kB
28
38
162.159.136.232:443

discord.com

tls

Znyth_test.exe

1.2kB
5.8kB
10
12
159.89.102.253:443

https://geolocation-db.com/json/

tls, http

Znyth_test.exe

941 B
4.5kB
9
10

HTTP Request

GET https://geolocation-db.com/json

HTTP Response

301

HTTP Request

GET https://geolocation-db.com/json/

HTTP Response

200
162.159.136.232:443

discord.com

tls

Znyth_test.exe

1.4kB
3.5kB
8
9
162.159.134.234:443

gateway.discord.gg

tls

Znyth_test.exe

2.0kB
30.6kB
27
36
162.159.136.232:443

discord.com

tls

Znyth_test.exe

1.2kB
5.8kB
10
12
159.89.102.253:443

https://geolocation-db.com/json/

tls, http

Znyth_test.exe

941 B
4.5kB
9
10

HTTP Request

GET https://geolocation-db.com/json

HTTP Response

301

HTTP Request

GET https://geolocation-db.com/json/

HTTP Response

200
162.159.136.232:443

discord.com

tls

Znyth_test.exe

1.4kB
3.6kB
9
11
127.0.0.1:50070

firefox.exe
34.149.97.1:443

firefox-api-proxy.cdn.mozilla.net

tls, http2

firefox.exe

1.4kB
4.1kB
9
8
127.0.0.1:50077

firefox.exe
162.159.136.232:443

discord.com

tls

Znyth_test.exe

1.4kB
3.5kB
9
10
162.159.136.234:443

gateway.discord.gg

tls

Znyth_test.exe

1.7kB
27.3kB
20
32
162.159.136.232:443

discord.com

tls

Znyth_test.exe

1.1kB
5.8kB
9
11
159.89.102.253:443

https://geolocation-db.com/json/

tls, http

Znyth_test.exe

941 B
4.5kB
9
10

HTTP Request

GET https://geolocation-db.com/json

HTTP Response

301

HTTP Request

GET https://geolocation-db.com/json/

HTTP Response

200
162.159.136.232:443

discord.com

tls

Znyth_test.exe

1.4kB
3.6kB
8
10
162.159.136.232:443

discord.com

tls

Znyth_test.exe

1.3kB
3.5kB
8
10
162.159.136.232:443

discord.com

tls

Znyth_test.exe

1.4kB
3.5kB
9
11
162.159.136.232:443

discord.com

tls

Znyth_test.exe

1.3kB
3.5kB
8
11

8.8.8.8:53

gofile.io

dns

msedge.exe

1.4kB
2.5kB
19
19

DNS Request

gofile.io

DNS Response

45.112.123.126

DNS Request

gofile.io

DNS Response

45.112.123.126

DNS Request

ctldl.windowsupdate.com

DNS Response

199.232.214.172

199.232.210.172

DNS Request

67.31.126.40.in-addr.arpa

DNS Request

172.214.232.199.in-addr.arpa

DNS Request

ad.a-ads.com

DNS Response

78.46.32.91

DNS Request

91.32.46.78.in-addr.arpa

DNS Request

static.a-ads.com

DNS Response

148.251.233.147

DNS Request

147.233.251.148.in-addr.arpa

DNS Request

gateway.discord.gg

DNS Response

162.159.134.234

162.159.133.234

162.159.136.234

162.159.130.234

162.159.135.234

DNS Request

geolocation-db.com

DNS Response

159.89.102.253

DNS Request

253.102.89.159.in-addr.arpa

DNS Request

10.28.171.150.in-addr.arpa

DNS Request

content-signature-2.cdn.mozilla.net

DNS Response

34.160.144.191

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

34.160.144.191

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

2600:1901:0:92a9::

DNS Request

shavar.prod.mozaws.net

DNS Request

5.161.26.52.in-addr.arpa

DNS Request

234.136.159.162.in-addr.arpa
8.8.8.8:53

126.123.112.45.in-addr.arpa

dns

998 B
2.0kB
14
14

DNS Request

126.123.112.45.in-addr.arpa

DNS Request

arc.msn.com

DNS Response

20.223.36.55

DNS Request

55.36.223.20.in-addr.arpa

DNS Request

fonts.gstatic.com

DNS Response

142.250.180.3

DNS Request

3.180.250.142.in-addr.arpa

DNS Request

239.190.168.206.in-addr.arpa

DNS Request

234.134.159.162.in-addr.arpa

DNS Request

arc.msn.com

DNS Response

20.199.58.43

DNS Request

43.58.199.20.in-addr.arpa

DNS Request

spocs.getpocket.com

DNS Response

34.117.188.166

DNS Request

prod.ads.prod.webservices.mozgcp.net

DNS Response

34.117.188.166

DNS Request

prod.ads.prod.webservices.mozgcp.net

DNS Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

DNS Response

34.149.97.1

DNS Request

arc.msn.com

DNS Response

20.199.58.43
224.0.0.251:5353

510 B
8
34.149.97.1:443

firefox-api-proxy.cdn.mozilla.net

https

firefox.exe

2.1kB
13.3kB
7
14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
b7fa5f5fd63bba25e10c7e4b4a218eea

SHA1
f29e2050ddd36a6603c9829114ead4c6f9438fae

SHA256
cdcfcd8b83d84d3e741c7621d49794f72ea56ef814ad1ff7fa5c63dd5edf695d

SHA512
1969ed3a70e5e7ea949a589503602b6380285338baa62d5e25c16d61dafc28a9374dca7fb3ed9305435e5b854dfe87cfc35daca3ec522277500dbfcd2ec47b90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
930B

MD5
0157b8b1360bb9e747407208e118d1b2

SHA1
24666758d5a498b9b1564bdf012b158ca7456de9

SHA256
974c755d97a136b59b287470f7ae088e264071c928cd1174b61f71f1b948b6b9

SHA512
242f36a2e2c4da0c7a7bd7bf199cb47755cf7c5c1643815d32b6912b6c86b66e85d7f997431ad4abde893981c55de2113dfe90a01fe0812b05f8f3690a466df4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
caf757870291bc62386e608b5119e78c

SHA1
0d187ddd92ecf05cd4a0268de510f879e8d0bc4c

SHA256
0d2c4874eade0f9ae2245400dfe7309f6397476258562a1e19a45602b5ad7106

SHA512
1338d7e6fc3067052f9c3d6696f59e8e95db76ff3045692cb1f39c36cf1938ec034c24b2e106c402a086885546f45eb2bcccd56ded7ea6df271829ccc53773b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d2aad8ce4df39e6eec559832facd060e

SHA1
d0f9f0377366ad92f3bc687de245af32953d62e2

SHA256
83b38f95676bfef5b4bad4f2a77b5eeec3bdb0142ceac2fa1bf47d0b9f00c26d

SHA512
ef53aef0a2590cb3c56023c1eab068d6ac53f97252cb9544879ead95d86a628dc6725476a6cc216c8a3dca3f8202a7b7ce8a9898f451b2bbca66235d08e00a60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
75d013b05867d39f9bfb4c93951ef5cd

SHA1
0b360174baea50f5d27b0aa7802665c80f65397d

SHA256
84de8cc4ececca580c19e330e7379bf680050b1c832dc640a91a93683b806d3a

SHA512
2a3936fc6cd2fa8ed08bde1d4b8cff9d85450c7f11e0d2304f6ce3acf3ba2fdc821f747aa21c787dc6cd8a32d2cbcb1868cfa3b01097e656da0f61fc5f4f831e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
65d94d8ac9f7d4acd781f633942bab0d

SHA1
fcf2a8ccf7dbfa2eb4c4fdf1fb8575abe6534b13

SHA256
da40279d4a0268c88349037ff49548b5d6cd4bc085df8ba4472138ef508eeff0

SHA512
453c3d2a86d76d665a27370892f85cd0022d8253faabf8150f5c67581b1e7bfc1673181fee262e5259f11f29e4ad2ad9952d7d9dc16c96b3074ddb00c63cbda1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
642d6cd95995e1783073f42964140bce

SHA1
13c4ed3ed2ddfbb680d544b07230cdea6ba51fc6

SHA256
f456e08f6111134b7f283507e4f82555a831047c87dc659d630a0daf08b39665

SHA512
243010e6b5e703030448354579ecded079a86e17f36f2aac4f168e687b4b7a7dcaf295caaf693ee5f797062d602b7499091983ea04c752efe6e7b00d1a57f393

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7e7ea89cc066fcb4642014456c9235d9

SHA1
86ef42610e1cbc41a531f24a187fd7b5f7213136

SHA256
9c0f1289c32d2b731c8ab5549918f8cfca1e0f40eab42a6cf2d05e8ea1150318

SHA512
3a6e7a0a136a51a2a3d89ffe9fcc1e4723e4ac52daf742d26ca606a8b91eaeddfea33dbc35f70907275876bc0c0ee059e863845f0eb216c5390806b1c1acfed3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e964e35caebe0f0f18004acab419edeb

SHA1
e1b7fb702a4b03cb6b783189cef277e48e67eb17

SHA256
f063a47005f7ac42c7ef47425b7d5a968260ae2b906c7acafdb0fe97b466b1d3

SHA512
83755a39aeeda156ca24592f1e77baf52eb108e4c59e0ce12645fe05e3be6f54a010d05563d57d07360e410e1d39fad229e76d832596c7c9b344f9db4fc1d936

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\maevrvll.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
24f3549058bc4bc9cdc7c14b7282d273

SHA1
31356e9c91c8a288a388fa705a5b815fb70c3613

SHA256
9775ad65bbc42c5296b40a44830aa8d3db72295ffe5638607793a583cafc1576

SHA512
cf31c167c1227958aaf2ba178e9fdc9fcbd07edd03236d8005331c9b0899b4971ba400206b448ae9e36d92e3fe3844426c2cfa5a76c8d6488021991f7716604f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
18ae794fc39a8f375bb0e5900f6c504d

SHA1
4dd1ab02d9624a0dc1318e772045428fd0789893

SHA256
817bf5d295f9f7717df13448beff55e2498ea81dcfd9942a0d5509415566327e

SHA512
2b0557fc1f9780e0e67b8fb948678b0fab380895033ac7adb621fdf5ba60c69039aada10f1b6ca425efc851ebb26d902035f260352d964bb12cfd6b34682a9c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\pending_pings\27443f66-b4e4-429d-b53a-dd81e229599f

Filesize
23KB

MD5
cb4a8197573344bbf715c54ee586f055

SHA1
41218a551d1cc43cc07614378424a9e10e143580

SHA256
a8d89bd053fa65c1dc13375e9364fe41766c8a243896051b40a61ec6b2e115a8

SHA512
e4c66c51e01a692c0ad8415e21424735cf7fc091db790e84d09706289b3e939ab204324982672bc5f1c64266ec78b122a5e475ae2cbdcbee5e58ae73895e13e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\pending_pings\95cd5a6a-6253-41f2-b332-3ee54ad450c3

Filesize
982B

MD5
c80ce87cb51d171c9358c43508988866

SHA1
2a1aa245887f015b2b5734d159d90ef64fa2fe22

SHA256
ced3b4bb8f24fd4c6d2232266f94a8ab7ca5d7ee8861bddef744f434dfdb890c

SHA512
1be3340af75e6cb92e860b535451e58855f74bf6152539b27ad06e912f945d0a2ece8273e86f8eabdfbe3f206e33ebfbae3b61daa795e8a2754b5a9a6404cc38

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\pending_pings\a4739695-9083-4d79-ab9b-71f2c617cdc3

Filesize
671B

MD5
0dc4bc82b112223332d7cb4ebd236883

SHA1
b9e407965d6e7ba10e750e885e82d9b81c732cde

SHA256
9c1983aaa9361b8fb2139eff207db1d4a26a2f8e1570545de2cac0ab805be780

SHA512
9ee3b78de7fb294ee983cc5eb22356bb60906ea7757a22e85b8d8be3c731f8683a1a84ca67e8a4d87d283ddbb4d059e663524816bf900b3b499198048e8a2637

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 955298.crdownload

Filesize
15.8MB

MD5
e8de17aa7b8d041a42d3be4d9bb8b818

SHA1
27ef5d751b40d8c5e280638f3085676d08d36c8e

SHA256
d9faa13bea96aa5342700b711d3ca59d77642fe4b063446664e56d6051a70775

SHA512
2bad9ad4d974db98a0adc2bb0098b34a130ce2cb920d2c0977aaf37490ebb74f416b86018b4b1a6c2a8be7555376b76644fd77d8aadefbdffe2ce260437083b4

Download Submit
C:\Users\Admin\Downloads\Znyth_test.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/3916-142-0x00000215524F0000-0x0000021552A18000-memory.dmp

Filesize
5.2MB

Download
memory/3916-141-0x0000021551BF0000-0x0000021551DB2000-memory.dmp

Filesize
1.8MB

Download
memory/3916-140-0x00000215374F0000-0x0000021537508000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response