Report - www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware

Report Overview

Submitted URL
www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
IP
63.35.51.142
ASN
#16509 AMAZON-02
Submitted
2024-05-07 08:14:24
Access
public
Website Title
Cobalt Strikes Again: An Analysis of Obfuscated Malware
Final URL
www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Tags
urlquery detections
No alerts detected

Detections

urlquery
0
Network Intrusion Detection
0
Threat Detection Systems
2

Domain Summary

Domain / FQDN	Rank	Registered	First Seen	Last Seen	Sent	Received	IP
js.hsadspixel.net	3795	2017-04-21	2017-07-25	2024-05-06	400 B	7.8 kB	104.17.223.152
js.driftt.com	5753	2013-10-31	2018-06-14	2024-05-06	1.5 kB	86 kB	54.230.111.73
region1.analytics.google.com	unknown	1997-09-15	2022-03-17	2024-05-05	848 B	447 B	216.239.32.36
bat.bing.com	387	1996-01-29	2014-04-08	2024-05-05	1.7 kB	19 kB	204.79.197.237
bootstrap.api.drift.com	6517	1995-04-15	2020-08-26	2024-03-25	1.2 kB	12 kB	3.94.218.138
a.quora.com	7568	2000-03-29	2017-05-08	2024-05-06	399 B	708 B	0.0.0.0
d3e54v103j8qbb.cloudfront.net	unknown	2008-04-25	2016-03-11	2024-05-06	499 B	31 kB	143.204.42.99
cdn.jsdelivr.net	439	2012-05-16	2012-09-30	2024-05-06	2.3 kB	26 kB	151.101.193.229
www.googletagmanager.com	75	2011-11-11	2013-05-22	2024-05-07	1.3 kB	306 kB	142.250.74.168
js.hsleadflows.net	4609	2017-01-23	2017-02-22	2024-05-06	437 B	91 kB	104.18.140.17
ipv6.6sc.co	unknown	2014-12-12	2022-05-05	2024-05-06	848 B	853 B	23.36.79.19
epsilon.6sense.com	14208	1998-07-17	2018-10-10	2024-05-06	1.1 kB	1.4 kB	13.248.142.121
www.huntress.com	unknown	1996-06-07	2015-05-14	2024-02-27	520 B	34 kB	52.17.119.105
b.6sc.co	6187	2014-12-12	2015-12-15	2024-05-05	45 kB	12 kB	95.101.10.131
www.google.no	25607	2001-02-26	2016-04-05	2024-05-06	595 B	578 B	142.250.74.163
tracking.g2crowd.com	9569	2012-08-20	2016-10-09	2024-05-03	521 B	2.5 kB	104.18.43.31
trk.techtarget.com	13348	1999-09-15	2019-03-03	2024-05-03	407 B	3.7 kB	104.18.36.196
tools.refokus.com	unknown	2016-10-31	2022-03-15	2024-04-23	428 B	1.3 kB	76.76.21.9
5092804-4.chat.api.drift.com	unknown	1995-04-15	2023-09-17	2024-02-28	1.7 kB	466 B	107.22.248.170
location.services.mozilla.com	6771	1994-10-18	2014-06-01	2024-05-06	379 B	529 B	44.240.56.209
www.redditstatic.com	1440	2011-11-09	2012-06-30	2024-05-06	892 B	13 kB	151.101.1.140
www.gstatic.com	unknown	2008-02-11	2016-07-26	2024-05-06	1.9 kB	260 kB	142.250.74.163
fonts.gstatic.com	unknown	2008-02-11	2014-09-09	2024-05-07	511 B	16 kB	216.58.207.227
j.6sc.co	8237	2014-12-12	2015-12-10	2024-05-06	1.7 kB	39 kB	95.101.10.131
js.hs-scripts.com	2571	2016-07-11	2016-08-09	2024-05-06	403 B	2.2 kB	104.16.140.209
huntresscdn.com	unknown	2022-05-21	2022-05-21	2024-02-28	458 B	115 kB	104.26.1.173
js.hscollectedforms.net	5697	2017-01-23	2017-03-02	2024-05-06	447 B	26 kB	104.16.109.254
js.hs-banner.com	2426	2020-03-09	2020-03-26	2024-05-06	1.5 kB	68 kB	104.18.34.229
www.google.com	7	1997-09-15	2015-05-10	2024-03-23	2.9 kB	76 kB	142.250.74.132
metrics.api.drift.com	6235	1995-04-15	2018-08-07	2024-05-03	1.8 kB	2.1 kB	3.94.218.138
hubspotonwebflow.com	unknown	2023-08-24	2023-08-24	2024-05-03	1.9 kB	123 kB	76.76.21.61
presence.api.drift.com	5901	1995-04-15	2019-04-22	2024-05-06	1.8 kB	466 B	54.85.240.191
forms.hscollectedforms.net	unknown	2017-01-23	2023-03-02	2024-05-06	516 B	1.0 kB	104.16.109.254
event.api.drift.com	7238	1995-04-15	2016-08-04	2024-05-06	1.5 kB	1.9 kB	3.94.218.138
js.zi-scripts.com	unknown	2022-08-23	2022-12-01	2024-05-06	1.6 kB	11 kB	172.64.150.44
assets.website-files.com	13552	2019-01-23	2020-11-01	2024-05-06	3.5 kB	155 kB	143.204.55.45
forms.hsforms.com	5160	2013-09-18	2018-03-07	2024-05-06	482 B	1.4 kB	104.19.175.188
google.com	1	1997-09-15	2013-10-02	2024-04-30	1.1 kB	887 B	142.250.74.142
rc-widget-frame.js.driftt.com	unknown	2013-10-31	2023-08-25	2024-03-25	32 kB	1.8 MB	143.204.55.14
cdn.neverbounce.com	118809	2014-05-19	2018-09-16	2024-04-23	421 B	50 kB	54.230.111.89
ibc-flow.techtarget.com	unknown	1999-09-15	2021-10-02	2024-04-26	1.3 kB	1.6 kB	34.111.208.231
api.neverbounce.com	63813	2014-05-19	2015-04-02	2024-03-08	999 B	720 B	44.218.103.148
assets-global.website-files.com	14027	2019-01-23	2020-11-01	2024-05-06	22 kB	7.9 MB	3.164.240.122
client-registry.mutinycdn.com	37253	2019-02-20	2019-02-28	2024-05-04	4.6 kB	106 kB	151.101.129.91
js.na.chilipiper.com	416345	2014-12-22	2021-10-08	2024-02-27	408 B	28 kB	34.111.224.162
q.quora.com	3239	2000-03-29	2017-05-08	2024-05-06	560 B	419 B	52.2.7.148
c.6sc.co	12150	2014-12-12	2017-01-30	2024-05-06	414 B	328 B	23.36.79.9

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

Scan Date	Severity	Indicator	Alert
2024-05-07	medium	www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

OpenPhish

No alerts detected

PhishTank

No alerts detected

mnemonic secure dns

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

JavaScript (104)

	URL	Size	First Seen	Last Seen
	www.googletagmanager.com/gtag/destination?id=AW-429191348&l=dataLayer&cx=c	259 kB	2024-05-07	2024-05-07
Pretty URL www.googletagmanager.com/gtag/destination?id=AW-429191348&l=dataLayer&cx=c IP 142.250.74.168 ASN #15169 GOOGLE Introduced by scriptElement Embedded in HTML false Observations First Seen2024-05-07 10:14:29 Last Seen2024-05-07 10:14:32 Times Seen2 Hash 45a091d668bb7bbb032c21efb1464cf0 3a2e54ec1e698d30e367df695e74d9efa2e74814 883de3f902f579344839e517be4d07f11f358a06d2225470d8b1934e372cc26e Loading...

	www.google.com/js/bg/tKcPQSh2okjZHiZ2jIssRExVWo45mlVHOakavsOpwK4.js	18 kB	2024-04-24	2024-05-07
Pretty URL www.google.com/js/bg/tKcPQSh2okjZHiZ2jIssRExVWo45mlVHOakavsOpwK4.js IP 142.250.74.132 ASN #15169 GOOGLE Introduced by scriptElement Embedded in HTML false Observations First Seen2024-04-24 19:40:38 Last Seen2024-05-07 15:06:47 Times Seen213 Hash 042afc8f6dd96d8a86aca2f6239682fa c2321f6ccc366638b53be030076f7ae3807f9d53 b4a70f412876a248d91e26768c8b2c444c555a8e399a554739a91abec3a9c0ae Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/27.3951aad8.chunk.js	68 kB	2023-03-13	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/27.3951aad8.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-03-13 23:12:26 Last Seen2024-05-18 13:43:59 Times Seen372 Hash 5b2b6d0508fe18c3efb6bcd6249fd4e1 90c9faf7b629842a0f3a7633bc5713d741c46578 e8e658c81a7ff92a6e0f9049ee3a8fc42082e8303abb6ed44c73361259cbdbae Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/11.639238ba.chunk.js	24 kB	2023-03-07	2024-05-19
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/11.639238ba.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-03-07 01:10:31 Last Seen2024-05-19 03:09:36 Times Seen2867 Hash 4049f38c00add1738dc4806148ff8829 0a631d2ccde970a13f60e147a5b5aeacb6a1b2e0 c501de88fbb90a445f1754a529bc772e7047071bf653c8c3f0330f7bb736d140 Loading...

	www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware	181 B	2023-03-07	2024-05-19
Pretty URL www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware IP 52.17.119.105 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML true Observations First Seen2023-03-07 01:17:43 Last Seen2024-05-19 15:28:30 Times Seen3985 Hash 0e9e3ad57abeefde87342864450cc232 4dc8676bf3417d597053d5f253fce034007f63da 9a37601d1f5a5f2fba3b000694d4bf5e035c606d5485dd94e2997cbe2efe5c26 Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/22.6b9a301a.chunk.js	33 kB	2023-06-21	2024-05-19
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/22.6b9a301a.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-06-21 17:17:08 Last Seen2024-05-19 03:09:40 Times Seen2856 Hash d8739a9fe9a3a42936f5cd86c8727494 4fb60ec9f1c4eff985c219bf24e4b1f340d62c97 8f0f8792237470ee661c6afc32ca68200dd74bcc0d544d0fd54c7777af362eae Loading...

	js.hs-banner.com/3911692.js	63 kB	2024-05-07	2024-05-18
Pretty URL js.hs-banner.com/3911692.js IP 104.18.34.229 ASN #13335 CLOUDFLARENET Introduced by scriptElement Embedded in HTML false Observations First Seen2024-05-07 10:14:29 Last Seen2024-05-18 13:43:59 Times Seen7 Hash 381b0631a0eece43d9975eebeac4018a c23697fb40287af31e1b9a0ed1159d1031cfdd26 0a7e62074b4311ed600655962e3217c9f2c33bd454457523a1d0fe36dfbb2207 Loading...

	cdn.jsdelivr.net/npm/@snowplow/browser-plugin-button-click-tracking@latest/dist/index.umd.min.js	4.7 kB	2024-05-07	2024-05-18
Pretty URL cdn.jsdelivr.net/npm/@snowplow/browser-plugin-button-click-tracking@latest/dist/index.umd.min.js IP 151.101.193.229 ASN #54113 FASTLY Introduced by scriptElement Embedded in HTML false Observations First Seen2024-05-07 10:14:29 Last Seen2024-05-18 13:43:57 Times Seen8 Hash 86484fef1159bbf2971dd71f048267c1 5c687fbb4a13ee14db6905dfd7a8635777cdd0e5 66110db15bc55fa902401f14c8f25083dd0f7cfde33de392631a20f77312d017 Loading...

	client-registry.mutinycdn.com/mutiny-client/2.5.3.4.js	72 kB	2024-04-17	2024-05-18
Pretty URL client-registry.mutinycdn.com/mutiny-client/2.5.3.4.js IP 151.101.129.91 ASN #54113 FASTLY Introduced by scriptElement Embedded in HTML false Observations First Seen2024-04-17 12:05:05 Last Seen2024-05-18 13:43:58 Times Seen86 Hash 5f57bd67579ac324b2166b4130a8cc07 3e1ffee3e8f84fbacf09de556e9e461e5c0a7ff3 a452d07f0c98afcb2e862689e43aebfe63d8ed39628cd0db9d1a5bf2490f535c Loading...

	js.hscollectedforms.net/collectedforms.js	70 kB	2024-04-11	2024-05-15
Pretty URL js.hscollectedforms.net/collectedforms.js IP 104.16.109.254 ASN #13335 CLOUDFLARENET Introduced by scriptElement Embedded in HTML false Observations First Seen2024-04-11 09:05:46 Last Seen2024-05-15 15:48:09 Times Seen518 Hash 020909a609cf986b4a8a88cfb577a8db b433b99760f44c8a494a5c13a07aa1a9933d0179 5c76dd89a767afd512ce6c6370424f39a632ebb736c16ac37952fbfd97575448 Loading...

	unknown	363 B	2023-09-19	2024-05-18
Pretty Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:55 Times Seen10 Hash ad64646893b12593ecba350b76999005 91dbce3edf4b1a407ad8240841d4845cffc6bae3 eadcf88955ddc3b05e047bfaa0a52e4c93e7898288695a33c9dd46b476648695 Loading...

	www.googletagmanager.com/gtag/js?id=G-GCTMBVFESS&l=dataLayer&cx=c	342 kB	2024-05-07	2024-05-07
Pretty URL www.googletagmanager.com/gtag/js?id=G-GCTMBVFESS&l=dataLayer&cx=c IP 142.250.74.168 ASN #15169 GOOGLE Introduced by scriptElement Embedded in HTML false Observations First Seen2024-05-07 10:14:30 Last Seen2024-05-07 10:14:32 Times Seen2 Hash 51a0cc148c57672669570f2b988e58dc c1359f77b8d687e7cd99adef75a7521387958100 241937498fc871398b3a053286dfb2b260cd628ecbf94f1eb5caeea67ad9e5c8 Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/20.8c21ea18.chunk.js	76 kB	2023-03-07	2024-05-19
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/20.8c21ea18.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-03-07 01:10:31 Last Seen2024-05-19 03:09:43 Times Seen2827 Hash 6d77a76055d81227033363af2f18caf8 b1b94517954f8f8889a0822886dea6f5ad7c931f 19473eebfb0672867a4438e2a015de79fded34b9f5ae5598bade57eb01cf0563 Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/8.5fdda827.chunk.js	83 kB	2023-09-19	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/8.5fdda827.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:58 Times Seen41 Hash f78079aaffe016efb8ec35b9fbb9f42f 4317f808cbf21ce975a0006c6590f5df07ea4d97 e523f47c65c171a685ca8f1bb0c0c432f4d71104fa56e8f6163126ec908cc430 Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/14.e24a6190.chunk.js	93 kB	2023-05-12	2024-05-19
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/14.e24a6190.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-05-12 15:12:42 Last Seen2024-05-19 03:09:43 Times Seen2810 Hash 16d7ae86e21434a32157d3226ac9bb77 6eaa4577efa2568aa7752b00aa42523bda14ca95 6c9c6406c9bd9814cf84974221433003377b67f071ec5411fddbcba4ec109bca Loading...

	www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware	342 B	2024-01-01	2024-05-18
Pretty URL www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware IP 52.17.119.105 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML true Observations First Seen2024-01-01 16:33:02 Last Seen2024-05-18 13:43:54 Times Seen8 Hash da689791dc85a5c7762fbb8a4828c6f3 276d0cedc04dc6c0c96dc1b7b37d1ea3b9448463 562ba329330d09d67a069b8c52bd03097371190c74c275985d94585ef11bf8c9 Loading...

	www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware	992 B	2024-05-07	2024-05-18
Pretty URL www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware IP 52.17.119.105 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML true Observations First Seen2024-05-07 10:14:30 Last Seen2024-05-18 13:43:54 Times Seen4 Hash ca7f367b396fcb8fa5ff7f65eb080a9a 7ae3e688e34c2dbf56c817bf19fcb09090889c36 e4ace02b6b9c05d11f01f133a927871e3ae0ad92b65454d0220958642adaf3f2 Loading...

	www.google.com/recaptcha/api2/bframe?hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC	0 B	2023-03-07	2024-05-19
Pretty URL www.google.com/recaptcha/api2/bframe?hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC IP 142.250.74.132 ASN #15169 GOOGLE Introduced by scriptElement Embedded in HTML true Observations First Seen2023-03-07 01:01:59 Last Seen2024-05-19 16:59:49 Times Seen37835067 Hash d41d8cd98f00b204e9800998ecf8427e da39a3ee5e6b4b0d3255bfef95601890afd80709 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Loading...

	unknown	422 B	2023-09-19	2024-05-18
Pretty Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:55 Times Seen10 Hash 423c3f935f7f867688e8b77bd0ddea44 63b63d631dc6822ae97c5b7069a511545acfc79c 134f4bba812811400c6f82d98f5fe6cf58b31302f81e9d89ce3ee4b0c7a546fa Loading...

	client-registry.mutinycdn.com/mutiny-client/10.5.3.4.js	7.4 kB	2024-04-17	2024-05-18
Pretty URL client-registry.mutinycdn.com/mutiny-client/10.5.3.4.js IP 151.101.129.91 ASN #54113 FASTLY Introduced by scriptElement Embedded in HTML false Observations First Seen2024-04-17 12:05:05 Last Seen2024-05-18 13:43:58 Times Seen77 Hash bddf673724f89eb17c70ebd53a364b80 6afcc24c0f65a3fafedaa9f16c83b4dc6e25d54a 904b9d920e3433f48ebf530b9588f34c066d1ec02b97a6e1f42a9abbd189df7b Loading...

	www.google.com/recaptcha/api2/anchor?ar=1&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC&co=aHR0cHM6Ly93d3cuaHVudHJlc3MuY29tOjQ0Mw..&hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&size=normal&cb=3ed4ifqylzve	69 B	2023-03-07	2024-05-19
Pretty URL www.google.com/recaptcha/api2/anchor?ar=1&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC&co=aHR0cHM6Ly93d3cuaHVudHJlc3MuY29tOjQ0Mw..&hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&size=normal&cb=3ed4ifqylzve IP 142.250.74.132 ASN #15169 GOOGLE Introduced by scriptElement Embedded in HTML true Observations First Seen2023-03-07 01:02:05 Last Seen2024-05-19 16:33:21 Times Seen102544 Hash 45ecf7458f42da80ac248ad42d610372 a5b3edf8328769bc754e6e616a957ceed4fdadd7 75867e75b209895995014b43c3d711476e3437481e5fbec91a4da674302558bf Loading...

	www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware	543 B	2023-09-25	2024-05-18
Pretty URL www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware IP 52.17.119.105 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML true Observations First Seen2023-09-25 12:31:06 Last Seen2024-05-18 13:43:54 Times Seen60 Hash 5399dd43dd397baf13ee8b78b9204444 54cc336b1c89323150babbf532818684b584992a 7a176bbe227f9f884b54a98c3331d8e9d73075fe993717006c942e45faf60ede Loading...

	www.gstatic.com/recaptcha/releases/V6_85qpc2Xf2sbe3xTnRte7m/recaptcha__en.js	518 kB	2024-04-24	2024-05-15
Pretty URL www.gstatic.com/recaptcha/releases/V6_85qpc2Xf2sbe3xTnRte7m/recaptcha__en.js IP 142.250.74.163 ASN #15169 GOOGLE Introduced by scriptElement Embedded in HTML false Observations First Seen2024-04-24 09:18:30 Last Seen2024-05-15 19:10:18 Times Seen9003 Hash e2e79d6b927169d9e0e57e3baecc0993 1299473950b2999ba0b7f39bd5e4a60eafd1819d 231336ed913a5ebd4445b85486e053caf2b81cab91318241375f3f7a245b6c6b Loading...

	client-registry.mutinycdn.com/mutiny-client/7.5.3.4.js	9.2 kB	2024-04-17	2024-05-16
Pretty URL client-registry.mutinycdn.com/mutiny-client/7.5.3.4.js IP 151.101.129.91 ASN #54113 FASTLY Introduced by scriptElement Embedded in HTML false Observations First Seen2024-04-17 12:05:06 Last Seen2024-05-16 20:41:14 Times Seen75 Hash 1cfc2f45f6b89c401b92e14faf2ef01a e6f789986829fcef1221683e1812ee7440971a96 b770b98513581b8a54e633d0021e3bcd3935f08d8e7b8fe6e56401891c7f73f8 Loading...

	www.google.com/recaptcha/api.js	850 B	2024-04-24	2024-05-08
Pretty URL www.google.com/recaptcha/api.js IP 142.250.74.132 ASN #15169 GOOGLE Introduced by scriptElement Embedded in HTML false Observations First Seen2024-04-24 09:35:35 Last Seen2024-05-08 15:55:32 Times Seen1408 Hash ee87fd4035a91d937ff13613982b4170 e897502e3a58c6be2b64da98474f0d405787f5f7 7649b605b4f35666df5cbcbb03597306d9215f53f61c2a097f085fa39af9859f Loading...

	trk.techtarget.com/tracking.js	2.9 kB	2023-03-09	2024-05-18
Pretty URL trk.techtarget.com/tracking.js IP 104.18.36.196 ASN #13335 CLOUDFLARENET Introduced by scriptElement Embedded in HTML false Observations First Seen2023-03-09 22:20:27 Last Seen2024-05-18 13:43:55 Times Seen821 Hash 192f5f35a1b38715e747a496882ad0ef 02240ea0229d970907903c825b1683cbd31e1b47 0c07b854855b0e2bd7839c3659defa45307e96e281b3c00571d09f213eb6a76e Loading...

	unknown	635 B	2024-02-04	2024-05-18
Pretty Introduced by scriptElement Embedded in HTML false Observations First Seen2024-02-04 10:09:01 Last Seen2024-05-18 13:43:55 Times Seen7 Hash 942a60fee7922102684687e4b48e998d 68f8e3440bc6130a594e383290ed3a42e184edde e4de49d6aad9682c1f8a34729f7784c6074e069f71f5e9a0da2d14895a93884c Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/57.28dde8ce.chunk.js	19 kB	2023-06-30	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/57.28dde8ce.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-06-30 10:47:08 Last Seen2024-05-18 13:43:59 Times Seen1959 Hash 3c4cd13822c0069a68e9f9c8240f5ba9 7028af5e8a39579afd06e0b945389608e5adc042 594d3ade307f6f48a5ef5143228b9da7c4e78589177ac70e91d31fe75ea83d60 Loading...

	client-registry.mutinycdn.com/mutiny-client/9.5.3.4.js	37 kB	2024-03-27	2024-05-18
Pretty URL client-registry.mutinycdn.com/mutiny-client/9.5.3.4.js IP 151.101.129.91 ASN #54113 FASTLY Introduced by scriptElement Embedded in HTML false Observations First Seen2024-03-27 01:59:41 Last Seen2024-05-18 13:43:58 Times Seen98 Hash 0f8515955a6446b73e42aae4ae97ae31 7e0bace557616aa54bead52ed670e96026dd2fc3 3c7a5808685fa3403acaf87c5dcda0bc93aa9c78680cdade5a4c646f987d5d6f Loading...

	a.quora.com/qevents.js	42 kB	2024-03-29	2024-05-19
Pretty URL a.quora.com/qevents.js IP 0.0.0.0 ASN #0 Introduced by scriptElement Embedded in HTML false Observations First Seen2024-03-29 14:56:27 Last Seen2024-05-19 14:01:36 Times Seen156 Hash 87b5ecaafd0e88097cbbb1bbb7695fe9 085d5b2112bb1afa26b03b94183b6eedc2f076b4 5af5ee0b37b1f0ef31c42932bbf81424e4bb53e95e87a47e058625c1af2245db Loading...

	www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware	649 B	2024-05-07	2024-05-09
Pretty URL www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware IP 52.17.119.105 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML true Observations First Seen2024-05-07 10:14:30 Last Seen2024-05-09 11:20:05 Times Seen3 Hash 8405fdd9099732668746bf11524c46a0 0e63327d05d128671e77478de4ca72e5c53ece77 6779328ca685139420ad950a4ea4c0420d752f5244509420fe2c248e500b194a Loading...

	client-registry.mutinycdn.com/mutiny-client/6.5.3.4.js	15 kB	2024-04-16	2024-05-16
Pretty URL client-registry.mutinycdn.com/mutiny-client/6.5.3.4.js IP 151.101.129.91 ASN #54113 FASTLY Introduced by scriptElement Embedded in HTML false Observations First Seen2024-04-16 13:55:53 Last Seen2024-05-16 20:41:14 Times Seen84 Hash d29de80cf4363fd641e6bb8c9576f803 72ec319bdbaaeb56e58341dc0859a7f4d86b43ff 870a0d4eda0b78ce739a6557840ab097d1a7464f0c5d3638cc2b862ead8505aa Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/41.b4fc4de2.chunk.js	26 kB	2023-05-12	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/41.b4fc4de2.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-05-12 15:12:42 Last Seen2024-05-18 13:43:59 Times Seen2472 Hash a2ace4f65aa7b34dedb884f6cfe9df8d 6cd6950446b7701a27180647e2dbb74bb90509d4 edf1011ad272d21b66ae82a21a9d029186dc81c9f13972203fc3107f75835d4b Loading...

	j.6sc.co/j/8769192b-20ba-4df2-8d62-2740a805c3e8.js	1.0 kB	2024-05-07	2024-05-18
Pretty URL j.6sc.co/j/8769192b-20ba-4df2-8d62-2740a805c3e8.js IP 95.101.10.131 ASN #20940 Akamai International B.V. Introduced by scriptElement Embedded in HTML false Observations First Seen2024-05-07 10:14:30 Last Seen2024-05-18 13:43:57 Times Seen8 Hash 924fd1c8fe1063b3e4acf99764018260 b4c300cd2740481bb90d78d416129e1d51c7eae5 f143cdd47f943dca511fec190f6f8dc72123af1a03b0acc0b85006d3827469db Loading...

	www.googletagmanager.com/gtm.js?id=GTM-TXRTDGW4	344 kB	2024-05-07	2024-05-07
Pretty URL www.googletagmanager.com/gtm.js?id=GTM-TXRTDGW4 IP 142.250.74.168 ASN #15169 GOOGLE Introduced by scriptElement Embedded in HTML false Observations First Seen2024-05-07 10:14:30 Last Seen2024-05-07 10:14:32 Times Seen2 Hash 327a6b18b895968fbf2a57b251e2f2f7 2ceefa0d5e23a8999604439be35177705f4e4bae d8f066922ed924dd699b32fa3d3029b7a6e1892d6516e3866bb1dde142eb254b Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/19.6f85b843.chunk.js	17 kB	2023-05-12	2024-05-19
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/19.6f85b843.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-05-12 15:12:42 Last Seen2024-05-19 03:09:36 Times Seen2802 Hash e28ebc3391b56e8f01ea063dc089e9d3 d0eb0eddb70199db3533f492e7f2e22be890a1fa afbd41e7209fa3aef6f53c7a5713aa542a7be54c432fec2d690e0dfaccd528d1 Loading...

	js.zi-scripts.com/zi-tag.js	9.5 kB	2024-05-02	2024-05-15
Pretty URL js.zi-scripts.com/zi-tag.js IP 172.64.150.44 ASN #13335 CLOUDFLARENET Introduced by scriptElement Embedded in HTML false Observations First Seen2024-05-02 15:21:04 Last Seen2024-05-15 05:38:36 Times Seen91 Hash 8c204aa84fdf9cdf3edc033589ee81ca 1822e8cb3856f0aa994c454fde8607c150983ce0 a4af0b01450048bffd9bb79f9ab3f23695ce50aca800091d3394d69096ca45d6 Loading...

	d3e54v103j8qbb.cloudfront.net/js/jquery-3.5.1.min.dc5e7f18c8.js?site=6579dd0b5f9a54376d296915	90 kB	2023-03-07	2024-05-19
Pretty URL d3e54v103j8qbb.cloudfront.net/js/jquery-3.5.1.min.dc5e7f18c8.js?site=6579dd0b5f9a54376d296915 IP 143.204.42.99 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-03-07 01:02:01 Last Seen2024-05-19 16:56:45 Times Seen145586 Hash dc5e7f18c8d36ac1d3d4753a87c98d0a c8e1c8b386dc5b7a9184c763c88d19a346eb3342 f7f6a5894f1d19ddad6fa392b2ece2c5e578cbf7da4ea805b6885eb6985b6e3d Loading...

	www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware	739 B	2024-05-07	2024-05-18
Pretty URL www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware IP 52.17.119.105 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML true Observations First Seen2024-05-07 10:14:30 Last Seen2024-05-18 13:43:54 Times Seen4 Hash 0c2dca992f1193a59bc37219f8c79f48 4c7bd18550ada06862273c6fb46059b7dc4dd6ed 450b4ba61409da5a80b3e42f359f6e08b22f8ace4634cc3804bcee4b6a71c2e2 Loading...

	www.redditstatic.com/ads/pixel.js	39 kB	2024-04-24	2024-05-07
Pretty URL www.redditstatic.com/ads/pixel.js IP 151.101.1.140 ASN #54113 FASTLY Introduced by scriptElement Embedded in HTML false Observations First Seen2024-04-24 19:57:30 Last Seen2024-05-07 17:29:52 Times Seen208 Hash b1de5a83f25d164f24b470c022d2a356 56b8a2b55612b3b4b8dbb4b550f1cd4e72d930dd 57bd3463acfad02c222f7beac208f69df5507f7de42fa38b18a1e1e48df2a44a Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/21.b8c41db9.chunk.js	17 kB	2023-03-07	2024-05-19
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/21.b8c41db9.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-03-07 01:10:31 Last Seen2024-05-19 03:09:38 Times Seen2980 Hash 65e5c965272e021ae33ff8bc39565ef5 c5a2c0cdf9c821b6ee43a1eeb52680ffeea15557 b84595cc8461bb6e8376fe94f0dd23d6657172103b03653534089c5992b058a1 Loading...

	js.na.chilipiper.com/marketing.js	74 kB	2023-09-25	2024-05-18
Pretty URL js.na.chilipiper.com/marketing.js IP 34.111.224.162 ASN #396982 GOOGLE-CLOUD-PLATFORM Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-25 16:58:13 Last Seen2024-05-18 13:43:57 Times Seen38 Hash d9ecfe9851e1570bcf308fd56d5dee0b 55f88395bd0304dac4b9c545ab37de48617403a6 02c65a6d1cdc752f31b0be2157d9c6f65e72c7f3e781eea941bd848caf8a332e Loading...

	client-registry.mutinycdn.com/mutiny-client/4.5.3.4.js	7.6 kB	2024-04-17	2024-05-18
Pretty URL client-registry.mutinycdn.com/mutiny-client/4.5.3.4.js IP 151.101.129.91 ASN #54113 FASTLY Introduced by scriptElement Embedded in HTML false Observations First Seen2024-04-17 12:05:05 Last Seen2024-05-18 13:43:57 Times Seen80 Hash 4862c87e0df637869c7df8395202758f 982882b772a55b79664fc4cd4c5f959a21486dca c305db8bbf0452e04ae20e49774fcec074d4cd90b456c2c968ba558a396119dc Loading...

	client-registry.mutinycdn.com/mutiny-client/1.5.3.4.js	116 kB	2024-04-30	2024-05-16
Pretty URL client-registry.mutinycdn.com/mutiny-client/1.5.3.4.js IP 151.101.129.91 ASN #54113 FASTLY Introduced by scriptElement Embedded in HTML false Observations First Seen2024-04-30 16:48:29 Last Seen2024-05-16 20:41:14 Times Seen65 Hash eac830092663999c2be3f3efb0da7689 91c8dc54ded93e33a760383d788a6f52bb6846f6 6de536a2362cbe38a4f6e689f19e6727169ff98108d2a2bdaabe2a8a0fb3b358 Loading...

	j.6sc.co/6si.min.js	67 kB	2024-04-26	2024-05-08
Pretty URL j.6sc.co/6si.min.js IP 95.101.10.131 ASN #20940 Akamai International B.V. Introduced by scriptElement Embedded in HTML false Observations First Seen2024-04-26 09:42:45 Last Seen2024-05-08 16:39:12 Times Seen101 Hash bf231eb780489fffea00aef444500b14 f0d4603fa4441a3cf3773efffbda309001c579b0 95ef911fcf12dfe0a1fb5b17a3b24fa81c6b07b102b435949b06e7e124de51cb Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/29.31d09948.chunk.js	13 kB	2023-05-12	2024-05-19
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/29.31d09948.chunk.js IP 0.0.0.0 ASN #0 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-05-12 15:12:41 Last Seen2024-05-19 03:09:38 Times Seen2897 Hash 455157cb49065fb85fed54901ddaeb0e 248d056b36813ae68a2179df92860e07cecd7a34 7641f066c35d0ca15d4897bfe49d640ed4c143ff8f04030c2020cbb2acfa7b0b Loading...

	www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware	2.3 kB	2024-05-07	2024-05-18
Pretty URL www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware IP 52.17.119.105 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML true Observations First Seen2024-05-07 10:14:30 Last Seen2024-05-18 13:43:55 Times Seen4 Hash ac0deb3ff1fd6bd0221e7791f90952b8 148e6f1c34b7700b262eb30df95a68ba9c83879a 380d162cf9cfbe2228749c6c93b6805fd57542eca18e09bc4b88a66a0d72dc1d Loading...

	cdn.jsdelivr.net/npm/medium-zoom@1.0.3/dist/medium-zoom.min.js	9.2 kB	2024-02-04	2024-05-18
Pretty URL cdn.jsdelivr.net/npm/medium-zoom@1.0.3/dist/medium-zoom.min.js IP 151.101.193.229 ASN #54113 FASTLY Introduced by scriptElement Embedded in HTML false Observations First Seen2024-02-04 10:09:00 Last Seen2024-05-18 13:43:57 Times Seen12 Hash 44a7121c73792eb5d3490f4f25d0ae8f e5c93d914c5df0082507ed708f56aa021fef2c3b 89aa43cb2db8717165e898b18806ad757585f8815f9f514bb0afbd3c390def95 Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/34.4924e4bf.chunk.js	27 kB	2023-09-19	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/34.4924e4bf.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:58 Times Seen40 Hash 2a9499a40949c70c9c00081b06639cb0 c30abc7c92ba97be5e84f4aa4b5cde054968cfce 15736c00b563c558ec1e7d531c0d8bd7d8cc24c2026adbc2dcf0ccd3e48f7d65 Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/24.24e43c3b.chunk.js	51 kB	2023-09-19	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/24.24e43c3b.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:58 Times Seen41 Hash 390d4b78f4c738295b7974aca941d031 9d5fc5e50d9c16cc2223acefeaba36df18aab90a eb6ce397310855bbef74043afcdda989653ad7b7b385191e8c8d622eee74b367 Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/49.f7274268.chunk.js	107 kB	2023-05-12	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/49.f7274268.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-05-12 15:12:42 Last Seen2024-05-18 13:43:59 Times Seen2445 Hash e268d36b98f0119a2bb1a15f69fd4ffe 34b0337e983a1c5d46bb4ed4f7876d8aa0557235 6861a320271e0fda832800e20d53b858ef409f88d9bc9c1a48953888289d1ea3 Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/51.558be3c5.chunk.js	24 kB	2023-05-12	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/51.558be3c5.chunk.js IP 0.0.0.0 ASN #0 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-05-12 15:12:42 Last Seen2024-05-18 13:43:59 Times Seen2571 Hash fa281fcbe4b2e35558d60fae3e316367 79223cdc8e803df8aa51004853244a314d9736ad b0af909b7ae6ad2644bfe2a60d939092aaf113b2cbc4ed2981a892869143b98a Loading...

	www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware	899 B	2024-02-04	2024-05-18
Pretty URL www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware IP 52.17.119.105 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML true Observations First Seen2024-02-04 10:09:01 Last Seen2024-05-18 13:43:55 Times Seen7 Hash d925c1fc740e84e01cc957d3f18e3445 0ee6c7e9c1901f3a44c39f1edacf8d479ba48130 8c0dafe61b53a702f21cf41710b98181f6fcb98ed5b1ad4abb2ff0b3982464ec Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/main~493df0b3.91dc5a14.chunk.js	7.2 kB	2023-09-19	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/main~493df0b3.91dc5a14.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:55 Times Seen24 Hash c11c9776fa434757756e10e6ded61c75 3ac45bf30b0ab52a7c03d4abb6e9cf6c68f7c000 1ce5bbfddabe83a619dffbd897ac79e94ca961f04cf463583a421a22f5329938 Loading...

	js.driftt.com/include/1715069700000/5d3cypit2iz8.js	217 kB	2023-09-19	2024-05-18
Pretty URL js.driftt.com/include/1715069700000/5d3cypit2iz8.js IP 54.230.111.73 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:58 Times Seen36 Hash 576cdc1c0941a520c47b54aef3b463f7 ef5e25a2db24d0020d6528b56bc3b43936b7af1d 93a2fd82dd3a13a9e9ce0583f3bde1b6e88da6ebce30fa8c87cee4d9d927e4d2 Loading...

	tracking.g2crowd.com/attribution_tracking/conversions/1006267.js?p=https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware&e=	958 B	2023-11-03	2024-05-09
Pretty URL tracking.g2crowd.com/attribution_tracking/conversions/1006267.js?p=https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware&e= IP 104.18.43.31 ASN #13335 CLOUDFLARENET Introduced by scriptElement Embedded in HTML false Observations First Seen2023-11-03 09:13:01 Last Seen2024-05-09 11:20:04 Times Seen8 Hash 26f1f5cdfd9a16fc03b43ebc31e9b04f 982feb674ac7366f4bc47b4ee5728f85274c6a87 14c59924cdca7796d9578872e6933998297b41cb0a2951ccaf7de4bd7cf921ff Loading...

	api.neverbounce.com/v4/poe/notify?key=public_0e95e4405380cdd75d8aa57fca3692dc&event=form.load&callback=__neverbounce_88949	62 B	2024-05-07	2024-05-07
Pretty URL api.neverbounce.com/v4/poe/notify?key=public_0e95e4405380cdd75d8aa57fca3692dc&event=form.load&callback=__neverbounce_88949 IP 44.218.103.148 ASN #14618 AMAZON-AES Introduced by scriptElement Embedded in HTML false Observations First Seen2024-05-07 10:14:30 Last Seen2024-05-07 10:14:30 Times Seen1 Hash 0ab68a0d466aa626f2f23cb75922ed92 3cf3a5cd8dbe1ed756aa990d79fb28d083746024 9000e2c53fb4c30a1d05f211dabcf3dad66461beb803f56ca00c07aa339d2c3b Loading...

	www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware	7.5 kB	2024-03-28	2024-05-18
Pretty URL www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware IP 52.17.119.105 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML true Observations First Seen2024-03-28 14:51:45 Last Seen2024-05-18 13:43:55 Times Seen5 Hash 10b2e7c6c5017d1cf2971b114a2cb44d 36fe244f9a972133fea0229d11b396b2c1314412 8f5c7cc1a3aa2b696c047c69236d477640f9cd3e41790fa5234d35596b643900 Loading...

	cdn.jsdelivr.net/npm/@finsweet/attributes-richtext@1/richtext.js	8.5 kB	2023-05-24	2024-05-18
Pretty URL cdn.jsdelivr.net/npm/@finsweet/attributes-richtext@1/richtext.js IP 151.101.193.229 ASN #54113 FASTLY Introduced by scriptElement Embedded in HTML false Observations First Seen2023-05-24 02:55:14 Last Seen2024-05-18 13:43:57 Times Seen35 Hash 10fb79a20b31843bd41eada7ff576ab7 238d6ffa8ab8e372cf401e9a3ea322976eeaf506 2c699eb55ae3fe61b3d783c8936ab1eb949c596a5c89118f703e328ede2b8308 Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/4.36582b8b.chunk.js	55 kB	2023-09-19	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/4.36582b8b.chunk.js IP 0.0.0.0 ASN #0 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:59 Times Seen39 Hash eb4f4fdfa625f5036ae2538950af438e 84368c678066063c07f3b8ca2eda0cf8a4788f77 6a6a06c6f8fb209f9e92af2bb5ed0c0d0e767211a1a92e631e1d0ce056488387 Loading...

	js.hs-scripts.com/3911692.js	2.9 kB	2024-05-07	2024-05-07
Pretty URL js.hs-scripts.com/3911692.js IP 104.16.140.209 ASN #13335 CLOUDFLARENET Introduced by scriptElement Embedded in HTML false Observations First Seen2024-05-07 10:14:30 Last Seen2024-05-07 10:14:32 Times Seen2 Hash 6dcc4481754d4bd036b534742902119f 36fa30a6a3b686531978f1be8224b02fac2e78af 340c7e135aca4964cf3542da8cbb80c5e911a068cb0b47b700e257ebf678ab50 Loading...

	unknown	232 B	2024-02-24	2024-05-18
Pretty Introduced by scriptElement Embedded in HTML false Observations First Seen2024-02-24 10:09:20 Last Seen2024-05-18 13:43:53 Times Seen6 Hash 86cd11c7233da36ffcff13d396bd5868 1856c22c293f91311911ff38fa7bcdef9058ac2a ae20a0e63fb7d9fae60ff67899289b65ee94272e56c24abcc79ecf1bf9549d02 Loading...

	unknown	398 B	2023-09-19	2024-05-18
Pretty Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:55 Times Seen10 Hash 77b0943b2690165ec3a8bb042b7f1907 5528d9d1f999318d084e6b23c1058ed91b5303dd 46ec5178eb676091b85630b642df0108e9b700a2e810088504b08ff529b35b95 Loading...

	bat.bing.com/bat.js	46 kB	2024-03-01	2024-05-19
Pretty URL bat.bing.com/bat.js IP 204.79.197.237 ASN #8068 MICROSOFT-CORP-MSN-AS-BLOCK Introduced by scriptElement Embedded in HTML false Observations First Seen2024-03-01 02:46:32 Last Seen2024-05-19 16:51:06 Times Seen6717 Hash 72bca04fd669eb89fc65d59052d0fc00 27e60aef86f0cb1b2f6b6ed9df9a4e3ba88efd21 823804a7807864b44093a3843788f4cd076e89cf4a6fdeb8d153ae5c2c2df721 Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/26.69219246.chunk.js	16 kB	2023-09-19	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/26.69219246.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:56 Times Seen44 Hash c41c7243f45ea540e99a3256f4942432 4a6ca42e84579ccf2be93cdf1f695cab9e845789 d674a115404e8d29a650437584421bd9d7ec57c4d43fe3e0a09adc080d521c44 Loading...

	unknown	327 B	2024-01-01	2024-05-18
Pretty Introduced by scriptElement Embedded in HTML false Observations First Seen2024-01-01 16:33:04 Last Seen2024-05-18 13:43:55 Times Seen8 Hash a0d9106cbecce23eaa3a76c6f39bb3ea 380396fcdf3739033c27cc18ac7cf4a2eab319be 3cd7982d2dd864bbe55d19e90aff12172fd6c77df35e7eef18cdb0676c59c4c4 Loading...

	www.google.com/recaptcha/api2/anchor?ar=1&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC&co=aHR0cHM6Ly93d3cuaHVudHJlc3MuY29tOjQ0Mw..&hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&size=normal&cb=3ed4ifqylzve	37 kB	2024-05-07	2024-05-07
Pretty URL www.google.com/recaptcha/api2/anchor?ar=1&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC&co=aHR0cHM6Ly93d3cuaHVudHJlc3MuY29tOjQ0Mw..&hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&size=normal&cb=3ed4ifqylzve IP 142.250.74.132 ASN #15169 GOOGLE Introduced by scriptElement Embedded in HTML true Observations First Seen2024-05-07 10:14:30 Last Seen2024-05-07 10:14:30 Times Seen1 Hash b8d3650c9bfcbb956d61e2df25a5c43b b7226c4aa53103d98d256764ebc7be37f530867d b65714c9e781e8bd05814d99c314aa33fb784916c5e20e3fef4de5cf2994cf6a Loading...

	js.hs-scripts.com/3911692.js	3.0 kB	2024-05-07	2024-05-07
Pretty URL js.hs-scripts.com/3911692.js IP 104.16.140.209 ASN #13335 CLOUDFLARENET Introduced by scriptElement Embedded in HTML false Observations First Seen2024-05-07 10:14:30 Last Seen2024-05-07 10:14:30 Times Seen1 Hash 1d45e4b4a1b38f28dbef3879ea98d521 dc1c1da337a7c97a9389138f76191b35955330ab 22ba2eb267abe1528d423035c4a0d989199e50ae03e6281e185aaec71f20bfdb Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/runtime~main.23dacaf3.js	6.1 kB	2023-09-19	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/runtime~main.23dacaf3.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:54 Times Seen24 Hash 7bebf8444c728503329344c5817cc4e6 d23975dc76a1b449861521a762210b86c292a6ea 7573e5629fdd86c1b9715e81fd55e01c7cf7febbfc3562f5acbb757c0d4cce64 Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/18.9c1bd1fb.chunk.js	64 kB	2023-05-12	2024-05-19
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/18.9c1bd1fb.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-05-12 15:12:41 Last Seen2024-05-19 03:09:36 Times Seen2877 Hash 02f09379c544befa413d22eb57ed41de 156ff3fbf28d890eb0f79754e436ac3a66b3de24 e555f4b34b579e6528d6bbd4819620a634c0759b41dfa99520b7ca5aa5117b11 Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/40.31ef8dbf.chunk.js	12 kB	2023-05-12	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/40.31ef8dbf.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-05-12 15:12:42 Last Seen2024-05-18 13:43:54 Times Seen2524 Hash b0793fa46e8c0ae1846b7be8a833da35 5c97555ff1e0b97829e7f1d054b44f6c55b5ae97 bba54915db71fc417be4d5852ec7d138d7c3fa90356ddee98b5267a7db7e6b5b Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/28.7257241a.chunk.js	50 kB	2023-09-19	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/28.7257241a.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:59 Times Seen43 Hash e737f53b0791dac4c523770b4992131c b5481823dc0043f54142a2b68fadee0c4c6075e6 f4d1dc5e2bebcc6c035e733b5586f308c032e377d490d733835fbc1fb0e5d979 Loading...

	unknown	316 B	2023-09-19	2024-05-18
Pretty Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:56 Times Seen9 Hash 34e9549bc7cfafa55d8af55c4ef1c156 70914adb2fec987d400becd6703d56d2c72c7c29 7eb5859e8f2434fb72ad2f14d83303f36441d5fbb67033f7f6aa6246ccb00046 Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/9.4a3e9801.chunk.js	36 kB	2023-03-13	2024-05-19
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/9.4a3e9801.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-03-13 08:43:52 Last Seen2024-05-19 03:09:43 Times Seen2788 Hash c6f58dd3d60f07462254b842dd4f9ca1 62c507fc6cc05f9732bcd5c593f3d8d0e0a3d7e2 2a8a441d8086f20a64563edc759aba1de84d932e34ff77b8bb0279a730cdb428 Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/0.0b2ebd4a.chunk.js	8.8 kB	2023-03-07	2024-05-19
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/0.0b2ebd4a.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-03-07 01:10:31 Last Seen2024-05-19 03:09:37 Times Seen1575 Hash c5efcdc9e465604f32cf24af10fd6c13 20fb642d2bfa7b5593ccf14aa11fff2ccc3e8df8 862bae5c822d87db86d0b893f474177ca1d9a51309354f12cc0ab85cd9bd9cf7 Loading...

	www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware	2.4 kB	2024-05-07	2024-05-18
Pretty URL www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware IP 52.17.119.105 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML true Observations First Seen2024-05-07 10:14:31 Last Seen2024-05-18 13:43:55 Times Seen4 Hash b276130a90ab14ecb4f9adb83567cd04 3774c265f3c1fd3b97f931d4f7405c75d88a51a2 9d3450f80fbdb90424226772fb752965cd0a7f78be31c21c9c0d5c8c3d3b7768 Loading...

	www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware	300 B	2024-03-28	2024-05-18
Pretty URL www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware IP 52.17.119.105 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML true Observations First Seen2024-03-28 14:51:46 Last Seen2024-05-18 13:43:56 Times Seen5 Hash a9c70f5cd8790a7dbf0876942ee39ac5 a05e0a537f4b4a9e76039e87bc03a74117f297aa 351c969f2edff66a877dc8b58c5fbf036b77f93c15c5928bd1a777ed2b0b1fa1 Loading...

	tools.refokus.com/rich-text-enhancer/bundle.v1.0.0.js	1.7 kB	2023-03-07	2024-05-18
Pretty URL tools.refokus.com/rich-text-enhancer/bundle.v1.0.0.js IP 76.76.21.9 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-03-07 01:17:43 Last Seen2024-05-18 13:43:53 Times Seen12 Hash bfd9ff53d0c1baa43dbb0f44751f23e9 adae49e91e0e5515f82bd9a5fa211f551518e607 a577cc713533d7a1edbc5186c3f7b8788bbf317a857111150778d6a617220cec Loading...

	www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware	1.7 kB	2024-01-01	2024-05-18
Pretty URL www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware IP 52.17.119.105 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML true Observations First Seen2024-01-01 16:33:04 Last Seen2024-05-18 13:43:56 Times Seen7 Hash 6a5783e4b038cbc78c9bbece2cc2173d 062636e3b7729ea5eb400cd9fc4d0e20a375c368 91712237c1eea7987190fec1df560eee743d96dc6fc7c7aba3003d67dffe5096 Loading...

	www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware	455 B	2024-02-04	2024-05-18
Pretty URL www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware IP 52.17.119.105 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML true Observations First Seen2024-02-04 10:09:01 Last Seen2024-05-18 13:43:56 Times Seen6 Hash 29392cf308db79916d0eefd25684a4f9 3dcd5f44803e86355424a507de6202b3bbdf6874 564053dbef56d49e2bd7e104c453695a3474f0523572339a6de0220997d84593 Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/3.bbe0e1fa.chunk.js	24 kB	2023-09-19	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/3.bbe0e1fa.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:59 Times Seen43 Hash b394f9cf6fe473cdb6852b332234aa52 0fbb71e9d746bfe0f3edf4329231e8b2573e664c ba3035c1cbfbd4ebb878f85acde3d846c6e9e90081de78ddcaf3126b4e8823b0 Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/1.9d9c8c3b.chunk.js	55 kB	2023-09-19	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/1.9d9c8c3b.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:59 Times Seen44 Hash bc8dde7d353b792cb424661adcff29fb 392a67d13de4ec9028585fff40412ebaa1757e6c 5e4e01da0230734413d39e4657ac95b4ccf45092ff61a162aa1f4d111a166735 Loading...

	unknown	362 B	2023-09-19	2024-05-18
Pretty Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:53 Times Seen10 Hash 6823b4396d66119bef58330df01c8956 7c25a8735bb52da49a90f00e3d9f06b8620f05dc e9f006e1d40fb23023d54ff4da76e97f10df4b82ee3cbc91fb669e8da146ecd8 Loading...

	j.6sc.co/j/e666a54d-ff29-48f9-9baa-2be6ac05412e.js	837 B	2023-09-19	2024-05-18
Pretty URL j.6sc.co/j/e666a54d-ff29-48f9-9baa-2be6ac05412e.js IP 95.101.10.131 ASN #20940 Akamai International B.V. Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:58 Times Seen19 Hash 29df5bb770be8e518fe2206581f712a6 2547b72c28d11642cb98341593af4d6d4d98754a 82ba33778a6595a59baef6e6964c64d7c3e9888c2bbf74461f1948b295db28e2 Loading...

	hubspotonwebflow.com/assets/js/form-124.js	10 kB	2024-03-22	2024-05-18
Pretty URL hubspotonwebflow.com/assets/js/form-124.js IP 76.76.21.61 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2024-03-22 21:10:44 Last Seen2024-05-18 13:43:59 Times Seen49 Hash 392ca1f460caa2aa9439969a89f31c13 04ace83023f1701540a5f3684c0d76e09d745e85 10ef3ba5308697292067120aee8cea7f3341a9a5e691475bc4a29805a5194939 Loading...

	cdn.neverbounce.com/widget/dist/NeverBounce.js	98 kB	2023-03-10	2024-05-18
Pretty URL cdn.neverbounce.com/widget/dist/NeverBounce.js IP 54.230.111.89 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-03-10 06:11:05 Last Seen2024-05-18 13:43:54 Times Seen203 Hash c1e06621030dfcba15b88abbcaa546eb f7b7ae2b4466464d37d362e4b3662cc0cf29241c c99d11cb4960d6e1918ed55d5bcbb316d38b51098e2efc1201904d7274d3273e Loading...

	js.hsleadflows.net/leadflows.js	564 kB	2024-04-03	2024-05-19
Pretty URL js.hsleadflows.net/leadflows.js IP 104.18.140.17 ASN #13335 CLOUDFLARENET Introduced by scriptElement Embedded in HTML false Observations First Seen2024-04-03 12:27:47 Last Seen2024-05-19 14:42:38 Times Seen371 Hash d252299cef5b9176cf0435e72e0baeeb 968a62d85c0d2e1322c27631422dfd196a427865 efb5dc6835aeb8a8e1615ca49df1828cfaf708dc73651c5f1c651f2d2ab3907a Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/33.ae4de0a0.chunk.js	37 kB	2023-03-08	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/33.ae4de0a0.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-03-08 14:23:36 Last Seen2024-05-18 13:43:54 Times Seen37 Hash db0cd5b66c52523e10b87a0c8a2db182 4894c769b95f40e47e3f9afe30c7760020a676bf e12404ccb0492da0a89fbda8db0ddb3c2358fcbd6d29b0c106ba840ca5f5e8ab Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/17.413337a8.chunk.js	41 kB	2023-09-19	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/17.413337a8.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:54 Times Seen43 Hash 4aea30e551ee7f04a564c0408c291306 8a11672b20991e181c119bcf712fd8337cb8358c 10b977a814bd9ca3e018a07b6e1197c9a9fa89a27a2419158d22f41ab8a29508 Loading...

	client-registry.mutinycdn.com/personalize/client/c9c27905c1e445d6.js	53 kB	2024-05-07	2024-05-09
Pretty URL client-registry.mutinycdn.com/personalize/client/c9c27905c1e445d6.js IP 151.101.129.91 ASN #54113 FASTLY Introduced by scriptElement Embedded in HTML false Observations First Seen2024-05-07 10:14:31 Last Seen2024-05-09 11:20:06 Times Seen6 Hash c69b46ab54effaf2de56da176299834f ac1c10ee1d1be1825886c7c3658c57968245473d 0160f35f2f60526c902bea9e6e6d594ff715cfd573566fbeb5b9b2f7434efb2b Loading...

	huntresscdn.com/19680a27e88da4a3713af26571b4849096e75d617f2845574af7fd15746256bb.js	114 kB	2023-03-07	2024-05-18
Pretty URL huntresscdn.com/19680a27e88da4a3713af26571b4849096e75d617f2845574af7fd15746256bb.js IP 104.26.1.173 ASN #13335 CLOUDFLARENET Introduced by scriptElement Embedded in HTML false Observations First Seen2023-03-07 13:21:39 Last Seen2024-05-18 13:43:58 Times Seen74 Hash 5601f72e0dbb3fa292669d45d4166a82 16f8b5a472e992a7b3550a74b82afa32d172cb8b 19680a27e88da4a3713af26571b4849096e75d617f2845574af7fd15746256bb Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/25.915ff314.chunk.js	48 kB	2023-09-19	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/25.915ff314.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:55 Times Seen43 Hash 12bceaba2da6c30ab2a0aacbde681b0c 4460ae72fb30b1319ed6b37880b4a42ac80ce819 e5149bac0cdad7bbd9d1b7badb88909929d324ee90b6dd1628e0c59024d68e7c Loading...

	assets-global.website-files.com/6579dd0b5f9a54376d296915/js/huntress-new.c43690333.js	1.3 MB	2024-05-07	2024-05-07
Pretty URL assets-global.website-files.com/6579dd0b5f9a54376d296915/js/huntress-new.c43690333.js IP 3.164.240.122 ASN #0 Introduced by scriptElement Embedded in HTML false Observations First Seen2024-05-07 10:14:31 Last Seen2024-05-07 10:14:31 Times Seen2 Hash c43690333dfc6e0f79e219b78e828664 4a5c285b819354ed26682d59b1aabfc0741c1472 0120871c98d8f9acd8debe42a348fad750a6a0a822cade30755447630a042e8d Loading...

	assets-global.website-files.com/6579dd0b5f9a54376d296915%2F6470f5217e03b0faa8a404de%2F658a9a0642f212b4ef59b0b2%2Fhs_trackcode_3911692-1.0.6.js	144 B	2024-01-01	2024-05-18
Pretty URL assets-global.website-files.com/6579dd0b5f9a54376d296915%2F6470f5217e03b0faa8a404de%2F658a9a0642f212b4ef59b0b2%2Fhs_trackcode_3911692-1.0.6.js IP 3.164.240.122 ASN #0 Introduced by scriptElement Embedded in HTML false Observations First Seen2024-01-01 16:33:04 Last Seen2024-05-18 13:43:57 Times Seen16 Hash f2387ad9877b2716a3df08933b84a986 9ee6bbb092965c6ba60cccad505039f98896a666 6ee38878cd3f57c918114ecd1a74bc75e5165f45fd1e9503056e8dc2e542288f Loading...

	api.neverbounce.com/v4/poe/notify?key=public_0e95e4405380cdd75d8aa57fca3692dc&event=form.load&callback=__neverbounce_133060	62 B	2024-05-07	2024-05-07
Pretty URL api.neverbounce.com/v4/poe/notify?key=public_0e95e4405380cdd75d8aa57fca3692dc&event=form.load&callback=__neverbounce_133060 IP 44.218.103.148 ASN #14618 AMAZON-AES Introduced by scriptElement Embedded in HTML false Observations First Seen2024-05-07 10:14:31 Last Seen2024-05-07 10:14:31 Times Seen1 Hash db36483807d05b3a25d1c53b55f25738 6fcf55628e936c852395181c66fbce8524d0ee36 245e5c62b83f77617aab58cc90a40c641cadbdd1d2a9175b96be2f9f0b25ac83 Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/35.3969a3d7.chunk.js	12 kB	2023-09-19	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/35.3969a3d7.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:58 Times Seen44 Hash dcd622adceee29d53432ca3f6e9eb777 03daf12e516e3d3ea54cf6d3b45ac10a5e72ff83 ca38f2df2a3be653605830a05931aeac85fbd1c3fa2e483a334fdc25e3463503 Loading...

	js.hsadspixel.net/fb.js	6.3 kB	2024-05-07	2024-05-07
Pretty URL js.hsadspixel.net/fb.js IP 104.17.223.152 ASN #13335 CLOUDFLARENET Introduced by scriptElement Embedded in HTML false Observations First Seen2024-05-07 00:41:19 Last Seen2024-05-07 14:32:40 Times Seen29 Hash eeced445dd619f5fac08890cddee2915 816b05188548053e9afe7d702755d65f7466c472 1da8f170c3865aeacd91c9b95531baec2b5dcd16174220092e3a3695ba6ef456 Loading...

	bat.bing.com/p/action/187059084.js	3.7 kB	2023-09-19	2024-05-18
Pretty URL bat.bing.com/p/action/187059084.js IP 204.79.197.237 ASN #8068 MICROSOFT-CORP-MSN-AS-BLOCK Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:58 Times Seen11 Hash 5e64b80a6b729154313b8788b2e8c9d2 ee2b2699774b13fcce9b12701291613a385ab281 cf8edbedfd479fe7cc642e3a1db515dd1103f2d7864f0db5cae6144fbde44ea4 Loading...

	cdn.jsdelivr.net/npm/slick-carousel@1.8.1/slick/slick.min.js	43 kB	2023-03-07	2024-05-19
Pretty URL cdn.jsdelivr.net/npm/slick-carousel@1.8.1/slick/slick.min.js IP 151.101.193.229 ASN #54113 FASTLY Introduced by scriptElement Embedded in HTML false Observations First Seen2023-03-07 01:06:34 Last Seen2024-05-19 16:24:35 Times Seen35502 Hash d5a61c749e44e47159af8a6579dda121 3b41b3bc956685015a347a2238e71db29dfa0dbb 0c7178cc6ca34fb18e30f070a5e7a1c287b2d7ccfcba2cfdf06e0f46eda55740 Loading...

	rc-widget-frame.js.driftt.com/core/assets/js/16.890a0911.chunk.js	94 kB	2023-09-19	2024-05-18
Pretty URL rc-widget-frame.js.driftt.com/core/assets/js/16.890a0911.chunk.js IP 143.204.55.14 ASN #16509 AMAZON-02 Introduced by scriptElement Embedded in HTML false Observations First Seen2023-09-19 04:31:28 Last Seen2024-05-18 13:43:55 Times Seen38 Hash 52b055a08e59141b8f7b7947c7d7ab69 d7b5044f24cb8297e8369206024f747484a6c2a2 860c659e8836feb6a6b4fc4c9b7195e4ab0a04e4642473c0780ae554fbf6ffb2 Loading...

		Size	First Seen	Last Seen
	#1 Eval - ded828b25cc2231877fe61096670a3c9	22 kB	2024-05-07	2024-05-07
Pretty Observations First Seen2024-05-07 10:14:31 Last Seen2024-05-07 10:14:31 Times Seen1 Hash ded828b25cc2231877fe61096670a3c9 bf8462cf7ad93bd5697fd849c28861a579a8e0b5 bcbd0f702bb3b68c0c1f74837e1ffa579023d07fee8653fe7d9fc4a0e60e42ff Loading...

	#2 Eval - c6aa52404a51b2e51855d8d812e52238	64 B	2024-04-24	2024-05-07
Pretty Observations First Seen2024-04-24 19:40:38 Last Seen2024-05-07 15:06:47 Times Seen98 Hash c6aa52404a51b2e51855d8d812e52238 ee7ddc1af54c0421f7f2a26cec89ccd499861a25 825319eeb05ed675083102c989076f4a6136a3071919b69534e4851265729308 Loading...

	#3 Eval - e9cbf1bd955ae45c49b12ff0f10e8b5f	22 B	2024-04-24	2024-05-07
Pretty Observations First Seen2024-04-24 19:40:38 Last Seen2024-05-07 15:06:47 Times Seen98 Hash e9cbf1bd955ae45c49b12ff0f10e8b5f d84cffeeaaae2df7c82398665519ae47341c3ede 9a9cf9b3b63538a25fc946dd2c6263d26bcef0706131248a84bfa730c22ab455 Loading...

	#4 Eval - e895c824a46c6cedd68c675b509ed95e	22 B	2024-04-24	2024-05-07
Pretty Observations First Seen2024-04-24 19:40:38 Last Seen2024-05-07 15:06:47 Times Seen98 Hash e895c824a46c6cedd68c675b509ed95e bc17e6c6e27c8d6a1af38b76298950679d86b674 c823b057f65a9bc5d37cfad2cdea30a7ac8d536077e7a9f40c00cfc0e560b680 Loading...

HTTP Transactions (204)

URL IP Response Size

www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware

52.17.119.105

200 OK

33 kB

URL User Request GET HTTP/2
www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
IP
52.17.119.105:443
ASN
#16509 AMAZON-02

Certificate
IssuerLet's Encrypt
Subjectwww.huntress.com
Fingerprint92:BF:13:D1:13:76:95:AE:D7:4E:AE:E7:C9:36:58:5E:A0:08:99:5A
ValidityFri, 15 Mar 2024 15:18:07 GMT - Thu, 13 Jun 2024 15:18:06 GMT

File type
HTML document, Unicode text, UTF-8 text, with very long lines (41099)
Size
33 kB (33269 bytes)
Hash
7b57987f50c207d0d7375358d245f67b
485a581dd116f874a7b4ef2f7386253b8e8b6a70
77cd6b3978c89883442da2dd3a9f1f0b53288ece51a7e7301cd890b0b4df11ea

Detections

Analyzer	Verdict	Alert
YARAhub by abuse.ch	malware	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

HTTP Headers

GET /blog/cobalt-strike-analysis-of-obfuscated-malware HTTP/1.1
Host: www.huntress.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:49 GMT
content-type: text/html
content-length: 33269
referrer-policy: origin
content-security-policy: frame-ancestors 'self'
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-lambda-id: 3caf9ad9-1722-40f6-bb48-1b2d6d7e311f
content-encoding: gzip
accept-ranges: bytes
age: 51945
x-served-by: cache-iad-kiad7000086-IAD, cache-dub4358-DUB
x-cache: HIT, HIT
x-cache-hits: 7, 0
x-timer: S1715069629.370429,VS0,VE1
vary: Accept-Encoding,x-wf-forwarded-proto
x-cluster-name: eu-west-1-prod-hosting-red
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296915/css/huntress-new.c85951d37.min.css

3.164.240.122

200 OK

62 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296915/css/huntress-new.c85951d37.min.css
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
Unicode text, UTF-8 text, with very long lines (65524), with no line terminators
Size
62 kB (62012 bytes)
Hash
c85951d377930466eaa50914e59469be
5a51f8ee4eedb30cca353fe0555d2494c7efc31f
3e26fa48f7232d476c7c109125c72e106f8f3c3f24526623a510870ff6177150

HTTP Headers

GET /6579dd0b5f9a54376d296915/css/huntress-new.c85951d37.min.css HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: text/css
content-length: 62012
last-modified: Fri, 03 May 2024 17:32:17 GMT
x-amz-server-side-encryption: AES256
content-encoding: gzip
x-amz-version-id: fzgMz5O5fEzQYO07hKBYHstUkMOXE3Js
accept-ranges: bytes
server: AmazonS3
date: Tue, 07 May 2024 03:16:50 GMT
cache-control: max-age=84600, must-revalidate
etag: "f823ecabe3ecfb3c8f2721b46ec71a54"
vary: Accept-Encoding
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 17820
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: jG8Mhs28a0w9DVByecomhE88lxfn5IKM5fyZf5QMyhbJnWVTA6DIhA==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296915%2F6470f5217e03b0faa8a404de%2F658a9a0642f212b4ef59b0b2%2Fhs_trackcode_3911692-1.0.6.js

3.164.240.122

131 B

URL
assets-global.website-files.com/6579dd0b5f9a54376d296915%2F6470f5217e03b0faa8a404de%2F658a9a0642f212b4ef59b0b2%2Fhs_trackcode_3911692-1.0.6.js
IP
3.164.240.122:0
ASN
#0

Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
ASCII text
Size
131 B (131 bytes)
Hash
f2387ad9877b2716a3df08933b84a986
9ee6bbb092965c6ba60cccad505039f98896a666
6ee38878cd3f57c918114ecd1a74bc75e5165f45fd1e9503056e8dc2e542288f

HTTP Headers

GET /6579dd0b5f9a54376d296915%2F6470f5217e03b0faa8a404de%2F658a9a0642f212b4ef59b0b2%2Fhs_trackcode_3911692-1.0.6.js HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: application/javascript
content-length: 131
date: Tue, 07 May 2024 02:39:16 GMT
last-modified: Tue, 26 Dec 2023 09:16:55 GMT
etag: "94d95acc94c6624c39cb9873e3da3787"
x-amz-server-side-encryption: AES256
cache-control: max-age=84600, must-revalidate
content-encoding: gzip
x-amz-version-id: fKVYVp7VLozdKwo7Gp68VwPn_1qCAcOV
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 20074
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: AbuCujx0Lcw4M5k75TSA4S8aALnlJWc8wjxMoplWMZp40fpMgx0ltQ==
X-Firefox-Spdy: h2

assets-global.website-files.com/655d92689c415e9fefcf2368/655d92689c415e9fefcf2400_Hero-grapic-right-02.png

3.164.240.122

5.0 kB

URL
assets-global.website-files.com/655d92689c415e9fefcf2368/655d92689c415e9fefcf2400_Hero-grapic-right-02.png
IP
3.164.240.122:0
ASN
#0

Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 333 x 192, 8-bit/color RGBA, non-interlaced
Size
5.0 kB (5002 bytes)
Hash
d360d7cfb07b3fdc3fbc56204caa4c06
f582b6b5d60826165cf45c79dc0f971ea9bf2682
a1e79865576e220b93dfe34d011286a8335ee8ac4eb6450300fb45a4f15a600e

HTTP Headers

GET /655d92689c415e9fefcf2368/655d92689c415e9fefcf2400_Hero-grapic-right-02.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 5002
date: Sat, 30 Dec 2023 05:44:52 GMT
last-modified: Wed, 22 Nov 2023 05:32:26 GMT
etag: "d360d7cfb07b3fdc3fbc56204caa4c06"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000, must-revalidate
x-amz-version-id: ds4He9jpqLhVudpNkauPNw12aaYIjxRr
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 11154537
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: 0A-CukLXgOJbCH-Pc52Zekut3is-rQhCLNrwQMWjMs2bKCSDzNSSNw==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296915/65f75020c99f25928927347f_banner-blue-halo.webp

3.164.240.122

200 OK

24 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296915/65f75020c99f25928927347f_banner-blue-halo.webp
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
RIFF (little-endian) data, Web/P image
Size
24 kB (23574 bytes)
Hash
cd3521a7574865352fcc31cd4d968864
777b61ae21c7e62ed53ea3d9df3adb7021fd6983
889e4055351e629718cc9647a7f696cb4fb1e246bcf29bd25e2f8ce5105c27b5

HTTP Headers

GET /6579dd0b5f9a54376d296915/65f75020c99f25928927347f_banner-blue-halo.webp HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/webp
content-length: 23574
date: Wed, 17 Apr 2024 06:30:41 GMT
last-modified: Sun, 17 Mar 2024 20:18:41 GMT
etag: "cd3521a7574865352fcc31cd4d968864"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000, must-revalidate
x-amz-version-id: VQxidV2D7M0v1MjkNARxPZzB4FkcrZg4
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 1734189
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: x1dZ1aPqUygx4pdiMDtYp3jx18nweUmOICSdSN0cn54lBmiGS-LqMg==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296915/66267cd1946bdc414612a045_banner-blue-halo-mobile.webp

3.164.240.122

11 kB

URL
assets-global.website-files.com/6579dd0b5f9a54376d296915/66267cd1946bdc414612a045_banner-blue-halo-mobile.webp
IP
3.164.240.122:0
ASN
#0

Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
RIFF (little-endian) data, Web/P image
Size
11 kB (11112 bytes)
Hash
308d32f3c0dd65a14316ec46469ba463
2093090bc33b1c143023258e609791b92c47105b
640d525f0c6d09a6cdc4c6f6b0d44c4d2d92ce5e35ae1a945ccac5da67071f9d

HTTP Headers

GET /6579dd0b5f9a54376d296915/66267cd1946bdc414612a045_banner-blue-halo-mobile.webp HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/webp
content-length: 11112
date: Tue, 23 Apr 2024 14:35:53 GMT
last-modified: Mon, 22 Apr 2024 15:05:55 GMT
etag: "308d32f3c0dd65a14316ec46469ba463"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000, must-revalidate
x-amz-version-id: 5.DnT5LYsjXZnxPaoCXpF7pRsl7yIEO1
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 1186677
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: AYAdFD9FZb7KwV3z9YJACcYeM74s8bk2w2eD27-vtahE7vgsWAwDsA==
X-Firefox-Spdy: h2

cdn.jsdelivr.net/npm/@finsweet/attributes-richtext@1/richtext.js

151.101.193.229

200 OK

3.9 kB

URL GET HTTP/2
cdn.jsdelivr.net/npm/@finsweet/attributes-richtext@1/richtext.js
IP
151.101.193.229:443
ASN
#54113 FASTLY

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGlobalSign nv-sa
Subjectjsdelivr.net
Fingerprint05:87:2C:BA:73:14:21:54:82:00:8B:AD:85:8F:E9:C6:4D:C7:66:09
ValidityWed, 27 Sep 2023 18:13:13 GMT - Mon, 28 Oct 2024 18:13:12 GMT

File type
JavaScript source, ASCII text, with very long lines (6938)
Size
3.9 kB (3918 bytes)
Hash
10fb79a20b31843bd41eada7ff576ab7
238d6ffa8ab8e372cf401e9a3ea322976eeaf506
2c699eb55ae3fe61b3d783c8936ab1eb949c596a5c89118f703e328ede2b8308

HTTP Headers

GET /npm/@finsweet/attributes-richtext@1/richtext.js HTTP/1.1
Host: cdn.jsdelivr.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: *
timing-allow-origin: *
cache-control: public, max-age=604800, s-maxage=43200
cross-origin-resource-policy: cross-origin
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-type: application/javascript; charset=utf-8
x-jsd-version: 1.10.2
x-jsd-version-type: version
etag: W/"2147-I41v+oq443LPQB6aPqMil27q9QY"
content-encoding: br
accept-ranges: bytes
date: Tue, 07 May 2024 08:13:49 GMT
age: 38042
x-served-by: cache-fra-eddf8230147-FRA, cache-hel1410029-HEL
x-cache: HIT, HIT
vary: Accept-Encoding
alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
content-length: 3918
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a70_linkedin.svg

3.164.240.122

200 OK

675 B

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a70_linkedin.svg
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
SVG Scalable Vector Graphics image
Size
675 B (675 bytes)
Hash
67b0ebebe9b8817edbfa41bdfd2e8c6e
3da84fce5654282e153f08f188405ac8d4e652c1
8f0f089b8d2746c56340171bba62f027d4d2dc0f520588d9480432693381e14a

HTTP Headers

GET /6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a70_linkedin.svg HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/svg+xml
content-length: 675
date: Sat, 30 Dec 2023 14:16:16 GMT
last-modified: Wed, 13 Dec 2023 16:34:21 GMT
etag: "67b0ebebe9b8817edbfa41bdfd2e8c6e"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000, must-revalidate
x-amz-version-id: mMxIOUbXDP4hW6NdJCWI58VrmvAg.At1
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 11123854
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: wkur0Wrq9KgGFA__bTm34DJ_Abbp6b01UCpAf7dcybrAgZ8F7s2LqQ==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a5b_facebook.svg

3.164.240.122

200 OK

368 B

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a5b_facebook.svg
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
SVG Scalable Vector Graphics image
Size
368 B (368 bytes)
Hash
b92a7c9703a268bda64464e9f8c245fd
2dda281cf571cab9a7c37265803b71e6d8aab0a5
f2314da0b26cc727445f74c19d54f2f75944ea1a610497231ba6a5d9e541acf0

HTTP Headers

GET /6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a5b_facebook.svg HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/svg+xml
content-length: 368
date: Thu, 28 Dec 2023 18:39:42 GMT
last-modified: Wed, 13 Dec 2023 16:34:21 GMT
etag: "b92a7c9703a268bda64464e9f8c245fd"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000, must-revalidate
x-amz-version-id: RZplueeOMT9I2ezQMMUJ8cw13HoQeV5p
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 11280848
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: jKws0LeANEqydLelhurF6Bwl_ScU9q82qSieIITcy2jV4Y7KScDD7g==
X-Firefox-Spdy: h2

cdn.jsdelivr.net/npm/medium-zoom@1.0.3/dist/medium-zoom.min.js

151.101.193.229

200 OK

3.1 kB

URL GET HTTP/2
cdn.jsdelivr.net/npm/medium-zoom@1.0.3/dist/medium-zoom.min.js
IP
151.101.193.229:443
ASN
#54113 FASTLY

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGlobalSign nv-sa
Subjectjsdelivr.net
Fingerprint05:87:2C:BA:73:14:21:54:82:00:8B:AD:85:8F:E9:C6:4D:C7:66:09
ValidityWed, 27 Sep 2023 18:13:13 GMT - Mon, 28 Oct 2024 18:13:12 GMT

File type
JavaScript source, ASCII text, with very long lines (9133)
Size
3.1 kB (3091 bytes)
Hash
44a7121c73792eb5d3490f4f25d0ae8f
e5c93d914c5df0082507ed708f56aa021fef2c3b
89aa43cb2db8717165e898b18806ad757585f8815f9f514bb0afbd3c390def95

HTTP Headers

GET /npm/medium-zoom@1.0.3/dist/medium-zoom.min.js HTTP/1.1
Host: cdn.jsdelivr.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: *
timing-allow-origin: *
cache-control: public, max-age=31536000, s-maxage=31536000, immutable
cross-origin-resource-policy: cross-origin
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-type: application/javascript; charset=utf-8
x-jsd-version: 1.0.3
x-jsd-version-type: version
etag: W/"2408-5ck9kUxd8AglB+1wj1aqAh/vLDs"
content-encoding: br
accept-ranges: bytes
age: 608256
date: Tue, 07 May 2024 08:13:49 GMT
x-served-by: cache-fra-etou8220020-FRA, cache-hel1410029-HEL
x-cache: HIT, HIT
vary: Accept-Encoding
alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
content-length: 3091
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a6f_twitter.svg

3.164.240.122

351 B

URL
assets-global.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a6f_twitter.svg
IP
3.164.240.122:0
ASN
#0

Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
SVG Scalable Vector Graphics image
Size
351 B (351 bytes)
Hash
e0a4b7f37d6875804665234ecff1cb23
0e2742905b9ce562a70cd31b8a6735cc09ac40d8
553797b86e5516ebb3b4a6ffc794d7d9eca1fc1f3ca8ab0703e5eff9934e29c8

HTTP Headers

GET /6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a6f_twitter.svg HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/svg+xml
content-length: 351
date: Thu, 28 Dec 2023 19:08:05 GMT
last-modified: Wed, 13 Dec 2023 16:34:21 GMT
etag: "e0a4b7f37d6875804665234ecff1cb23"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000, must-revalidate
x-amz-version-id: qTS56BoR0gVqfX6mJuOtV4Wu10z6D4RY
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 11279145
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: h9PQgRQ29Y-3qI1Iv4pS29gXpbn-Elq_wB5I3kp7GmAMV8wx5UljqQ==
X-Firefox-Spdy: h2

cdn.jsdelivr.net/npm/slick-carousel@1.8.1/slick/slick.min.js

151.101.193.229

200 OK

11 kB

URL GET HTTP/2
cdn.jsdelivr.net/npm/slick-carousel@1.8.1/slick/slick.min.js
IP
151.101.193.229:443
ASN
#54113 FASTLY

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGlobalSign nv-sa
Subjectjsdelivr.net
Fingerprint05:87:2C:BA:73:14:21:54:82:00:8B:AD:85:8F:E9:C6:4D:C7:66:09
ValidityWed, 27 Sep 2023 18:13:13 GMT - Mon, 28 Oct 2024 18:13:12 GMT

File type
JavaScript source, ASCII text, with very long lines (42862)
Size
11 kB (11325 bytes)
Hash
d5a61c749e44e47159af8a6579dda121
3b41b3bc956685015a347a2238e71db29dfa0dbb
0c7178cc6ca34fb18e30f070a5e7a1c287b2d7ccfcba2cfdf06e0f46eda55740

HTTP Headers

GET /npm/slick-carousel@1.8.1/slick/slick.min.js HTTP/1.1
Host: cdn.jsdelivr.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: *
timing-allow-origin: *
cache-control: public, max-age=31536000, s-maxage=31536000, immutable
cross-origin-resource-policy: cross-origin
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-type: application/javascript; charset=utf-8
x-jsd-version: 1.8.1
x-jsd-version-type: version
etag: W/"a76f-O0GzvJVmhQFaNHoiOOcdsp36Dbs"
content-encoding: br
accept-ranges: bytes
date: Tue, 07 May 2024 08:13:49 GMT
age: 8185127
x-served-by: cache-fra-eddf8230096-FRA, cache-hel1410029-HEL
x-cache: HIT, HIT
vary: Accept-Encoding
alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
content-length: 11325
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970bf_Run%2520Key.png

3.164.240.122

71 kB

URL
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970bf_Run%2520Key.png
IP
3.164.240.122:0
ASN
#0

Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 1318 x 835, 8-bit/color RGBA, non-interlaced
Size
71 kB (71187 bytes)
Hash
db2890bba34c7287827090246d94a77e
1a932de86e7f2d1a68435ee6b5d15b041f93fa35
e8d428fbce2c8713df7275735bbab7cb66fb022820de266ea8cbd269e0c2d4eb

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970bf_Run%2520Key.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 71187
date: Mon, 06 May 2024 15:08:24 GMT
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
etag: "db2890bba34c7287827090246d94a77e"
x-amz-server-side-encryption: AES256
cache-control: max-age=84600, must-revalidate
x-amz-version-id: nOhn57iy9KroYTCfv8cQou7Ha0K3HnRN
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 61526
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: C9PuRM0KRk0Fc-zfafNqTkvPONNnrP1VyjKIQCxq8uS_lz1I6Ve3Aw==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b2_Dynamic%2520Analysis.png

3.164.240.122

200 OK

103 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b2_Dynamic%2520Analysis.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 1178 x 319, 8-bit/color RGBA, non-interlaced
Size
103 kB (103192 bytes)
Hash
1ea035b6351e98778980092a8856a1e1
11ecbc219f3b4a19fb28d1582b99bcc6cfacd44a
996167ee36a996b0724251dbe5fd2f84223ae3020ba70fb66150065f580b271b

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b2_Dynamic%2520Analysis.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 103192
date: Mon, 06 May 2024 15:08:24 GMT
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
etag: "1ea035b6351e98778980092a8856a1e1"
x-amz-server-side-encryption: AES256
cache-control: max-age=84600, must-revalidate
x-amz-version-id: 4hta0SJvBUg6GjmkwSZzAt0YdTmsAlbi
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 61526
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: NUbuArbiwSLXD-QUb-DmTmZ6qRBz_EBJhSOroCpuHvTjkoyPo6GDAQ==
X-Firefox-Spdy: h2

cdn.jsdelivr.net/npm/@snowplow/browser-plugin-button-click-tracking@latest/dist/index.umd.min.js

151.101.193.229

200 OK

2.0 kB

URL GET HTTP/2
cdn.jsdelivr.net/npm/@snowplow/browser-plugin-button-click-tracking@latest/dist/index.umd.min.js
IP
151.101.193.229:443
ASN
#54113 FASTLY

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGlobalSign nv-sa
Subjectjsdelivr.net
Fingerprint05:87:2C:BA:73:14:21:54:82:00:8B:AD:85:8F:E9:C6:4D:C7:66:09
ValidityWed, 27 Sep 2023 18:13:13 GMT - Mon, 28 Oct 2024 18:13:12 GMT

File type
JavaScript source, ASCII text, with very long lines (4449)
Size
2.0 kB (2045 bytes)
Hash
86484fef1159bbf2971dd71f048267c1
5c687fbb4a13ee14db6905dfd7a8635777cdd0e5
66110db15bc55fa902401f14c8f25083dd0f7cfde33de392631a20f77312d017

HTTP Headers

GET /npm/@snowplow/browser-plugin-button-click-tracking@latest/dist/index.umd.min.js HTTP/1.1
Host: cdn.jsdelivr.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: *
timing-allow-origin: *
cache-control: public, max-age=604800, s-maxage=43200
cross-origin-resource-policy: cross-origin
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-type: application/javascript; charset=utf-8
x-jsd-version: 3.23.0
x-jsd-version-type: version
etag: W/"1257-XGh/u0oT7hTbaQXf16hjV3fN0OU"
content-encoding: br
accept-ranges: bytes
date: Tue, 07 May 2024 08:13:50 GMT
age: 8002
x-served-by: cache-fra-etou8220149-FRA, cache-hel1410029-HEL
x-cache: HIT, HIT
vary: Accept-Encoding
alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
content-length: 2045
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b1_Debugger3.png

3.164.240.122

200 OK

67 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b1_Debugger3.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 874 x 205, 8-bit/color RGB, non-interlaced
Size
67 kB (67300 bytes)
Hash
8cab88f2b7d2916eac7a988ecf0d922f
a0864957b8e01dbc09e024c34bc17ba06de56f1a
c8db3bffc0bc4399c84798a07faf138e1ef91118bc07a05f7dccaf0ef9cb7f32

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b1_Debugger3.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 67300
date: Mon, 06 May 2024 15:08:24 GMT
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
etag: "8cab88f2b7d2916eac7a988ecf0d922f"
x-amz-server-side-encryption: AES256
cache-control: max-age=84600, must-revalidate
x-amz-version-id: uFZcXrPZ7DVsnOJpfa8dz09DO4gbwkH5
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 61526
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: fm9tA-j8F4qOM8lfxb0lf4wL7dMmTM_n5fodUsRZp9tk8fTPcEfqwg==
X-Firefox-Spdy: h2

cdn.jsdelivr.net/npm/slick-carousel@1.8.1/slick/slick.css

151.101.193.229

200 OK

1.8 kB

URL GET HTTP/2
cdn.jsdelivr.net/npm/slick-carousel@1.8.1/slick/slick.css
IP
151.101.193.229:443
ASN
#54113 FASTLY

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGlobalSign nv-sa
Subjectjsdelivr.net
Fingerprint05:87:2C:BA:73:14:21:54:82:00:8B:AD:85:8F:E9:C6:4D:C7:66:09
ValidityWed, 27 Sep 2023 18:13:13 GMT - Mon, 28 Oct 2024 18:13:12 GMT

File type
ASCII text
Size
1.8 kB (1776 bytes)
Hash
f38b2db10e01b1572732a3191d538707
a94a059b3178b4adec09e3281ace2819a30095a4
de1e399b07289f3b0a8d35142e363e128124a1185770e214e25e58030dad48e5

HTTP Headers

GET /npm/slick-carousel@1.8.1/slick/slick.css HTTP/1.1
Host: cdn.jsdelivr.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: *
timing-allow-origin: *
cache-control: public, max-age=31536000, s-maxage=31536000, immutable
cross-origin-resource-policy: cross-origin
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-type: text/css; charset=utf-8
x-jsd-version: 1.8.1
x-jsd-version-type: version
etag: W/"6f0-qUoFmzF4tK3sCeMoGs4oGaMAlaQ"
accept-ranges: bytes
date: Tue, 07 May 2024 08:13:50 GMT
age: 6408965
x-served-by: cache-fra-eddf8230085-FRA, cache-hel1410029-HEL
x-cache: HIT, HIT
vary: Accept-Encoding
alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
content-length: 1776
X-Firefox-Spdy: h2

client-registry.mutinycdn.com/personalize/client/c9c27905c1e445d6.js

151.101.129.91

200 OK

17 kB

URL GET HTTP/2
client-registry.mutinycdn.com/personalize/client/c9c27905c1e445d6.js
IP
151.101.129.91:443
ASN
#54113 FASTLY

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGlobalSign nv-sa
Subjectclient-registry.mutinycdn.com
FingerprintBE:CC:E4:53:CC:9D:DB:E2:58:80:16:06:86:DD:09:06:92:66:F8:9C
ValidityWed, 06 Mar 2024 21:56:19 GMT - Mon, 07 Apr 2025 21:56:18 GMT

File type
JavaScript source, ASCII text, with very long lines (30631)
Size
17 kB (16842 bytes)
Hash
c69b46ab54effaf2de56da176299834f
ac1c10ee1d1be1825886c7c3658c57968245473d
0160f35f2f60526c902bea9e6e6d594ff715cfd573566fbeb5b9b2f7434efb2b

HTTP Headers

GET /personalize/client/c9c27905c1e445d6.js HTTP/1.1
Host: client-registry.mutinycdn.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
x-amz-id-2: LCLBDr1uLy9MGR2W2nv1wMeWrLsxUNzG5zSV/SOatUVYStMgssS+VtLMIOE2WBEtCnVru7KoYOc=
x-amz-request-id: KJS60C8EKTCMTVW9
last-modified: Tue, 30 Apr 2024 19:44:47 GMT
etag: "c69b46ab54effaf2de56da176299834f"
x-amz-server-side-encryption: AES256
cache-control: s-maxage=3600, max-age=0
x-amz-version-id: 0X9TrTDnVCDmidY7kHEAEwkBhhAKiSpU
content-type: application/javascript
server: AmazonS3
x-continent-code: EU
access-control-allow-methods: GET, HEAD
access-control-allow-origin: *
access-control-max-age: 3000
content-encoding: gzip
accept-ranges: bytes
age: 2904
date: Tue, 07 May 2024 08:13:50 GMT
via: 1.1 varnish
x-served-by: cache-hel1410024-HEL
x-cache: HIT
x-cache-hits: 0
vary: X-Continent-Code, Accept-Encoding
x-connection-speed: broadband
x-country-code: NO
x-edge-datacenter: HEL
x-edge-region: EU-East
content-length: 16842
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b7_Second%2520Binary.png

3.164.240.122

200 OK

478 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b7_Second%2520Binary.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 1796 x 974, 8-bit/color RGBA, non-interlaced
Size
478 kB (478132 bytes)
Hash
4d323d56f55e7dde87be887139037712
2192a5850a6bf57371622e1b49c88bacebf4b9d8
10ecb174db163184338ed9dd5eb769732faaa913286164d35ce1ccd601be7b92

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b7_Second%2520Binary.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 478132
date: Mon, 06 May 2024 15:08:24 GMT
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
etag: "4d323d56f55e7dde87be887139037712"
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
cache-control: max-age=84600, must-revalidate
x-amz-version-id: wPMp2FzzQ2c0HZ0cHZ2e5uu6GfvrVDzf
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 61526
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: PBiFsYzqYF7AX0Q9FKmB0moW-STMC4OHv39_W0k-8I22EEqWrbAbrA==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b4_Binary%25204_6.png

3.164.240.122

200 OK

82 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b4_Binary%25204_6.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 1673 x 829, 8-bit/color RGBA, non-interlaced
Size
82 kB (82175 bytes)
Hash
98ed22cc7a3939bbda74e8f6366b7b75
d2670d0ce7b70d2f07e09e4607b118df390f822d
b854ab6c00b84bc607714ef164e6f4b64e39db6030061c7d1d68021992afb5d9

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b4_Binary%25204_6.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 82175
date: Mon, 06 May 2024 15:08:24 GMT
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
etag: "98ed22cc7a3939bbda74e8f6366b7b75"
x-amz-server-side-encryption: AES256
cache-control: max-age=84600, must-revalidate
x-amz-version-id: f.n0y94grvgZ6gIt6oKzvmlqJU2AA5QV
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 61526
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: SX5Y5HPexSZv0wDOOja82crcTgWzrdItNYERa7x2U6g2WNUPlzjmdA==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c1_IOC_7.png

3.164.240.122

200 OK

216 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c1_IOC_7.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 1200 x 495, 8-bit/color RGB, non-interlaced
Size
216 kB (216241 bytes)
Hash
9b3b0f829b4881337d113e90ab3e42bf
045a094dc52ea08a9eb082cdd91f9e3102c5c71a
edde5f240b459fb933ec0023f0ba5e0ef44cf888bb7a438a17fa0ea68ac9c82c

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c1_IOC_7.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 216241
date: Mon, 06 May 2024 15:08:24 GMT
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
etag: "9b3b0f829b4881337d113e90ab3e42bf"
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
cache-control: max-age=84600, must-revalidate
x-amz-version-id: kPOJs3YLl64mDYmMPXCQiGUVVTI8Sia.
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 61526
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: IWUrxVCy2-qpr_g184PmXzqjuvSjpLDGs3mIHRty6o87oIPdAe0aNw==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970bb_Screen%2520Shot%25202021-05-20%2520at%25205-23-44%2520PM-png.png

3.164.240.122

200 OK

75 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970bb_Screen%2520Shot%25202021-05-20%2520at%25205-23-44%2520PM-png.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 800 x 210, 8-bit/color RGB, non-interlaced
Size
75 kB (75033 bytes)
Hash
24935031f2cdf740de79abc481df8c50
e84b2a41cbc523ec21f7e7d4fb47587c22bff38e
a32a534e1388290826381a1dd8aa874f7e2ed7b23b6b1bc4b81a8078e02ff41d

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970bb_Screen%2520Shot%25202021-05-20%2520at%25205-23-44%2520PM-png.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 75033
date: Mon, 06 May 2024 15:08:24 GMT
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
etag: "24935031f2cdf740de79abc481df8c50"
x-amz-server-side-encryption: AES256
cache-control: max-age=84600, must-revalidate
x-amz-version-id: Y25VEC6PSiGFhFBWIjRmLlpMOTIXHSl8
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 61526
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: 7A3sW66smuTYTZuP0vOBWxwQ1TwcCPHxUEY3FFDNwtUnK9tG7Fp6tQ==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296915/js/huntress-new.c43690333.js

3.164.240.122

214 kB

URL
assets-global.website-files.com/6579dd0b5f9a54376d296915/js/huntress-new.c43690333.js
IP
3.164.240.122:0
ASN
#0

Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (42312)
Size
214 kB (214524 bytes)
Hash
c43690333dfc6e0f79e219b78e828664
4a5c285b819354ed26682d59b1aabfc0741c1472
0120871c98d8f9acd8debe42a348fad750a6a0a822cade30755447630a042e8d

HTTP Headers

GET /6579dd0b5f9a54376d296915/js/huntress-new.c43690333.js HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: text/javascript
content-length: 214524
date: Tue, 07 May 2024 01:35:14 GMT
last-modified: Fri, 03 May 2024 17:32:17 GMT
etag: "09f4f751d96772978a17ea7931971407"
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
cache-control: max-age=84600, must-revalidate
content-encoding: gzip
x-amz-version-id: FEAYN5wbOTGuEagnKelmFJ5AkrZwvdYR
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 23917
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: Oers1eho-Q1USpwDKu2X_MX7fl4eeQM3k7Ee_Nb5zmXvulYPZSjm9g==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c5_IOC_3.png

3.164.240.122

200 OK

472 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c5_IOC_3.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 2168 x 678, 8-bit/color RGBA, non-interlaced
Size
472 kB (472314 bytes)
Hash
d0111b371223237f378271211c7e6600
9eb7abb6b760e7f3f2e7217ce0956a391147ed0e
962e22dc3f02d1aa0daaa54b33e2ba4d61b498919a687e463e4d41301b7f7f1c

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c5_IOC_3.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 472314
date: Mon, 06 May 2024 15:08:24 GMT
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
etag: "d0111b371223237f378271211c7e6600"
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
cache-control: max-age=84600, must-revalidate
x-amz-version-id: iIMG4hBQIgvNOHQKkl9yJCngjSUB54.N
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 61526
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: CbV-O_W_CO_5saMgBPfpqOO6ZlyXV4glI2XxgFmcShirrU0NSs_yHQ==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b3_continued%2520browsing.png

3.164.240.122

200 OK

137 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b3_continued%2520browsing.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 800 x 201, 8-bit/color RGB, non-interlaced
Size
137 kB (137433 bytes)
Hash
daa2974e31c9cbe7b25f3ad588c4619d
01aa7003a909b0a4de44784d5afc34771cb56a5b
62429bfac1613cac768479f5d36ad1c56a910d7fe6c4a7799efd374999497744

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b3_continued%2520browsing.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 137433
date: Mon, 06 May 2024 15:08:24 GMT
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
etag: "daa2974e31c9cbe7b25f3ad588c4619d"
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
cache-control: max-age=84600, must-revalidate
x-amz-version-id: znsxSnGL85Bf6m6L3Eufjv9GHrfwPHCI
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 61526
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: zKdb5rIkOfrL1L2wOnLJA_p7hADZNlXUZQgpRTU8h51e5WE4Z1Sj6w==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b5_Obfuscated.png

3.164.240.122

200 OK

233 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b5_Obfuscated.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 1000 x 332, 8-bit/color RGB, non-interlaced
Size
233 kB (232596 bytes)
Hash
d4d5e0c14f3e1c913b9021f97aca5668
9ecef5651f07d94f16f8d9c6581751d2a50af6c1
306bb255b39765bc77840966585268313ab71b4e6b0d7932c72dbd03f1b0e4c2

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b5_Obfuscated.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 232596
date: Mon, 06 May 2024 15:08:24 GMT
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
etag: "d4d5e0c14f3e1c913b9021f97aca5668"
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
cache-control: max-age=84600, must-revalidate
x-amz-version-id: .O9dCzonFm8Han4RQZ5eP5IAzZZfU_a5
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 61526
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: arPKlpLwfdr-D3_KwFqtKwevrl8WFKXbT_SfyueY2gUa-U078XMtJQ==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970ca_Binary%25204_4.png

3.164.240.122

200 OK

165 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970ca_Binary%25204_4.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 1981 x 388, 8-bit/color RGBA, non-interlaced
Size
165 kB (164679 bytes)
Hash
993317526cf3fcd181ac33e6b40d7c7a
2080ea33fc68022cd630f4811a5776e819610167
5fed1e221ac5ffb3af07a6de219cc92d0f560280af00596dba054b490678f19d

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970ca_Binary%25204_4.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 164679
date: Mon, 06 May 2024 15:08:24 GMT
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
etag: "993317526cf3fcd181ac33e6b40d7c7a"
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
cache-control: max-age=84600, must-revalidate
x-amz-version-id: s_IlN6wn85GMk.jJqkRkVeGx8SwvwJ9F
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 61526
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: 268ksvkulERVsyDJqcIZehgZxdGXj3OUQ04VbsVcToG0tyadTe60zA==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b6_Traffic.png

3.164.240.122

200 OK

113 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b6_Traffic.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 900 x 306, 8-bit/color RGB, non-interlaced
Size
113 kB (113313 bytes)
Hash
c4c33358bc740e881bc146eae0b75486
f76e354dabb46a075a97124014e48d214ee33f4b
25634d5d26f85803778d4ac51978a5cf1d8dc0b4a17f4af681e396a4aec75bc6

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b6_Traffic.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 113313
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
x-amz-server-side-encryption: AES256
x-amz-version-id: YQSkw82Pp3HRPKPZEyn6bzKc8BRRe.Xk
accept-ranges: bytes
server: AmazonS3
date: Tue, 07 May 2024 08:13:50 GMT
cache-control: max-age=84600, must-revalidate
etag: "c4c33358bc740e881bc146eae0b75486"
vary: Accept-Encoding
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
access-control-allow-origin: *
x-cache: RefreshHit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: TPUpmayWMl2CFPkLR7TXBqKXPFtpdfclKA3ig_2QV3SHo8Jg-TOgTA==
X-Firefox-Spdy: h2

j.6sc.co/j/8769192b-20ba-4df2-8d62-2740a805c3e8.js

95.101.10.131

200 OK

510 B

URL GET HTTP/2
j.6sc.co/j/8769192b-20ba-4df2-8d62-2740a805c3e8.js
IP
95.101.10.131:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
ASCII text, with very long lines (1002), with no line terminators
Size
510 B (510 bytes)
Hash
924fd1c8fe1063b3e4acf99764018260
b4c300cd2740481bb90d78d416129e1d51c7eae5
f143cdd47f943dca511fec190f6f8dc72123af1a03b0acc0b85006d3827469db

HTTP Headers

GET /j/8769192b-20ba-4df2-8d62-2740a805c3e8.js HTTP/1.1
Host: j.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
last-modified: Thu, 11 Apr 2024 18:58:58 GMT
x-amz-server-side-encryption: AES256
x-amz-meta-content-type: application/json
x-amz-version-id: zEBnpWOB89tdK2K_PjtVDO4IbLcELopv
accept-ranges: bytes
server: AmazonS3
etag: "924fd1c8fe1063b3e4acf99764018260"
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: mWQjfhw9zDEFIZFkn1sxL-qKA0Audr9067m9oEX0Yj6r_wFZN68WBQ==
vary: Accept-Encoding
content-encoding: gzip
expires: Tue, 07 May 2024 08:13:50 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:50 GMT
content-length: 510
content-type: application/javascript
X-Firefox-Spdy: h2

js.na.chilipiper.com/marketing.js

34.111.224.162

200 OK

22 kB

URL GET HTTP/2
js.na.chilipiper.com/marketing.js
IP
34.111.224.162:443
ASN
#396982 GOOGLE-CLOUD-PLATFORM

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGoGetSSL
Subjectchilipiper.com
FingerprintA2:B6:D6:A3:6C:18:7C:E8:F7:23:1D:7B:23:65:C6:B6:72:A6:8A:39
ValidityMon, 05 Feb 2024 00:00:00 GMT - Fri, 07 Mar 2025 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (65536), with no line terminators
Size
22 kB (22403 bytes)
Hash
d9ecfe9851e1570bcf308fd56d5dee0b
55f88395bd0304dac4b9c545ab37de48617403a6
02c65a6d1cdc752f31b0be2157d9c6f65e72c7f3e781eea941bd848caf8a332e

HTTP Headers

GET /marketing.js HTTP/1.1
Host: js.na.chilipiper.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-encoding: gzip
via: 1.1 google
content-length: 22403
date: Tue, 07 May 2024 08:13:50 GMT
cache-control: public, max-age=0, s-maxage=60, must-revalidate
last-modified: Tue, 30 Apr 2024 06:52:03 GMT
etag: W/"66309513-122e0"
content-type: application/javascript
vary: Accept-Encoding
age: 0
x-xss-protection: 1; mode=block
referrer-policy: origin-when-cross-origin
x-content-security-policy: default-src 'self' blob: data: wss://*.chilipiper.com wss://*.chilipiper.io wss://*.chilipiper.cool wss://*.chilipiper.team https://*.chilipiper.com https://*.chilipiper.io https://*.chilipiper.cool https://*.chilipiper.team https://www.google-analytics.com https://www.googletagmanager.com https://static2.sharepointonline.com https://ajax.aspnetcdn.com https://appsforoffice.microsoft.com https://*.rollout.io https://*.facebook.com https://*.marketo.com https://*.mixpanel.com https://*.hubspot.com https://*.pardot.com https://*.getdrip.com https://*.google.com https://*.googleapis.com https://*.hsforms.net https://*.clearbit.com https://www.youtube.com https://s3.amazonaws.com https://sentry.io https://cdn.ravenjs.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://twemoji.maxcdn.com https://*.cloudfront.net https://intercom-sheets.com https://static.intercomassets.com https://js.intercomcdn.com https://cdn.segment.com https://api.segment.io https://maxcdn.bootstrapcdn.com https://*.intercom.io https://*.mutinycdn.com https://*.mutinyhq.io wss://nexus-websocket-a.intercom.io wss://nexus-websocket-b.intercom.io https://*.bugsnag.com https://zoom.us https://*.gotomeeting.com https://*.rollout.io https://*.codox.io https://cdn.tiny.cloud https://js.stripe.com https://*.zdassets.com https://*.zendesk.com https://*.zopim.com wss://chilipiper.zendesk.com wss://*.zopim.com https://*.googleusercontent.com https://*.facebook.net https://*.doubleclick.net https://*.licdn.com https://*.googleadservices.com https://*.digitaloceanspaces.com https://*.ingest.sentry.io https://*.ingest.us.sentry.io https://canny.io/sdk.js https://changelog-widget.canny.io https://edge.fullstory.com https://rs.fullstory.com https://*.lr-in-prod.com https://polyfill.io https://*.planhat.com https://*.sprig.com https://com-chilipiper-prod1.mini.snplow.net https://com-chilipiper-prod1.collector.snplow.net https://fast.chameleon.io https://js.chargify.com https://selfservice.maxio.com https://hooks.slack.com https://*.logr-ingest.com https://*.posthog.com 'unsafe-inline'; font-src 'self' data:  https://maxcdn.bootstrapcdn.com https://fonts.gstatic.com https://fonts.googleapis.com https://js.intercomcdn.com; img-src * data: blob: 'unsafe-inline';
x-content-type-options: nosniff
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-cache-hit: revalidated
content-security-policy: default-src 'self' blob: data: wss://*.chilipiper.com wss://*.chilipiper.io wss://*.chilipiper.cool wss://*.chilipiper.team https://*.chilipiper.com https://*.chilipiper.io https://*.chilipiper.cool https://*.chilipiper.team https://www.google-analytics.com https://www.googletagmanager.com https://static2.sharepointonline.com https://ajax.aspnetcdn.com https://appsforoffice.microsoft.com https://*.rollout.io https://*.facebook.com https://*.marketo.com https://*.mixpanel.com https://*.hubspot.com https://*.pardot.com https://*.getdrip.com https://*.google.com https://*.googleapis.com https://*.hsforms.net https://*.clearbit.com https://www.youtube.com https://s3.amazonaws.com https://sentry.io https://cdn.ravenjs.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://twemoji.maxcdn.com https://*.cloudfront.net https://intercom-sheets.com https://static.intercomassets.com https://js.intercomcdn.com https://cdn.segment.com https://api.segment.io https://maxcdn.bootstrapcdn.com https://*.intercom.io https://*.mutinycdn.com https://*.mutinyhq.io wss://nexus-websocket-a.intercom.io wss://nexus-websocket-b.intercom.io https://*.bugsnag.com https://zoom.us https://*.gotomeeting.com https://*.rollout.io https://*.codox.io https://cdn.tiny.cloud https://js.stripe.com https://*.zdassets.com https://*.zendesk.com https://*.zopim.com wss://chilipiper.zendesk.com wss://*.zopim.com https://*.googleusercontent.com https://*.facebook.net https://*.doubleclick.net https://*.licdn.com https://*.googleadservices.com https://*.digitaloceanspaces.com https://*.ingest.sentry.io https://*.ingest.us.sentry.io https://canny.io/sdk.js https://changelog-widget.canny.io https://edge.fullstory.com https://rs.fullstory.com https://*.lr-in-prod.com https://polyfill.io https://*.planhat.com https://*.sprig.com https://com-chilipiper-prod1.mini.snplow.net https://com-chilipiper-prod1.collector.snplow.net https://fast.chameleon.io https://js.chargify.com https://selfservice.maxio.com https://hooks.slack.com https://*.logr-ingest.com https://*.posthog.com 'unsafe-inline'; font-src 'self' data:  https://maxcdn.bootstrapcdn.com https://fonts.gstatic.com https://fonts.googleapis.com https://js.intercomcdn.com; img-src * data: blob: 'unsafe-inline';
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c3_IOC_6.png

3.164.240.122

200 OK

396 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c3_IOC_6.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 858 x 411, 8-bit/color RGBA, non-interlaced
Size
396 kB (395650 bytes)
Hash
20cf1a48db31ed238dedb2dd4ed041bb
ae47e0193a477e917f5a00785563bc5bfebe75e7
2d322fdd489fb68eb8aac0383e064d076f6a562503eb8bff693524604d69fd3f

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c3_IOC_6.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 395650
date: Mon, 06 May 2024 15:08:24 GMT
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
etag: "20cf1a48db31ed238dedb2dd4ed041bb"
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
cache-control: max-age=84600, must-revalidate
x-amz-version-id: IGOkvw75KD.Nam.oZ_Hnkg3syGHZsbYB
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 61526
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: 0C23skjp_E11rP0nEjdnZwZJC_AAuCHwEtfj0bYgVsxY_A3om-nn7A==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a5a_download.svg

3.164.240.122

820 B

URL
assets-global.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a5a_download.svg
IP
3.164.240.122:0
ASN
#0

Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
SVG Scalable Vector Graphics image
Size
820 B (820 bytes)
Hash
8d8c0614e1e224001d7c6dec535490b1
2a86f349a6a19b8d5476eaba60eea98e6bba28de
350cf9ff67297ce9f79b1a35fb7205326d21f149ab404f81ec875968f0b7d083

HTTP Headers

GET /6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a5a_download.svg HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/svg+xml
content-length: 820
date: Sat, 30 Dec 2023 14:16:16 GMT
last-modified: Wed, 13 Dec 2023 16:34:21 GMT
etag: "8d8c0614e1e224001d7c6dec535490b1"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000, must-revalidate
x-amz-version-id: 5Ss_XSS0A3iWbPuuBVg7J8jICwbGfHO4
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 11123855
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: xZQGNQVA7wNB2soQlvAA-8igQQWbQelNq4eoGjoyHqcGAugw0WoGxA==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a87_Blog%20detail%20Banner%20Glitch%20Left%20Bottom.webp

3.164.240.122

200 OK

6.8 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a87_Blog%20detail%20Banner%20Glitch%20Left%20Bottom.webp
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
RIFF (little-endian) data, Web/P image
Size
6.8 kB (6778 bytes)
Hash
2deea30793899f56a236f1ba505155ab
9b5e3882a00dd2bd7f39c402bfcff1398d62c229
6f3642cd8faa981a6b7f71cb0bd88a222ed7c92510100761c38f4bfd689853f2

HTTP Headers

GET /6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a87_Blog%20detail%20Banner%20Glitch%20Left%20Bottom.webp HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/webp
content-length: 6778
last-modified: Thu, 21 Dec 2023 07:39:51 GMT
x-amz-server-side-encryption: AES256
x-amz-version-id: .9LTfep43eO88TqIHc3WnYAIb3vaJe3A
accept-ranges: bytes
server: AmazonS3
date: Tue, 07 May 2024 05:36:35 GMT
cache-control: max-age=84600, must-revalidate
etag: "2deea30793899f56a236f1ba505155ab"
vary: Accept-Encoding
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 9574
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: n8T4Apk96W-6Q2TDsANAzI0dijVqK93jhlsCbvhvzxpXae3mNPLfZw==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a71_Blog%20banner%20Thumb%20Glitch%20Left.webp

3.164.240.122

200 OK

2.0 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a71_Blog%20banner%20Thumb%20Glitch%20Left.webp
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
RIFF (little-endian) data, Web/P image
Size
2.0 kB (1996 bytes)
Hash
8a941746cf0b15b4b601f10dac732f1c
17ed51a52c473aff4f0113bcbd78072d911bd090
1402811141d6cf6956918acd3398468bd385081a50b90a5d251fe7a3312c0801

HTTP Headers

GET /6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a71_Blog%20banner%20Thumb%20Glitch%20Left.webp HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/webp
content-length: 1996
last-modified: Thu, 21 Dec 2023 07:39:50 GMT
x-amz-server-side-encryption: AES256
x-amz-version-id: X1oARd.5yRkM1108eqnTnHXez5VJo2XZ
accept-ranges: bytes
server: AmazonS3
date: Tue, 07 May 2024 06:18:26 GMT
cache-control: max-age=84600, must-revalidate
etag: "8a941746cf0b15b4b601f10dac732f1c"
vary: Accept-Encoding
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 6925
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: c7YJhEjJ_KygESzHzc7mfbEB12xzage1VtLur0ZuikR_yrBmjC006g==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c9_IOC_8.png

3.164.240.122

200 OK

431 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c9_IOC_8.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 1610 x 596, 8-bit/color RGBA, non-interlaced
Size
431 kB (430898 bytes)
Hash
a9c972dad68fd735c5d0897a702284b6
bda804325d3678d1b30cbc8b00c4ff88ff54691e
5f60517e56b0e462d0958f187664371100ae9835925474044d4b2383ef63f22b

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c9_IOC_8.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 430898
date: Mon, 06 May 2024 15:08:24 GMT
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
etag: "a9c972dad68fd735c5d0897a702284b6"
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
cache-control: max-age=84600, must-revalidate
x-amz-version-id: IBijZaqt..Xt_QcQcnzhbcfYTAfjz0tu
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 61526
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: H5TP2W_kozMV4I8pMugaAVR_dtv21BfOrqZGBSpoA280CpNfiVue-A==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970ba_Delphi.png

3.164.240.122

200 OK

464 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970ba_Delphi.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 1696 x 963, 8-bit/color RGBA, non-interlaced
Size
464 kB (463824 bytes)
Hash
020170fdd50f58c8a171d1739f4cbf3b
93fd3657c518a1a40d2e6a6b6673f797ad71cee2
fbe6272f892a2e99d79953cc86fd16544cdbbce9b992f538cf538047585d306f

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970ba_Delphi.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 463824
date: Mon, 06 May 2024 15:08:24 GMT
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
etag: "020170fdd50f58c8a171d1739f4cbf3b"
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
cache-control: max-age=84600, must-revalidate
x-amz-version-id: KVCI4WFpfdI.t33s5YakwSorkNDxmDJU
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 61526
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: YlxzdalliZpZRPOkuniN5ba_2gUZihgoohvv27mFEoxnso9z9_Lymw==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c7_Binary%25205_2.png

3.164.240.122

200 OK

492 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c7_Binary%25205_2.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 2106 x 954, 8-bit/color RGBA, non-interlaced
Size
492 kB (492497 bytes)
Hash
e1294ae9dc0d9c368bd3337cd515d3c1
7f1953ae9a5c6ca6d73e03c5c56d5f357875ff01
3156b70d5e147fbaf90c9c7eef54659179f8f7e17be53cff890ac1e211d75ff4

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c7_Binary%25205_2.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 492497
date: Mon, 06 May 2024 15:08:24 GMT
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
etag: "e1294ae9dc0d9c368bd3337cd515d3c1"
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
cache-control: max-age=84600, must-revalidate
x-amz-version-id: hy7e986UyLmCciCbYStUrlQ2YNwRsMwi
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 61526
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: mpJrqC0zBB-UCNcwsGgSie64V554d3xBRbBwMdjtFo3aXTxDsht-ag==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c4_IOC_9.png

3.164.240.122

200 OK

550 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c4_IOC_9.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 2068 x 786, 8-bit/color RGBA, non-interlaced
Size
550 kB (549998 bytes)
Hash
677686011090fbe88d630c9cc46055ff
97b4897b73c5336e4a64438f79d2102056d1841f
63c7c746c77246d5263cf8c14d317e15a1f0129f17f5ffa0d74db5f59524190d

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c4_IOC_9.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 549998
date: Mon, 06 May 2024 15:08:24 GMT
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
etag: "677686011090fbe88d630c9cc46055ff"
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
cache-control: max-age=84600, must-revalidate
x-amz-version-id: Z7fE2FCDfKHZCbZySswTo5KJS9spDUYG
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 61527
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: OdIXmLRTDyZlF3H9cdqvgNHMEvqeuqGkYdPhLNMCysU44ixkWit45A==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b9_Binary%2520File%25201.png

3.164.240.122

489 kB

URL
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b9_Binary%2520File%25201.png
IP
3.164.240.122:0
ASN
#0

Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 1688 x 959, 8-bit/color RGBA, non-interlaced
Size
489 kB (489084 bytes)
Hash
946f7179afbec4c4507bf3344bd2769e
adbf027b7995e27980926fe5f02d46e8335431e1
d5ef30f880252d6c8d8eb26b7c6b83d30b6703564ec01d8f7cc6c3c78695f673

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b9_Binary%2520File%25201.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 489084
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
x-amz-version-id: p6YuUZzIk5EOxj2mbpu7SCazspG2Odrg
accept-ranges: bytes
server: AmazonS3
date: Tue, 07 May 2024 08:13:51 GMT
cache-control: max-age=84600, must-revalidate
etag: "946f7179afbec4c4507bf3344bd2769e"
vary: Accept-Encoding
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
access-control-allow-origin: *
x-cache: RefreshHit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: K2VAqMLfEBeTpo6jOkO8cdWfbCK6tkwRIdbNULpLtukQ2ROLA8Qnlg==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b8_Binary4_2.png

3.164.240.122

200 OK

162 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b8_Binary4_2.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 800 x 564, 8-bit/color RGB, non-interlaced
Size
162 kB (162165 bytes)
Hash
9ce32a73eb256630b8f0025f27740b76
967a95a8dba9f8fdff6f258e4254fcb52ab39b17
1f609db7b275f0864e330e047d480d2ec35e284e2429e255a1dec78f47fcb71c

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970b8_Binary4_2.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 162165
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
x-amz-version-id: w1cIu9kKwQNQDnuAedqNJUvrthR.PFhW
accept-ranges: bytes
server: AmazonS3
date: Tue, 07 May 2024 08:13:51 GMT
cache-control: max-age=84600, must-revalidate
etag: "9ce32a73eb256630b8f0025f27740b76"
vary: Accept-Encoding
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
access-control-allow-origin: *
x-cache: RefreshHit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: z2sIr-KiKgL4cy47t6_bmB10YTUXMBHve0fyMVYbf396W95sjuIakQ==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970be_Values.png

3.164.240.122

359 kB

URL
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970be_Values.png
IP
3.164.240.122:0
ASN
#0

Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 800 x 362, 8-bit/color RGB, non-interlaced
Size
359 kB (359167 bytes)
Hash
93d4ab08a17c98a970a8db5b34c0b103
7e0ef8c841eff174ad6da94926c585ed5e6486d4
3efa3b58992a04c06309aada9abea6ca6a1578b7001418099923cd2d2949d4ce

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970be_Values.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 359167
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
x-amz-version-id: V5L6vkps5sURYZ2SsP7D_0W1cBAdZL_m
accept-ranges: bytes
server: AmazonS3
date: Tue, 07 May 2024 08:13:51 GMT
cache-control: max-age=84600, must-revalidate
etag: "93d4ab08a17c98a970a8db5b34c0b103"
vary: Accept-Encoding
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
access-control-allow-origin: *
x-cache: RefreshHit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: 1n5YOGHumKGQl9L-eFGqzSDZqu9EK9KcF7ZEgcNGr8fmlE3MLuzlqw==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970bd_Binary%25205_1.png

3.164.240.122

200 OK

440 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970bd_Binary%25205_1.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 1919 x 496, 8-bit/color RGBA, non-interlaced
Size
440 kB (439813 bytes)
Hash
1b1456cfd25dac17810f7244181a8c0b
0d81ccf4669c8eb6dbb4b541de0ac330dee38740
32dea316312df50da8a7777af23c11a6c3ccaa8a3d8549aadb5414a159ced767

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970bd_Binary%25205_1.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 439813
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
x-amz-version-id: 1iFpXWe0Si4IPVLInnbOp9EGvNAVF6yG
accept-ranges: bytes
server: AmazonS3
date: Tue, 07 May 2024 08:13:51 GMT
cache-control: max-age=84600, must-revalidate
etag: "1b1456cfd25dac17810f7244181a8c0b"
vary: Accept-Encoding
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
access-control-allow-origin: *
x-cache: RefreshHit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: vA8bNsveYsBd4WkR2vz-lZCFs-U5x01vAMIWnOPdCKi-VMkHwtz1DQ==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c6_Binary%25204_5.png

3.164.240.122

200 OK

534 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c6_Binary%25204_5.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 1504 x 1421, 8-bit/color RGBA, non-interlaced
Size
534 kB (534434 bytes)
Hash
f6a62239e500fb498c035828b05cd632
8e65a3bf78afe6ce6b769fbf39d74e3c32947773
eeca91299fa72342b22e6d491b8cebbad4ca67be02207a186f0cb23fc2ff48be

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c6_Binary%25204_5.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 534434
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
x-amz-version-id: awMOiJNkANFzQY5NfhkC7zck27NkX5VC
accept-ranges: bytes
server: AmazonS3
date: Tue, 07 May 2024 08:13:51 GMT
cache-control: max-age=84600, must-revalidate
etag: "f6a62239e500fb498c035828b05cd632"
vary: Accept-Encoding
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
access-control-allow-origin: *
x-cache: RefreshHit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: wSuEZCo7v4VDCFPcQvqTrx7dLdUIXLjEIgdL0myIzE_ma5syA1_MpA==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c0_Debugger5.png

3.164.240.122

200 OK

373 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c0_Debugger5.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 1918 x 478, 8-bit/color RGB, non-interlaced
Size
373 kB (372664 bytes)
Hash
ee4788ce8d3c8bfbb4159be72c70c800
16fd2ef9ecdb49df895fa991780482117d6312dd
b2578a23cdc8c152f39268e6989e88e1d4e8b457e10863c5e3913e6f53a8d89b

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c0_Debugger5.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 372664
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
x-amz-version-id: ixCa1y7TCkwWmcsGTy4jFWAbk8Y0tNUh
accept-ranges: bytes
server: AmazonS3
date: Tue, 07 May 2024 08:13:51 GMT
cache-control: max-age=84600, must-revalidate
etag: "ee4788ce8d3c8bfbb4159be72c70c800"
vary: Accept-Encoding
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
access-control-allow-origin: *
x-cache: RefreshHit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: YaBQ-O-gSqcXapdXYUXzPIqlMelva_UnaOsMgiRIF_qJxGlVG1qlEg==
X-Firefox-Spdy: h2

j.6sc.co/6si.min.js

95.101.10.131

200 OK

18 kB

URL GET HTTP/2
j.6sc.co/6si.min.js
IP
95.101.10.131:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
JavaScript source, ASCII text, with very long lines (31995)
Size
18 kB (17942 bytes)
Hash
bf231eb780489fffea00aef444500b14
f0d4603fa4441a3cf3773efffbda309001c579b0
95ef911fcf12dfe0a1fb5b17a3b24fa81c6b07b102b435949b06e7e124de51cb

HTTP Headers

GET /6si.min.js HTTP/1.1
Host: j.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: application/javascript
etag: "662ae46d-10585"
last-modified: Thu, 25 Apr 2024 23:17:01 GMT
pragma: no-cache
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
vary: Accept-Encoding
content-encoding: gzip
cache-control: private, no-cache, proxy-revalidate
expires: Tue, 07 May 2024 08:13:51 GMT
date: Tue, 07 May 2024 08:13:51 GMT
content-length: 17942
X-Firefox-Spdy: h2

client-registry.mutinycdn.com/mutiny-client/4.5.3.4.js

151.101.129.91

200 OK

2.9 kB

URL GET HTTP/2
client-registry.mutinycdn.com/mutiny-client/4.5.3.4.js
IP
151.101.129.91:443
ASN
#54113 FASTLY

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGlobalSign nv-sa
Subjectclient-registry.mutinycdn.com
FingerprintBE:CC:E4:53:CC:9D:DB:E2:58:80:16:06:86:DD:09:06:92:66:F8:9C
ValidityWed, 06 Mar 2024 21:56:19 GMT - Mon, 07 Apr 2025 21:56:18 GMT

File type
JavaScript source, ASCII text, with very long lines (7567), with no line terminators
Size
2.9 kB (2934 bytes)
Hash
4862c87e0df637869c7df8395202758f
982882b772a55b79664fc4cd4c5f959a21486dca
c305db8bbf0452e04ae20e49774fcec074d4cd90b456c2c968ba558a396119dc

HTTP Headers

GET /mutiny-client/4.5.3.4.js HTTP/1.1
Host: client-registry.mutinycdn.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
x-amz-id-2: kp43T182nSdMWajEFgO9fOSOH5PSKHXvif36vn58EIO0PSpMMaRt1DJ0LJR9sqYbZ9NSzRxjoG8=
x-amz-request-id: 2YT8Q8XA2G834WFP
last-modified: Thu, 18 Apr 2024 14:44:59 GMT
etag: "4862c87e0df637869c7df8395202758f"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000
x-amz-version-id: P2mBnoeQjZKQ6u6wd1K_petu1fwXqOC0
content-type: application/javascript
server: AmazonS3
access-control-allow-methods: GET, HEAD
access-control-allow-origin: *
access-control-max-age: 3000
content-encoding: gzip
accept-ranges: bytes
date: Tue, 07 May 2024 08:13:51 GMT
via: 1.1 varnish
age: 1143767
x-served-by: cache-hel1410024-HEL
x-cache: HIT
x-cache-hits: 5588
vary: X-Continent-Code, Accept-Encoding
x-connection-speed: broadband
x-continent-code: EU
x-country-code: NO
x-edge-datacenter: HEL
x-edge-region: EU-East
content-length: 2934
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c2_Fourth%2520Binary.png

3.164.240.122

200 OK

530 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c2_Fourth%2520Binary.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 1694 x 961, 8-bit/color RGBA, non-interlaced
Size
530 kB (530248 bytes)
Hash
33a002d08480661a175cb84498a5b1c5
5cc50ff548fb824537a99c3c2dd9a42ca4bf99e2
87a0a8d723f2cff25bc452520d88ed1613f9b9e34114c403a30707a564a11312

HTTP Headers

GET /6579dd0b5f9a54376d296939/6579dd0b5f9a54376d2970c2_Fourth%2520Binary.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 530248
date: Tue, 07 May 2024 08:13:51 GMT
last-modified: Wed, 13 Dec 2023 16:34:36 GMT
etag: "33a002d08480661a175cb84498a5b1c5"
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
cache-control: max-age=84600, must-revalidate
x-amz-version-id: Qj2B1oLfb.qSFsj41UYhwDAbcJplmNlW
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
access-control-allow-origin: *
x-cache: Miss from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: w50M2heB47u4otcX5Z_rj0VOBfGL8e1rBhMqS35Y-kELV45kTzBf8A==
X-Firefox-Spdy: h2

js.hs-scripts.com/3911692.js

104.16.140.209

200 OK

1.2 kB

URL GET HTTP/2
js.hs-scripts.com/3911692.js
IP
104.16.140.209:443
ASN
#13335 CLOUDFLARENET

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subjecths-scripts.com
Fingerprint10:6A:CE:54:F8:1D:59:1E:1F:7D:DB:76:07:FC:FF:1A:7D:70:E9:BD
ValidityMon, 01 Apr 2024 23:22:11 GMT - Sun, 30 Jun 2024 23:22:10 GMT

File type
ASCII text, with very long lines (2931), with no line terminators
Size
1.2 kB (1205 bytes)
Hash
6dcc4481754d4bd036b534742902119f
36fa30a6a3b686531978f1be8224b02fac2e78af
340c7e135aca4964cf3542da8cbb80c5e911a068cb0b47b700e257ebf678ab50

HTTP Headers

GET /3911692.js HTTP/1.1
Host: js.hs-scripts.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:50 GMT
content-type: application/javascript;charset=utf-8
access-control-allow-credentials: true
access-control-allow-origin: https://www.huntress.com
access-control-max-age: 3600
cf-bgj: minify
cf-polished: origSize=3043
last-modified: Tue, 07 May 2024 08:09:18 GMT
vary: origin, Accept-Encoding
x-content-type-options: nosniff
x-hubspot-correlation-id: a535b15a-53ab-4963-890e-980124fda081
x-envoy-upstream-service-time: 4
x-evy-trace-listener: listener_https
x-evy-trace-route-configuration: listener_https/all
x-evy-trace-route-service-name: envoyset-translator
x-evy-trace-served-by-pod: iad02/hubapi-td/envoy-proxy-5d47c8d44f-pqqjf
x-evy-trace-virtual-host: all
x-request-id: a535b15a-53ab-4963-890e-980124fda081
cf-cache-status: HIT
age: 90
expires: Tue, 07 May 2024 08:15:20 GMT
cache-control: public, max-age=90
server: cloudflare
cf-ray: 87ffc0c45d85b4ed-OSL
content-encoding: br
X-Firefox-Spdy: h2

client-registry.mutinycdn.com/mutiny-client/2.5.3.4.js

151.101.129.91

200 OK

22 kB

URL GET HTTP/2
client-registry.mutinycdn.com/mutiny-client/2.5.3.4.js
IP
151.101.129.91:443
ASN
#54113 FASTLY

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGlobalSign nv-sa
Subjectclient-registry.mutinycdn.com
FingerprintBE:CC:E4:53:CC:9D:DB:E2:58:80:16:06:86:DD:09:06:92:66:F8:9C
ValidityWed, 06 Mar 2024 21:56:19 GMT - Mon, 07 Apr 2025 21:56:18 GMT

File type
JavaScript source, ASCII text, with very long lines (32121)
Size
22 kB (22324 bytes)
Hash
5f57bd67579ac324b2166b4130a8cc07
3e1ffee3e8f84fbacf09de556e9e461e5c0a7ff3
a452d07f0c98afcb2e862689e43aebfe63d8ed39628cd0db9d1a5bf2490f535c

HTTP Headers

GET /mutiny-client/2.5.3.4.js HTTP/1.1
Host: client-registry.mutinycdn.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
x-amz-id-2: zUV/nFsXY/kKWAMoFGZZMzQuy3PRdMam9YaRTkJah5W7ji/cH4GpnUDxGclwL5RZTHALngtwzNw=
x-amz-request-id: 2YT83ZEXX6435Q0Y
last-modified: Thu, 18 Apr 2024 14:44:59 GMT
etag: "5f57bd67579ac324b2166b4130a8cc07"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000
x-amz-version-id: 6xUArQV8NAP2GNy6ZfEzSxp4ijhn301A
content-type: application/javascript
server: AmazonS3
access-control-allow-methods: GET, HEAD
access-control-allow-origin: *
access-control-max-age: 3000
content-encoding: gzip
accept-ranges: bytes
date: Tue, 07 May 2024 08:13:51 GMT
via: 1.1 varnish
age: 1143767
x-served-by: cache-hel1410024-HEL
x-cache: HIT
x-cache-hits: 5609
vary: X-Continent-Code, Accept-Encoding
x-connection-speed: broadband
x-continent-code: EU
x-country-code: NO
x-edge-datacenter: HEL
x-edge-region: EU-East
content-length: 22324
X-Firefox-Spdy: h2

client-registry.mutinycdn.com/personalize/client_data/c9c27905c1e445d6.json

151.101.129.91

200 OK

2.4 kB

URL GET HTTP/2
client-registry.mutinycdn.com/personalize/client_data/c9c27905c1e445d6.json
IP
151.101.129.91:443
ASN
#54113 FASTLY

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGlobalSign nv-sa
Subjectclient-registry.mutinycdn.com
FingerprintBE:CC:E4:53:CC:9D:DB:E2:58:80:16:06:86:DD:09:06:92:66:F8:9C
ValidityWed, 06 Mar 2024 21:56:19 GMT - Mon, 07 Apr 2025 21:56:18 GMT

File type
JSON text data
Size
2.4 kB (2445 bytes)
Hash
5ac77d7552f39e01e2afcc306e5c8927
02f0d91b034a7c5ebffe95f923c123ac9008c5fa
a6b98cd7916e999160189031f3bf066ff406b1f517ef1166939a89886d64b840

HTTP Headers

GET /personalize/client_data/c9c27905c1e445d6.json HTTP/1.1
Host: client-registry.mutinycdn.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
x-amz-id-2: HvN56E1vPqBEnjg2mPrT3L2A4ErbUt/qVNvH4Z97ztrg1+eqeBKJkY2OG+FO3LisqmoI/NSnUCM=
x-amz-request-id: EV8H5VVCSQ819FKT
last-modified: Tue, 30 Apr 2024 19:44:48 GMT
etag: "5ac77d7552f39e01e2afcc306e5c8927"
x-amz-server-side-encryption: AES256
cache-control: s-maxage=3600, max-age=0
x-amz-version-id: OcJil6LNSxyxyThW1iPlbFS6ySfmzcVB
content-type: application/javascript
server: AmazonS3
x-continent-code: EU
access-control-allow-methods: GET, HEAD
access-control-allow-origin: *
access-control-max-age: 3000
content-encoding: gzip
accept-ranges: bytes
age: 2371
date: Tue, 07 May 2024 08:13:51 GMT
via: 1.1 varnish
x-served-by: cache-hel1410024-HEL
x-cache: HIT
x-cache-hits: 0
vary: X-Continent-Code, Accept-Encoding
x-connection-speed: broadband
x-country-code: NO
x-edge-datacenter: HEL
x-edge-region: EU-East
content-length: 2445
X-Firefox-Spdy: h2

client-registry.mutinycdn.com/mutiny-client/1.5.3.4.js

151.101.129.91

200 OK

32 kB

URL GET HTTP/2
client-registry.mutinycdn.com/mutiny-client/1.5.3.4.js
IP
151.101.129.91:443
ASN
#54113 FASTLY

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGlobalSign nv-sa
Subjectclient-registry.mutinycdn.com
FingerprintBE:CC:E4:53:CC:9D:DB:E2:58:80:16:06:86:DD:09:06:92:66:F8:9C
ValidityWed, 06 Mar 2024 21:56:19 GMT - Mon, 07 Apr 2025 21:56:18 GMT

File type
JavaScript source, ASCII text, with very long lines (65536), with no line terminators
Size
32 kB (31660 bytes)
Hash
eac830092663999c2be3f3efb0da7689
91c8dc54ded93e33a760383d788a6f52bb6846f6
6de536a2362cbe38a4f6e689f19e6727169ff98108d2a2bdaabe2a8a0fb3b358

HTTP Headers

GET /mutiny-client/1.5.3.4.js HTTP/1.1
Host: client-registry.mutinycdn.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
x-amz-id-2: xJOZ/gSfNkYAGvS2bUOsyBCFFbB7SHZFCpTIWt2RKWKF1eJpQmOcAHo9fjz7caWzT7KKNkz1P1k=
x-amz-request-id: 2YT2HKAK22ND4KKG
last-modified: Thu, 18 Apr 2024 14:44:59 GMT
etag: "eac830092663999c2be3f3efb0da7689"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000
x-amz-version-id: T9Hgvtb5nzo0y0K1.atv2V3TnFSnvJ2i
content-type: application/javascript
server: AmazonS3
access-control-allow-methods: GET, HEAD
access-control-allow-origin: *
access-control-max-age: 3000
content-encoding: gzip
accept-ranges: bytes
date: Tue, 07 May 2024 08:13:51 GMT
via: 1.1 varnish
age: 1143766
x-served-by: cache-hel1410024-HEL
x-cache: HIT
x-cache-hits: 5600
vary: X-Continent-Code, Accept-Encoding
x-connection-speed: broadband
x-continent-code: EU
x-country-code: NO
x-edge-datacenter: HEL
x-edge-region: EU-East
content-length: 31660
X-Firefox-Spdy: h2

client-registry.mutinycdn.com/mutiny-client/6.5.3.4.js

151.101.129.91

200 OK

5.0 kB

URL GET HTTP/2
client-registry.mutinycdn.com/mutiny-client/6.5.3.4.js
IP
151.101.129.91:443
ASN
#54113 FASTLY

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGlobalSign nv-sa
Subjectclient-registry.mutinycdn.com
FingerprintBE:CC:E4:53:CC:9D:DB:E2:58:80:16:06:86:DD:09:06:92:66:F8:9C
ValidityWed, 06 Mar 2024 21:56:19 GMT - Mon, 07 Apr 2025 21:56:18 GMT

File type
JavaScript source, ASCII text, with very long lines (15204), with no line terminators
Size
5.0 kB (4994 bytes)
Hash
d29de80cf4363fd641e6bb8c9576f803
72ec319bdbaaeb56e58341dc0859a7f4d86b43ff
870a0d4eda0b78ce739a6557840ab097d1a7464f0c5d3638cc2b862ead8505aa

HTTP Headers

GET /mutiny-client/6.5.3.4.js HTTP/1.1
Host: client-registry.mutinycdn.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
x-amz-id-2: R3iwNg3cHv4JWdaJbLOAxsV7I5nKs82EJWH+miB95+zPLxn+ay6O7385Mn+0HXASziwho1TqqyfnmVan0H2AWg==
x-amz-request-id: 2YTFJYE6M1KQHHCE
last-modified: Thu, 18 Apr 2024 14:44:59 GMT
etag: "d29de80cf4363fd641e6bb8c9576f803"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000
x-amz-version-id: ZXS_McyJn9VwVOg8b425k3TP.SdGeNXn
content-type: application/javascript
server: AmazonS3
access-control-allow-methods: GET, HEAD
access-control-allow-origin: *
access-control-max-age: 3000
content-encoding: gzip
accept-ranges: bytes
date: Tue, 07 May 2024 08:13:51 GMT
via: 1.1 varnish
age: 1143767
x-served-by: cache-hel1410024-HEL
x-cache: HIT
x-cache-hits: 5569
vary: X-Continent-Code, Accept-Encoding
x-connection-speed: broadband
x-continent-code: EU
x-country-code: NO
x-edge-datacenter: HEL
x-edge-region: EU-East
content-length: 4994
X-Firefox-Spdy: h2

assets.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d29694d_roboto-regular-webfont.woff2

143.204.55.45

200 OK

19 kB

URL GET HTTP/2
assets.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d29694d_roboto-regular-webfont.woff2
IP
143.204.55.45:443
ASN
#16509 AMAZON-02

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
Web Open Font Format (Version 2), TrueType, length 19348, version 1.0
Size
19 kB (19348 bytes)
Hash
a0118c6d18835732ae0eb880babc7598
81d726606d57cbd2ad6db2f3e69fcebafef48723
7f62ee80b8c824f30ad6c278146632d25b7e159e0a9cd91a356068eb9340061c

HTTP Headers

GET /6579dd0b5f9a54376d296915/6579dd0b5f9a54376d29694d_roboto-regular-webfont.woff2 HTTP/1.1
Host: assets.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Referer: https://assets-global.website-files.com/
Sec-Fetch-Dest: font
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/octet-stream
content-length: 19348
date: Thu, 28 Dec 2023 15:56:57 GMT
access-control-allow-origin: *
access-control-allow-methods: GET, HEAD
access-control-max-age: 3000
last-modified: Wed, 13 Dec 2023 16:34:20 GMT
etag: "a0118c6d18835732ae0eb880babc7598"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000, must-revalidate
x-amz-version-id: 1upZc36cdk27x7Arg8l9thaL3L34ome5
accept-ranges: bytes
server: AmazonS3
via: 1.1 80d21802b1b80c40e55ccf83433b8eac.cloudfront.net (CloudFront)
age: 11290615
x-cache: Hit from cloudfront
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: nZAOM15qOTEfU8RZTTHsO-4y4pRrZXII4-fj9wwc5FsfJv7AGdX9KA==
X-Firefox-Spdy: h2

assets.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296925_hknova-regular-webfont.woff2

143.204.55.45

200 OK

18 kB

URL GET HTTP/2
assets.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296925_hknova-regular-webfont.woff2
IP
143.204.55.45:443
ASN
#16509 AMAZON-02

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
Web Open Font Format (Version 2), TrueType, length 17728, version 1.0
Size
18 kB (17728 bytes)
Hash
fd0185054945b2abe907dc7e524389c9
a4ff7f06142ecece5403a39d447323b784b00609
71425f588c17edb9905c3ed73aee0404b58772b91c8154fe53d3157f58f0b2e2

HTTP Headers

GET /6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296925_hknova-regular-webfont.woff2 HTTP/1.1
Host: assets.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Referer: https://assets-global.website-files.com/
Sec-Fetch-Dest: font
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/octet-stream
content-length: 17728
date: Fri, 29 Mar 2024 10:53:50 GMT
access-control-allow-origin: *
access-control-allow-methods: GET, HEAD
access-control-max-age: 3000
last-modified: Wed, 13 Dec 2023 16:34:20 GMT
etag: "fd0185054945b2abe907dc7e524389c9"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000, must-revalidate
x-amz-version-id: At.YFBHJO4EQclecPPM23aBnfk3j2h1H
accept-ranges: bytes
server: AmazonS3
via: 1.1 80d21802b1b80c40e55ccf83433b8eac.cloudfront.net (CloudFront)
age: 3360002
x-cache: Hit from cloudfront
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: OxTbEXb67tpDcJ5XYuDWQ07V9E9pSt_X0OesHly7_xl0S14FH88SeQ==
X-Firefox-Spdy: h2

assets.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d29691d_hknova-bold-webfont.woff2

143.204.55.45

18 kB

URL
assets.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d29691d_hknova-bold-webfont.woff2
IP
143.204.55.45:0
ASN
#16509 AMAZON-02

Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
Web Open Font Format (Version 2), TrueType, length 18204, version 1.0
Size
18 kB (18204 bytes)
Hash
5aec097021a58170197314c745d296db
934a5302166092dc2d5532b914eb24fbc3bfdbe0
a4aba4543a40b2e2d78e4006eb941a3a18cf95dc81041ad362321a3995bcc898

HTTP Headers

GET /6579dd0b5f9a54376d296915/6579dd0b5f9a54376d29691d_hknova-bold-webfont.woff2 HTTP/1.1
Host: assets.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Referer: https://assets-global.website-files.com/
Sec-Fetch-Dest: font
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/octet-stream
content-length: 18204
date: Fri, 29 Mar 2024 10:53:50 GMT
access-control-allow-origin: *
access-control-allow-methods: GET, HEAD
access-control-max-age: 3000
last-modified: Wed, 13 Dec 2023 16:34:20 GMT
etag: "5aec097021a58170197314c745d296db"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000, must-revalidate
x-amz-version-id: 4JksoGDTlz479HpJYtobtrz0YXSwp3Rx
accept-ranges: bytes
server: AmazonS3
via: 1.1 80d21802b1b80c40e55ccf83433b8eac.cloudfront.net (CloudFront)
age: 3360002
x-cache: Hit from cloudfront
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: w8TjO4--QlkAtmCIfnOrtSAnPf2kvqK_cDCdyX0dVsMBYLTDKP6aGw==
X-Firefox-Spdy: h2

assets.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296961_visuelt-bold-webfont.woff2

143.204.55.45

21 kB

URL
assets.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296961_visuelt-bold-webfont.woff2
IP
143.204.55.45:0
ASN
#16509 AMAZON-02

Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
Web Open Font Format (Version 2), TrueType, length 21280, version 1.0
Size
21 kB (21280 bytes)
Hash
4be3159e8cb3fb66b8e847dd0bedb2ed
3fb4d28977d2ff710cc9a2ac8e9218cfe7772a1f
36b097a74149a547cc7fe1da7b5a9cacf6c36d2f91872f11874479e1d4fafee2

HTTP Headers

GET /6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296961_visuelt-bold-webfont.woff2 HTTP/1.1
Host: assets.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Referer: https://assets-global.website-files.com/
Sec-Fetch-Dest: font
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/octet-stream
content-length: 21280
date: Thu, 28 Dec 2023 15:56:56 GMT
access-control-allow-origin: *
access-control-allow-methods: GET, HEAD
access-control-max-age: 3000
last-modified: Wed, 13 Dec 2023 16:34:20 GMT
etag: "4be3159e8cb3fb66b8e847dd0bedb2ed"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000, must-revalidate
x-amz-version-id: 6cft5KdwVHtlIu77Lo8AxPLF1V_1aCGv
accept-ranges: bytes
server: AmazonS3
via: 1.1 80d21802b1b80c40e55ccf83433b8eac.cloudfront.net (CloudFront)
age: 11290616
x-cache: Hit from cloudfront
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: dYA1-0OhBg8cb5q3XPS5RRRX_YP1S4tkfV3xIuh13AWzWkg5IykyIg==
X-Firefox-Spdy: h2

hubspotonwebflow.com/assets/js/form-124.js

76.76.21.61

20 kB

URL
hubspotonwebflow.com/assets/js/form-124.js
IP
76.76.21.61:0
ASN
#16509 AMAZON-02

File type
ASCII text
Size
20 kB (20410 bytes)
Hash
392ca1f460caa2aa9439969a89f31c13
04ace83023f1701540a5f3684c0d76e09d745e85
10ef3ba5308697292067120aee8cea7f3341a9a5e691475bc4a29805a5194939

HTTP Headers

GET /assets/js/form-124.js HTTP/1.1
Host: hubspotonwebflow.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
access-control-allow-origin: *
age: 1672096
cache-control: public, max-age=0, must-revalidate
content-disposition: inline; filename="form-124.js"
content-encoding: br
content-type: application/javascript; charset=utf-8
date: Tue, 07 May 2024 08:13:50 GMT
etag: W/"392ca1f460caa2aa9439969a89f31c13"
server: Vercel
strict-transport-security: max-age=63072000
x-matched-path: /assets/js/form-124.js
x-vercel-cache: HIT
x-vercel-id: arn1::c2s5w-1715069630156-394455a81d38
X-Firefox-Spdy: h2

huntresscdn.com/19680a27e88da4a3713af26571b4849096e75d617f2845574af7fd15746256bb.js

104.26.1.173

200 OK

114 kB

URL GET HTTP/2
huntresscdn.com/19680a27e88da4a3713af26571b4849096e75d617f2845574af7fd15746256bb.js
IP
104.26.1.173:443
ASN
#13335 CLOUDFLARENET

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subjecthuntresscdn.com
Fingerprint22:90:2E:56:80:49:0D:11:61:C0:98:0B:C3:6B:14:BC:C7:4E:FD:6E
ValidityMon, 08 Apr 2024 23:13:58 GMT - Sun, 07 Jul 2024 23:13:57 GMT

File type
JavaScript source, ASCII text, with very long lines (64903)
Size
114 kB (113865 bytes)
Hash
5601f72e0dbb3fa292669d45d4166a82
16f8b5a472e992a7b3550a74b82afa32d172cb8b
19680a27e88da4a3713af26571b4849096e75d617f2845574af7fd15746256bb

HTTP Headers

GET /19680a27e88da4a3713af26571b4849096e75d617f2845574af7fd15746256bb.js HTTP/1.1
Host: huntresscdn.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:51 GMT
content-length: 113865
cf-ray: 87ffc0cf993b7131-OSL
cf-cache-status: HIT
accept-ranges: bytes
access-control-allow-origin: *
age: 6925
cache-control: max-age=14400, maxage=14400
last-modified: Tue, 07 May 2024 06:18:26 GMT
vary: Origin, Accept-Encoding
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J8Yi58O8S6L0KC69JftFtXDMHblSMOKf%2FFYSNNx92x1OfySXXAxvAwIEofhNgQ%2FtCsx9Coii5ZiA8IPay%2Fk1%2FhLbuMKN%2B3nH6pI0YCYml93W4ELFfkGvHzoeM2azwf05lg%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
X-Firefox-Spdy: h2

www.googletagmanager.com/gtm.js?id=GTM-TXRTDGW4

142.250.74.168

200 OK

106 kB

URL GET HTTP/2
www.googletagmanager.com/gtm.js?id=GTM-TXRTDGW4
IP
142.250.74.168:443
ASN
#15169 GOOGLE

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGoogle Trust Services LLC
Subject*.google-analytics.com
Fingerprint93:6B:D2:9D:92:BE:2D:D8:02:67:82:83:5E:EF:A3:F9:13:F3:26:AE
ValidityTue, 16 Apr 2024 03:18:45 GMT - Tue, 09 Jul 2024 03:18:44 GMT

File type
JavaScript source, Unicode text, UTF-8 text, with very long lines (48189)
Size
106 kB (105606 bytes)
Hash
327a6b18b895968fbf2a57b251e2f2f7
2ceefa0d5e23a8999604439be35177705f4e4bae
d8f066922ed924dd699b32fa3d3029b7a6e1892d6516e3866bb1dde142eb254b

HTTP Headers

GET /gtm.js?id=GTM-TXRTDGW4 HTTP/1.1
Host: www.googletagmanager.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript; charset=UTF-8
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-headers: Cache-Control
content-encoding: br
vary: Accept-Encoding
date: Tue, 07 May 2024 08:13:51 GMT
expires: Tue, 07 May 2024 08:13:51 GMT
cache-control: private, max-age=900
last-modified: Tue, 07 May 2024 06:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains
cross-origin-resource-policy: cross-origin
server: Google Tag Manager
content-length: 105606
x-xss-protection: 0
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
X-Firefox-Spdy: h2

client-registry.mutinycdn.com/personalize/user_data/c9c27905c1e445d6.json?async=false&session_token=78f0abea-4b9c-4feb-938e-b8db9e7ae8cc&token=5737ea4b430c1742&visitor_token=84cd7e98-35aa-431b-bec7-3eeb9a5fb4cd

151.101.129.91

200 OK

281 B

URL GET HTTP/2
client-registry.mutinycdn.com/personalize/user_data/c9c27905c1e445d6.json?async=false&session_token=78f0abea-4b9c-4feb-938e-b8db9e7ae8cc&token=5737ea4b430c1742&visitor_token=84cd7e98-35aa-431b-bec7-3eeb9a5fb4cd
IP
151.101.129.91:443
ASN
#54113 FASTLY

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGlobalSign nv-sa
Subjectclient-registry.mutinycdn.com
FingerprintBE:CC:E4:53:CC:9D:DB:E2:58:80:16:06:86:DD:09:06:92:66:F8:9C
ValidityWed, 06 Mar 2024 21:56:19 GMT - Mon, 07 Apr 2025 21:56:18 GMT

File type
JSON text data
Size
281 B (281 bytes)
Hash
c9c30577fab2b228e8186014c8263809
b2358c5b878323d44cbffe14e15e45516965c6b5
114ee477db463164539505c0b14f7d7e40b6f1cd17fcb451bbec0b8ed3703e51

HTTP Headers

GET /personalize/user_data/c9c27905c1e445d6.json?async=false&session_token=78f0abea-4b9c-4feb-938e-b8db9e7ae8cc&token=5737ea4b430c1742&visitor_token=84cd7e98-35aa-431b-bec7-3eeb9a5fb4cd HTTP/1.1
Host: client-registry.mutinycdn.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: application/json
access-control-expose-headers: x-cache, x-cache-hits, age
cache-control: no-store
content-encoding: gzip
server: Cowboy
x-async-user-data: false
x-visitor-token: 84cd7e98-35aa-431b-bec7-3eeb9a5fb4cd
access-control-allow-methods: GET, HEAD
access-control-allow-origin: *
access-control-max-age: 3000
accept-ranges: bytes
age: 0
date: Tue, 07 May 2024 08:13:52 GMT
via: 1.1 varnish
x-served-by: cache-hel1410024-HEL
x-cache: MISS
x-cache-hits: 0
vary: X-Continent-Code, Accept-Encoding
x-connection-speed: broadband
x-continent-code: EU
x-country-code: NO
x-edge-datacenter: HEL
x-edge-region: EU-East
content-length: 281
X-Firefox-Spdy: h2

assets-global.website-files.com/655d92689c415e9fefcf2368/656079b2a6c055ce7d368e61_Secondary%20Text%20CTA%20Black%20(1).svg

3.164.240.122

200 OK

407 B

URL GET HTTP/2
assets-global.website-files.com/655d92689c415e9fefcf2368/656079b2a6c055ce7d368e61_Secondary%20Text%20CTA%20Black%20(1).svg
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
SVG Scalable Vector Graphics image
Size
407 B (407 bytes)
Hash
7b97da408ecd186da2775e85d3b5fc35
8b4f66f24205e57e80a40b6b47033d0d40a06b55
ad1a0bf17b8433241806ec0b3cb9c17be616ea295df90068ab3e646de802e111

HTTP Headers

GET /655d92689c415e9fefcf2368/656079b2a6c055ce7d368e61_Secondary%20Text%20CTA%20Black%20(1).svg HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/svg+xml
content-length: 407
date: Fri, 05 Jan 2024 14:43:06 GMT
last-modified: Fri, 24 Nov 2023 10:23:48 GMT
etag: "7b97da408ecd186da2775e85d3b5fc35"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000, must-revalidate
x-amz-version-id: 6MUyKzg7.UI2lqy3cc43_aNDTQO42ExF
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 10603846
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: 9i9Ic-ZQMFon6ynfn9vM_Msw2PzIOUQ1qxKpejZ3J6JkKA8LDxaBuA==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296939/660d84628ab92ac79f396cbc_Huntress-Default-Thumbnail-365x274.webp

3.164.240.122

200 OK

57 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296939/660d84628ab92ac79f396cbc_Huntress-Default-Thumbnail-365x274.webp
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
RIFF (little-endian) data, Web/P image
Size
57 kB (56712 bytes)
Hash
90e325489bb7300b9b0e7450932f076c
37f45c12dc8732a7b6823911ffa8c4e2fbd431aa
3bc3d6398e060891881fe64a203deb25ab6bc564867ba441bced61f643bf41eb

HTTP Headers

GET /6579dd0b5f9a54376d296939/660d84628ab92ac79f396cbc_Huntress-Default-Thumbnail-365x274.webp HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/webp
content-length: 56712
date: Sat, 06 Apr 2024 06:10:57 GMT
last-modified: Wed, 03 Apr 2024 16:31:31 GMT
etag: "90e325489bb7300b9b0e7450932f076c"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000, must-revalidate
x-amz-version-id: BtdXOnNCPiDzOP3e6wE5N5puIfbXkApz
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 2685776
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: 0iLCDdovRbRLbiQbPYAfwamLnqc5bpcAbECon5gAwEkltQ-l0Xy9nA==
X-Firefox-Spdy: h2

tools.refokus.com/rich-text-enhancer/bundle.v1.0.0.js

76.76.21.9

200 OK

859 B

URL GET HTTP/2
tools.refokus.com/rich-text-enhancer/bundle.v1.0.0.js
IP
76.76.21.9:443
ASN
#16509 AMAZON-02

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subjecttools.refokus.com
FingerprintF9:21:1F:50:32:C8:78:F8:26:F6:8B:B5:58:F9:5A:91:A8:4E:D2:54
ValiditySun, 21 Apr 2024 00:02:32 GMT - Sat, 20 Jul 2024 00:02:31 GMT

File type
JavaScript source, ASCII text, with very long lines (1681), with no line terminators
Size
859 B (859 bytes)
Hash
bfd9ff53d0c1baa43dbb0f44751f23e9
adae49e91e0e5515f82bd9a5fa211f551518e607
a577cc713533d7a1edbc5186c3f7b8788bbf317a857111150778d6a617220cec

HTTP Headers

GET /rich-text-enhancer/bundle.v1.0.0.js HTTP/1.1
Host: tools.refokus.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
access-control-allow-origin: *
age: 1876526
cache-control: public, max-age=0, must-revalidate
content-disposition: inline; filename="bundle.v1.0.0.js"
content-encoding: br
content-type: application/javascript; charset=utf-8
date: Tue, 07 May 2024 08:13:50 GMT
etag: W/"bfd9ff53d0c1baa43dbb0f44751f23e9"
server: Vercel
strict-transport-security: max-age=63072000
x-vercel-cache: HIT
x-vercel-id: arn1::td9kd-1715069630151-1e8a0f4cbd5f
X-Firefox-Spdy: h2

js.hsleadflows.net/leadflows.js

104.18.140.17

200 OK

89 kB

URL GET HTTP/2
js.hsleadflows.net/leadflows.js
IP
104.18.140.17:443
ASN
#13335 CLOUDFLARENET

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subjecthsleadflows.net
Fingerprint2A:AE:F1:03:2C:4F:72:27:B3:89:5D:9B:C9:B1:AC:12:FE:A9:CA:8E
ValidityFri, 05 Apr 2024 00:07:39 GMT - Thu, 04 Jul 2024 00:07:38 GMT

File type
JavaScript source, ASCII text, with very long lines (65536), with no line terminators
Size
89 kB (89119 bytes)
Hash
d252299cef5b9176cf0435e72e0baeeb
968a62d85c0d2e1322c27631422dfd196a427865
efb5dc6835aeb8a8e1615ca49df1828cfaf708dc73651c5f1c651f2d2ab3907a

HTTP Headers

GET /leadflows.js HTTP/1.1
Host: js.hsleadflows.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:52 GMT
content-type: application/javascript; charset=utf-8
access-control-allow-origin: *
access-control-allow-methods: GET
access-control-max-age: 3000
x-amz-replication-status: COMPLETED
last-modified: Wed, 03 Apr 2024 09:27:53 UTC
etag: W/"d252299cef5b9176cf0435e72e0baeeb"
x-amz-server-side-encryption: AES256
x-amz-version-id: FzXUOelq5PzvbDhLOc3Au0ThiCBuXHAc
vary: Accept-Encoding,Origin,Access-Control-Request-Headers,Access-Control-Request-Method
x-cache: Miss from cloudfront
via: 1.1 3f95374273631adbfd8e0d0a9f6d7b64.cloudfront.net (CloudFront)
x-amz-cf-pop: IAD12-P1
x-amz-cf-id: asxIQsb9eURxd7ebv7CqufV8fy6NWtcc2WydJVoo5lWoXHLHtEvoMA==
content-security-policy-report-only: frame-ancestors 'self'; report-uri https://send.hsbrowserreports.com/csp/report?resource=lead-flows-js/static-1.1338/bundle/main/lead-flows-release.js&cfRay=87c7739ebe8809a9-ARN
cache-control: s-maxage=86400, max-age=0
x-hs-target-asset: lead-flows-js/static-1.1338/bundle/main/lead-flows-release.js
x-content-type-options: nosniff
x-hs-cache-status: MISS
x-envoy-upstream-service-time: 32
x-evy-trace-route-service-name: envoyset-translator
x-evy-trace-virtual-host: all
x-hubspot-correlation-id: 7b0d015c-4138-43de-ad92-614aea83245d
x-evy-trace-served-by-pod: iad02/app-td/envoy-proxy-68b7f7fbff-z4v48
x-evy-trace-listener: listener_https
x-evy-trace-route-configuration: listener_https/all
x-request-id: 7b0d015c-4138-43de-ad92-614aea83245d
cache-tag: staticjsapp-lead-flows-cloudflare-web-prod,staticjsapp-prod
cf-cache-status: HIT
age: 53995
server: cloudflare
cf-ray: 87ffc0d039470b59-OSL
content-encoding: br
X-Firefox-Spdy: h2

ipv6.6sc.co/

23.36.79.19

200 OK

4 B

URL GET HTTP/2
ipv6.6sc.co/
IP
23.36.79.19:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
ASCII text, with no line terminators
Size
4 B (4 bytes)
Hash
37a6259cc0c1dae299a7866489dff0bd
2be88ca4242c76e8253ac62474851065032d6833
74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b

HTTP Headers

GET / HTTP/1.1
Host: ipv6.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: text/html
content-length: 4
expires: Tue, 07 May 2024 08:13:52 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:52 GMT
server-timing: cdn-cache; desc=HIT, edge; dur=1, ak_p; desc="1715069632240_388255503_133349385_17_650_4_21_21";dur=1
6si-ipv6: null
access-control-allow-origin: https://www.huntress.com
vary: Origin
X-Firefox-Spdy: h2

js.hscollectedforms.net/collectedforms.js

104.16.109.254

25 kB

URL
js.hscollectedforms.net/collectedforms.js
IP
104.16.109.254:0
ASN
#13335 CLOUDFLARENET

File type
JavaScript source, Unicode text, UTF-8 text, with very long lines (65392), with no line terminators
Size
25 kB (24831 bytes)
Hash
020909a609cf986b4a8a88cfb577a8db
b433b99760f44c8a494a5c13a07aa1a9933d0179
5c76dd89a767afd512ce6c6370424f39a632ebb736c16ac37952fbfd97575448

HTTP Headers

GET /collectedforms.js HTTP/1.1
Host: js.hscollectedforms.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:52 GMT
content-type: application/javascript; charset=utf-8
access-control-allow-origin: *
access-control-allow-methods: GET
access-control-max-age: 3000
x-amz-replication-status: COMPLETED
last-modified: Wed, 10 Apr 2024 18:06:23 UTC
x-amz-server-side-encryption: AES256
x-amz-version-id: _rd02ux3UWoVQsATQDf.p_LxkLPJ6umh
etag: W/"020909a609cf986b4a8a88cfb577a8db"
vary: Accept-Encoding,Origin,Access-Control-Request-Headers,Access-Control-Request-Method
x-cache: RefreshHit from cloudfront
via: 1.1 05133180bbd1649d4b8f97441bf305e8.cloudfront.net (CloudFront)
x-amz-cf-pop: IAD12-P3
x-amz-cf-id: dE-wvownKHvjrATS36ztN0Nm6avhkZMzhr2vRvasq79aoQ2XeIz8yQ==
content-security-policy-report-only: frame-ancestors 'self'; report-uri https://send.hsbrowserreports.com/csp/report?resource=collected-forms-embed-js/static-1.491/bundles/project.js&cfRay=87c9385268e7d906-ARN
cache-control: s-maxage=600, max-age=300
x-hs-target-asset: collected-forms-embed-js/static-1.491/bundles/project.js
x-content-type-options: nosniff
x-hs-cache-status: MISS
x-envoy-upstream-service-time: 54
x-evy-trace-route-service-name: envoyset-translator
x-evy-trace-virtual-host: all
x-hubspot-correlation-id: 6c587d62-5999-4d4c-b720-6fdb444ee4e1
x-evy-trace-served-by-pod: iad02/app-td/envoy-proxy-68b7f7fbff-kgjsm
x-evy-trace-listener: listener_https
x-evy-trace-route-configuration: listener_https/all
x-request-id: 6c587d62-5999-4d4c-b720-6fdb444ee4e1
cache-tag: staticjsapp-collected-forms-embed-js-web-prod,staticjsapp-prod
cf-cache-status: HIT
age: 91
server: cloudflare
cf-ray: 87ffc0d0191356a4-OSL
content-encoding: br
X-Firefox-Spdy: h2

b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=ni%3AasyncSettingsAudit&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22setToken%5C%22%2C%5C%22value%5C%22%3A%5C%22a87a3edc53b5a86d1795d11887b5aa39%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22disableCookies%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setEpsilonKey%5C%22%2C%5C%22value%5C%22%3A%5C%22c081b6bcc07a45b013b81ff3441b82387640805c%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIPv6Ping%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIgnorePageUrlHash%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableRetargeting%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setWhiteListFields%5C%22%2C%5C%22value%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setCustomMetatags%5C%22%2C%5C%22value%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22storeTagId%5C%22%2C%5C%22value%5C%22%3A%5C%228769192b-20ba-4df2-8d62-2740a805c3e8%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableEventTracking%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setCompanyDetailsExpiration%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableMapCookieCapture%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableCompanyDetails%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=8769192b-20ba-4df2-8d62-2740a805c3e8&v=1.1.18

95.101.10.131

43 B

URL
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=ni%3AasyncSettingsAudit&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22setToken%5C%22%2C%5C%22value%5C%22%3A%5C%22a87a3edc53b5a86d1795d11887b5aa39%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22disableCookies%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setEpsilonKey%5C%22%2C%5C%22value%5C%22%3A%5C%22c081b6bcc07a45b013b81ff3441b82387640805c%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIPv6Ping%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIgnorePageUrlHash%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableRetargeting%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setWhiteListFields%5C%22%2C%5C%22value%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setCustomMetatags%5C%22%2C%5C%22value%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22storeTagId%5C%22%2C%5C%22value%5C%22%3A%5C%228769192b-20ba-4df2-8d62-2740a805c3e8%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableEventTracking%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setCompanyDetailsExpiration%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableMapCookieCapture%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableCompanyDetails%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=8769192b-20ba-4df2-8d62-2740a805c3e8&v=1.1.18
IP
95.101.10.131:0
ASN
#20940 Akamai International B.V.

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=ni%3AasyncSettingsAudit&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22setToken%5C%22%2C%5C%22value%5C%22%3A%5C%22a87a3edc53b5a86d1795d11887b5aa39%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22disableCookies%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setEpsilonKey%5C%22%2C%5C%22value%5C%22%3A%5C%22c081b6bcc07a45b013b81ff3441b82387640805c%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIPv6Ping%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableIgnorePageUrlHash%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableRetargeting%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setWhiteListFields%5C%22%2C%5C%22value%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setCustomMetatags%5C%22%2C%5C%22value%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22storeTagId%5C%22%2C%5C%22value%5C%22%3A%5C%228769192b-20ba-4df2-8d62-2740a805c3e8%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableEventTracking%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22setCompanyDetailsExpiration%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableMapCookieCapture%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%2C%7B%5C%22name%5C%22%3A%5C%22enableCompanyDetails%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%220%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=8769192b-20ba-4df2-8d62-2740a805c3e8&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "63f020a0-2b"
last-modified: Sat, 18 Feb 2023 00:49:36 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:13:52 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:52 GMT
X-Firefox-Spdy: h2

js.hs-banner.com/cookie-banner-public/v1/activity/view

104.18.34.229

0 B

URL
js.hs-banner.com/cookie-banner-public/v1/activity/view
IP
104.18.34.229:0
ASN
#13335 CLOUDFLARENET

File type

Size
0 B (0 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

HTTP Headers

OPTIONS /cookie-banner-public/v1/activity/view HTTP/1.1
Host: js.hs-banner.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:52 GMT
content-type: application/octet-stream
content-length: 0
access-control-allow-origin: https://www.huntress.com
access-control-allow-methods: GET, OPTIONS, PUT, POST, DELETE, PATCH, HEAD
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Accept-Charset, Accept-Encoding, X-Override-Internal-Permissions, X-Properties-Source, X-Properties-SourceId, X-Properties-Flag, X-Hubspot-User-Id, X-Hubspot-Trace, X-Hubspot-Callee, X-Hubspot-Offset, X-Hubspot-No-Trace, X-HubSpot-Static-App-Info, X-HubSpot-Messages-Uri, X-HubSpot-Request-Source, X-HubSpot-Request-Reason, Subscription-Billing-Auth-Token, X-App-CSRF, X-Tools-CSRF, Online-Payment-Signing-UUID, X-Source, X-SourceId, X-Origin-UserId, X-Biden-Request-Source, X-HubSpot-CSRF-hubspotapi, X-Force-Cookie-Refresh, X-Force-Cookie-Refresh-No-Cache, X-HS-User-Request, X-Application-Id, X-HS-Referer, X-HubSpot-Correlation-Id
access-control-expose-headers: x-last-modified-timestamp, X-HubSpot-NotFound, X-HS-User-Request, Link, Server-Timing
access-control-allow-credentials: true
access-control-max-age: 604800
timing-allow-origin: *
vary: origin
x-envoy-upstream-service-time: 1
x-evy-trace-route-service-name: envoyset-translator
x-evy-trace-virtual-host: all
x-hubspot-correlation-id: d6fa3106-021e-4e90-9a73-dbb9fee52348
x-evy-trace-served-by-pod: iad02/analytics-js-proxy-td/envoy-proxy-78cb6f459b-2r68v
x-evy-trace-listener: listener_https
x-evy-trace-route-configuration: listener_https/all
x-request-id: d6fa3106-021e-4e90-9a73-dbb9fee52348
cf-cache-status: DYNAMIC
server: cloudflare
cf-ray: 87ffc0d1a926568e-OSL
X-Firefox-Spdy: h2

www.googletagmanager.com/gtag/js?id=G-GCTMBVFESS&l=dataLayer&cx=c

142.250.74.168

200 OK

109 kB

URL GET HTTP/3
www.googletagmanager.com/gtag/js?id=G-GCTMBVFESS&l=dataLayer&cx=c
IP
142.250.74.168:443
ASN
#15169 GOOGLE

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGoogle Trust Services LLC
Subject*.google-analytics.com
Fingerprint93:6B:D2:9D:92:BE:2D:D8:02:67:82:83:5E:EF:A3:F9:13:F3:26:AE
ValidityTue, 16 Apr 2024 03:18:45 GMT - Tue, 09 Jul 2024 03:18:44 GMT

File type
JavaScript source, ASCII text, with very long lines (16362)
Size
109 kB (109114 bytes)
Hash
51a0cc148c57672669570f2b988e58dc
c1359f77b8d687e7cd99adef75a7521387958100
241937498fc871398b3a053286dfb2b260cd628ecbf94f1eb5caeea67ad9e5c8

HTTP Headers

GET /gtag/js?id=G-GCTMBVFESS&l=dataLayer&cx=c HTTP/1.1
Host: www.googletagmanager.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/3 200 OK
content-type: application/javascript; charset=UTF-8
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-headers: Cache-Control
content-encoding: br
vary: Accept-Encoding
date: Tue, 07 May 2024 08:13:52 GMT
expires: Tue, 07 May 2024 08:13:52 GMT
cache-control: private, max-age=900
strict-transport-security: max-age=31536000; includeSubDomains
cross-origin-resource-policy: cross-origin
server: Google Tag Manager
content-length: 109114
x-xss-protection: 0
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

www.googletagmanager.com/gtag/destination?id=AW-429191348&l=dataLayer&cx=c

142.250.74.168

89 kB

URL
www.googletagmanager.com/gtag/destination?id=AW-429191348&l=dataLayer&cx=c
IP
142.250.74.168:0
ASN
#15169 GOOGLE

Certificate
IssuerGoogle Trust Services LLC
Subject*.google-analytics.com
Fingerprint93:6B:D2:9D:92:BE:2D:D8:02:67:82:83:5E:EF:A3:F9:13:F3:26:AE
ValidityTue, 16 Apr 2024 03:18:45 GMT - Tue, 09 Jul 2024 03:18:44 GMT

File type
JavaScript source, ASCII text, with very long lines (4179)
Size
89 kB (88876 bytes)
Hash
45a091d668bb7bbb032c21efb1464cf0
3a2e54ec1e698d30e367df695e74d9efa2e74814
883de3f902f579344839e517be4d07f11f358a06d2225470d8b1934e372cc26e

HTTP Headers

GET /gtag/destination?id=AW-429191348&l=dataLayer&cx=c HTTP/1.1
Host: www.googletagmanager.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/3 200 OK
content-type: application/javascript; charset=UTF-8
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-headers: Cache-Control
content-encoding: br
vary: Accept-Encoding
date: Tue, 07 May 2024 08:13:52 GMT
expires: Tue, 07 May 2024 08:13:52 GMT
cache-control: private, max-age=900
last-modified: Tue, 07 May 2024 06:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains
cross-origin-resource-policy: cross-origin
server: Google Tag Manager
content-length: 88876
x-xss-protection: 0
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

js.hs-banner.com/cookie-banner-public/v1/activity/view

104.18.34.229

0 B

URL
js.hs-banner.com/cookie-banner-public/v1/activity/view
IP
104.18.34.229:0
ASN
#13335 CLOUDFLARENET

File type

Size
0 B (0 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

HTTP Headers

POST /cookie-banner-public/v1/activity/view HTTP/1.1
Host: js.hs-banner.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
Content-Type: application/json
Content-Length: 136
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 204 No Content
date: Tue, 07 May 2024 08:13:52 GMT
access-control-allow-origin: https://www.huntress.com
access-control-allow-methods: GET, OPTIONS, PUT, POST, DELETE, PATCH, HEAD
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Accept-Charset, Accept-Encoding, X-Override-Internal-Permissions, X-Properties-Source, X-Properties-SourceId, X-Properties-Flag, X-Hubspot-User-Id, X-Hubspot-Trace, X-Hubspot-Callee, X-Hubspot-Offset, X-Hubspot-No-Trace, X-HubSpot-Static-App-Info, X-HubSpot-Messages-Uri, X-HubSpot-Request-Source, X-HubSpot-Request-Reason, Subscription-Billing-Auth-Token, X-App-CSRF, X-Tools-CSRF, Online-Payment-Signing-UUID, X-Source, X-SourceId, X-Origin-UserId, X-Biden-Request-Source, X-HubSpot-CSRF-hubspotapi, X-Force-Cookie-Refresh, X-Force-Cookie-Refresh-No-Cache, X-HS-User-Request, X-Application-Id, X-HS-Referer, X-HubSpot-Correlation-Id
access-control-expose-headers: x-last-modified-timestamp, X-HubSpot-NotFound, X-HS-User-Request, Link, Server-Timing
access-control-allow-credentials: true
access-control-max-age: 604800
timing-allow-origin: *
vary: origin
x-content-type-options: nosniff
x-envoy-upstream-service-time: 16
x-evy-trace-route-service-name: envoyset-translator
x-evy-trace-virtual-host: all
x-hubspot-correlation-id: df3c3aa9-daa1-4a0e-b14a-7450aab61d56
x-evy-trace-served-by-pod: iad02/analytics-js-proxy-td/envoy-proxy-78cb6f459b-mnr7x
x-evy-trace-listener: listener_https
x-evy-trace-route-configuration: listener_https/all
x-request-id: df3c3aa9-daa1-4a0e-b14a-7450aab61d56
cf-cache-status: DYNAMIC
server: cloudflare
cf-ray: 87ffc0d2aaf7568e-OSL
X-Firefox-Spdy: h2

www.redditstatic.com/ads/pixel.js

151.101.1.140

200 OK

11 kB

URL GET HTTP/2
www.redditstatic.com/ads/pixel.js
IP
151.101.1.140:443
ASN
#54113 FASTLY

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerDigiCert Inc
Subjectwww.redditstatic.com
Fingerprint2F:CB:EB:6E:79:ED:BE:34:24:FF:A9:C2:0C:D1:07:8D:56:7F:2F:16
ValidityMon, 08 Jan 2024 00:00:00 GMT - Sat, 06 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (39242)
Size
11 kB (11214 bytes)
Hash
b1de5a83f25d164f24b470c022d2a356
56b8a2b55612b3b4b8dbb4b550f1cd4e72d930dd
57bd3463acfad02c222f7beac208f69df5507f7de42fa38b18a1e1e48df2a44a

HTTP Headers

GET /ads/pixel.js HTTP/1.1
Host: www.redditstatic.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
last-modified: Wed, 24 Apr 2024 17:35:49 GMT
etag: "c4d61fbb6e730a840c7f140cbb9bcd06"
x-amz-server-side-encryption: AES256
cache-control: public, max-age=60
content-encoding: gzip
content-type: application/javascript
via: 1.1 varnish, 1.1 varnish
accept-ranges: bytes
date: Tue, 07 May 2024 08:13:52 GMT
vary: Accept-Encoding,Origin
server: snooserv
report-to: {"group": "w3-reporting-nel", "max_age": 14400, "include_subdomains": true,  "endpoints": [{ "url": "https://w3-reporting-nel.reddit.com/reports" }]}, {"group": "w3-reporting", "max_age": 14400, "include_subdomains": true, "endpoints": [{ "url": "https://w3-reporting.reddit.com/reports" }]}, {"group": "w3-reporting-csp", "max_age": 14400, "include_subdomains": true, "endpoints": [{ "url": "https://w3-reporting-csp.reddit.com/reports" }]}
nel: {"report_to": "w3-reporting-nel", "max_age": 14400, "include_subdomains": false, "success_fraction": 0.02, "failure_fraction": 0.02}
content-length: 11214
X-Firefox-Spdy: h2

client-registry.mutinycdn.com/mutiny-client/9.5.3.4.js

151.101.129.91

11 kB

URL
client-registry.mutinycdn.com/mutiny-client/9.5.3.4.js
IP
151.101.129.91:0
ASN
#54113 FASTLY

Certificate
IssuerGlobalSign nv-sa
Subjectclient-registry.mutinycdn.com
FingerprintBE:CC:E4:53:CC:9D:DB:E2:58:80:16:06:86:DD:09:06:92:66:F8:9C
ValidityWed, 06 Mar 2024 21:56:19 GMT - Mon, 07 Apr 2025 21:56:18 GMT

File type
JavaScript source, Unicode text, UTF-8 text, with very long lines (36996), with no line terminators
Size
11 kB (10858 bytes)
Hash
0f8515955a6446b73e42aae4ae97ae31
7e0bace557616aa54bead52ed670e96026dd2fc3
3c7a5808685fa3403acaf87c5dcda0bc93aa9c78680cdade5a4c646f987d5d6f

HTTP Headers

GET /mutiny-client/9.5.3.4.js HTTP/1.1
Host: client-registry.mutinycdn.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
x-amz-id-2: Hj0E55XHcEIu7SAkRxLundbIhL5313/9vFdLSLVhin1+b2+VrZCuIC7wWT3vC0QMKmBAljjgD1I=
x-amz-request-id: F38Y96AADB6R0BQX
last-modified: Thu, 18 Apr 2024 14:44:59 GMT
etag: "0f8515955a6446b73e42aae4ae97ae31"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000
x-amz-version-id: 1u4mGCGXw_mWJ6lWa.B8TLQqgopkFO_q
content-type: application/javascript
server: AmazonS3
access-control-allow-methods: GET, HEAD
access-control-allow-origin: *
access-control-max-age: 3000
content-encoding: gzip
accept-ranges: bytes
date: Tue, 07 May 2024 08:13:52 GMT
via: 1.1 varnish
age: 1143766
x-served-by: cache-hel1410024-HEL
x-cache: HIT
x-cache-hits: 3351
vary: X-Continent-Code, Accept-Encoding
x-connection-speed: broadband
x-continent-code: EU
x-country-code: NO
x-edge-datacenter: HEL
x-edge-region: EU-East
content-length: 10858
X-Firefox-Spdy: h2

client-registry.mutinycdn.com/mutiny-client/7.5.3.4.js

151.101.129.91

2.8 kB

URL
client-registry.mutinycdn.com/mutiny-client/7.5.3.4.js
IP
151.101.129.91:0
ASN
#54113 FASTLY

Certificate
IssuerGlobalSign nv-sa
Subjectclient-registry.mutinycdn.com
FingerprintBE:CC:E4:53:CC:9D:DB:E2:58:80:16:06:86:DD:09:06:92:66:F8:9C
ValidityWed, 06 Mar 2024 21:56:19 GMT - Mon, 07 Apr 2025 21:56:18 GMT

File type
JavaScript source, ASCII text, with very long lines (9203), with no line terminators
Size
2.8 kB (2781 bytes)
Hash
1cfc2f45f6b89c401b92e14faf2ef01a
e6f789986829fcef1221683e1812ee7440971a96
b770b98513581b8a54e633d0021e3bcd3935f08d8e7b8fe6e56401891c7f73f8

HTTP Headers

GET /mutiny-client/7.5.3.4.js HTTP/1.1
Host: client-registry.mutinycdn.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
x-amz-id-2: 4MvcCg7yjUDMZ9YdZ4O92cLr860mj71IFxEpO02gvPuJQQ3eoYC6jnclAjRcTJlH9/0uGdruEmI=
x-amz-request-id: F38KSJJPPWQ1FF1R
last-modified: Thu, 18 Apr 2024 14:44:59 GMT
etag: "1cfc2f45f6b89c401b92e14faf2ef01a"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000
x-amz-version-id: Rt1BtuBkVe05.Nvj6tgzb0Pey2ZaErvL
content-type: application/javascript
server: AmazonS3
access-control-allow-methods: GET, HEAD
access-control-allow-origin: *
access-control-max-age: 3000
content-encoding: gzip
accept-ranges: bytes
date: Tue, 07 May 2024 08:13:52 GMT
via: 1.1 varnish
age: 1143766
x-served-by: cache-hel1410024-HEL
x-cache: HIT
x-cache-hits: 2676
vary: X-Continent-Code, Accept-Encoding
x-connection-speed: broadband
x-continent-code: EU
x-country-code: NO
x-edge-datacenter: HEL
x-edge-region: EU-East
content-length: 2781
X-Firefox-Spdy: h2

client-registry.mutinycdn.com/mutiny-client/10.5.3.4.js

151.101.129.91

2.6 kB

URL
client-registry.mutinycdn.com/mutiny-client/10.5.3.4.js
IP
151.101.129.91:0
ASN
#54113 FASTLY

Certificate
IssuerGlobalSign nv-sa
Subjectclient-registry.mutinycdn.com
FingerprintBE:CC:E4:53:CC:9D:DB:E2:58:80:16:06:86:DD:09:06:92:66:F8:9C
ValidityWed, 06 Mar 2024 21:56:19 GMT - Mon, 07 Apr 2025 21:56:18 GMT

File type
JavaScript source, ASCII text, with very long lines (7397), with no line terminators
Size
2.6 kB (2550 bytes)
Hash
bddf673724f89eb17c70ebd53a364b80
6afcc24c0f65a3fafedaa9f16c83b4dc6e25d54a
904b9d920e3433f48ebf530b9588f34c066d1ec02b97a6e1f42a9abbd189df7b

HTTP Headers

GET /mutiny-client/10.5.3.4.js HTTP/1.1
Host: client-registry.mutinycdn.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
x-amz-id-2: Sd1DXtLy/jBAv8hEqkeQbE3w+8b1+zCwadVKHAPmfmagtZB7108O0ZwDGscx8JI2ZcqUnjR+AMo=
x-amz-request-id: F38X49NEA19N4CWF
last-modified: Thu, 18 Apr 2024 14:44:59 GMT
etag: "bddf673724f89eb17c70ebd53a364b80"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000
x-amz-version-id: 1Jc6XLQ3DaHMkL225ESCW263GDmQhGoK
content-type: application/javascript
server: AmazonS3
access-control-allow-methods: GET, HEAD
access-control-allow-origin: *
access-control-max-age: 3000
content-encoding: gzip
accept-ranges: bytes
date: Tue, 07 May 2024 08:13:52 GMT
via: 1.1 varnish
age: 1143766
x-served-by: cache-hel1410024-HEL
x-cache: HIT
x-cache-hits: 2666
vary: X-Continent-Code, Accept-Encoding
x-connection-speed: broadband
x-continent-code: EU
x-country-code: NO
x-edge-datacenter: HEL
x-edge-region: EU-East
content-length: 2550
X-Firefox-Spdy: h2

epsilon.6sense.com/v3/company/details

13.248.142.121

200 OK

382 B

URL GET HTTP/2
epsilon.6sense.com/v3/company/details
IP
13.248.142.121:443
ASN
#16509 AMAZON-02

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.6sense.com
Fingerprint1F:E9:D1:17:91:2F:85:0D:F6:B2:5A:FD:91:F5:B1:71:B2:0B:33:B2
ValiditySun, 31 Mar 2024 00:00:00 GMT - Tue, 29 Apr 2025 23:59:59 GMT

File type
JSON text data
Size
382 B (382 bytes)
Hash
c236df1ce34fb7a30c4e2ebfd21cafca
7c8a54e044e69ccd7eb6efecbc0c816543e54749
65723fd6a499fc6b72da5add4db94796ba3d3e1304cafa6bef10a882111c78cc

HTTP Headers

GET /v3/company/details HTTP/1.1
Host: epsilon.6sense.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
Authorization: Token c081b6bcc07a45b013b81ff3441b82387640805c
X-6s-CustomID: WebTag 8769192b-20ba-4df2-8d62-2740a805c3e8
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:52 GMT
content-type: application/json
content-length: 382
server: nginx
x-trace-id: 8216554096661450288
timing-allow-origin: https://6sense.com, https://www.ssga.com
x-6si-region: eu-central-1a
access-control-expose-headers: X-6si-Region
access-control-allow-origin: https://www.huntress.com
access-control-allow-credentials: true
vary: Origin, Accept-Encoding
content-encoding: gzip
X-Firefox-Spdy: h2

q.quora.com/_/ad/83f2d51fb0164c438fbdaa8c29ed2e5e/pixel?tag=ViewContent&i=gtm&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware

52.2.7.148

43 B

URL
q.quora.com/_/ad/83f2d51fb0164c438fbdaa8c29ed2e5e/pixel?tag=ViewContent&i=gtm&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
IP
52.2.7.148:0
ASN
#14618 AMAZON-AES

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
df3e567d6f16d040326c7a0ea29a4f41
ea7df583983133b62712b5e73bffbcd45cc53736
548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87

HTTP Headers

GET /_/ad/83f2d51fb0164c438fbdaa8c29ed2e5e/pixel?tag=ViewContent&i=gtm&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware HTTP/1.1
Host: q.quora.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Content-Type: image/gif
Date: Tue, 07 May 2024 08:13:52 GMT
Server: nginx
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Q-Stat: ,2d8908f15be58c3171ad9c22eeb26982,10.0.0.156,59140,91.90.42.154,,365336227258,1,1715069632.828,0.002,,.,0,0,0.000,0.004,-,0,0,203,185,92,10,26847,,,,,,-,
Content-Length: 43
Connection: keep-alive

j.6sc.co/j/e666a54d-ff29-48f9-9baa-2be6ac05412e.js

95.101.10.131

438 B

URL
j.6sc.co/j/e666a54d-ff29-48f9-9baa-2be6ac05412e.js
IP
95.101.10.131:0
ASN
#20940 Akamai International B.V.

Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
ASCII text, with very long lines (837), with no line terminators
Size
438 B (438 bytes)
Hash
29df5bb770be8e518fe2206581f712a6
2547b72c28d11642cb98341593af4d6d4d98754a
82ba33778a6595a59baef6e6964c64d7c3e9888c2bbf74461f1948b295db28e2

HTTP Headers

GET /j/e666a54d-ff29-48f9-9baa-2be6ac05412e.js HTTP/1.1
Host: j.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
last-modified: Fri, 18 Aug 2023 17:22:32 GMT
etag: "29df5bb770be8e518fe2206581f712a6"
x-amz-server-side-encryption: AES256
x-amz-meta-content-type: application/json
x-amz-version-id: iBgsOgE4Kr3Z0Ccj2rm1wK8VxmZ_A29h
accept-ranges: bytes
server: AmazonS3
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: erR_GAfYT1eWa_ExjlIMlbgANs4_ArGAsYFMjm8tTDyMaWNWz4aOWA==
vary: Accept-Encoding
content-encoding: gzip
expires: Tue, 07 May 2024 08:13:52 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:52 GMT
content-length: 438
content-type: application/javascript
X-Firefox-Spdy: h2

www.redditstatic.com/ads/conversions-config/v1/pixel/config/t2_12z44i_telemetry

151.101.1.140

200 OK

98 B

URL GET HTTP/2
www.redditstatic.com/ads/conversions-config/v1/pixel/config/t2_12z44i_telemetry
IP
151.101.1.140:443
ASN
#54113 FASTLY

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerDigiCert Inc
Subjectwww.redditstatic.com
Fingerprint2F:CB:EB:6E:79:ED:BE:34:24:FF:A9:C2:0C:D1:07:8D:56:7F:2F:16
ValidityMon, 08 Jan 2024 00:00:00 GMT - Sat, 06 Jul 2024 23:59:59 GMT

File type
JSON text data
Size
98 B (98 bytes)
Hash
5143820daeb644938735d6b28c0059e7
22316bb57b4fa755662fd6f5fb7f749b21ac32a1
740bb313221bda5543b6fbe0bce3dd276cc70c4fd9aa0bae9d46b149406becf5

HTTP Headers

GET /ads/conversions-config/v1/pixel/config/t2_12z44i_telemetry HTTP/1.1
Host: www.redditstatic.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
access-control-allow-origin: *
cache-control: max-age=300
content-type: application/json
content-encoding: gzip
accept-ranges: bytes
date: Tue, 07 May 2024 08:13:52 GMT
via: 1.1 varnish
vary: Accept-Encoding,Origin
server: snooserv
report-to: {"group": "w3-reporting-nel", "max_age": 14400, "include_subdomains": true,  "endpoints": [{ "url": "https://w3-reporting-nel.reddit.com/reports" }]}, {"group": "w3-reporting", "max_age": 14400, "include_subdomains": true, "endpoints": [{ "url": "https://w3-reporting.reddit.com/reports" }]}, {"group": "w3-reporting-csp", "max_age": 14400, "include_subdomains": true, "endpoints": [{ "url": "https://w3-reporting-csp.reddit.com/reports" }]}
nel: {"report_to": "w3-reporting-nel", "max_age": 14400, "include_subdomains": false, "success_fraction": 0.02, "failure_fraction": 0.02}
content-length: 98
X-Firefox-Spdy: h2

js.driftt.com/include/1715069700000/5d3cypit2iz8.js

54.230.111.73

200 OK

61 kB

URL GET HTTP/2
js.driftt.com/include/1715069700000/5d3cypit2iz8.js
IP
54.230.111.73:443
ASN
#16509 AMAZON-02

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subjectdrift.com
Fingerprint8D:87:63:40:81:FD:69:E6:E5:7B:1B:D8:C5:49:BB:2A:A5:0B:A2:EE
ValidityTue, 15 Aug 2023 00:00:00 GMT - Wed, 11 Sep 2024 23:59:59 GMT

File type
gzip compressed data, from Unix
Size
61 kB (60939 bytes)
Hash
a63ac29d58c13d9e04e5ab33eca1d156
7314eeff343095b33be765d881713ec7025f9cdd
c6dc99732fc680cf5055b9f607d0c277bd7b5ea62098ecf01af350612cc66658

HTTP Headers

GET /include/1715069700000/5d3cypit2iz8.js HTTP/1.1
Host: js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript; charset=utf-8
server: istio-envoy
last-modified: Mon, 21 Aug 2023 14:57:31 GMT
x-amz-server-side-encryption: AES256
x-amz-version-id: fwT06mdOrTHjuLmyd8.idzR8VPd5.dxi
access-control-allow-credentials: true,true
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
x-envoy-upstream-service-time: 46
via: 1.1 412b51478c24c00d9c9185312b00ffd0.cloudfront.net (CloudFront), 1.1 193a8c13b6e0a6b90db7172f6358335e.cloudfront.net (CloudFront)
access-control-allow-origin: *
access-control-allow-methods: GET, POST, OPTIONS
content-encoding: gzip
date: Tue, 07 May 2024 08:13:51 GMT
cache-control: max-age=10
etag: W/"576cdc1c0941a520c47b54aef3b463f7"
vary: Accept-Encoding
x-cache: RefreshHit from cloudfront
x-amz-cf-pop: IAD61-P3, OSL50-P1
x-amz-cf-id: FQBV_riklfP6zScsm565GYuxkss-Z4sgxk1LU-LdIh4KI12vU5AeBQ==
X-Firefox-Spdy: h2

j.6sc.co/6si.min.js

95.101.10.131

200 OK

18 kB

URL GET HTTP/2
j.6sc.co/6si.min.js
IP
95.101.10.131:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
JavaScript source, ASCII text, with very long lines (31995)
Size
18 kB (17942 bytes)
Hash
bf231eb780489fffea00aef444500b14
f0d4603fa4441a3cf3773efffbda309001c579b0
95ef911fcf12dfe0a1fb5b17a3b24fa81c6b07b102b435949b06e7e124de51cb

HTTP Headers

GET /6si.min.js HTTP/1.1
Host: j.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: application/javascript
etag: "662ae46d-10585"
last-modified: Thu, 25 Apr 2024 23:17:01 GMT
pragma: no-cache
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
vary: Accept-Encoding
content-encoding: gzip
cache-control: private, no-cache, proxy-revalidate
expires: Tue, 07 May 2024 08:13:53 GMT
date: Tue, 07 May 2024 08:13:53 GMT
content-length: 17942
X-Firefox-Spdy: h2

forms.hsforms.com/embed/v3/counters.gif?key=collected-forms-embed-js-form-bind&count=3

104.19.175.188

35 B

URL
forms.hsforms.com/embed/v3/counters.gif?key=collected-forms-embed-js-form-bind&count=3
IP
104.19.175.188:0
ASN
#13335 CLOUDFLARENET

File type
GIF image data, version 89a, 1 x 1
Size
35 B (35 bytes)
Hash
c2196de8ba412c60c22ab491af7b1409
5fbd472222feb8a22cf5b8aa5dc5b8e13af88e2b
6adc3d4c1056996e4e8b765a62604c78b1f867cceb3b15d0b9bedb7c4857f992

HTTP Headers

GET /embed/v3/counters.gif?key=collected-forms-embed-js-form-bind&count=3 HTTP/1.1
Host: forms.hsforms.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Tue, 07 May 2024 08:13:53 GMT
Content-Type: image/gif
Content-Length: 35
Connection: keep-alive
Cache-Control: max-age=0, no-cache, no-store
Vary: origin
Access-Control-Allow-Credentials: false
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-Origin-Hublet
X-Robots-Tag: none
x-envoy-upstream-service-time: 2
x-evy-trace-route-service-name: envoyset-translator
x-evy-trace-virtual-host: all
X-HubSpot-Correlation-Id: 185b2de3-d6fa-4601-92ab-6f5f5e4231df
x-evy-trace-served-by-pod: iad02/star-hubspot-td/envoy-proxy-9fd6b4b-lrtkq
x-evy-trace-listener: listener_https
x-evy-trace-route-configuration: listener_https/all
x-request-id: 185b2de3-d6fa-4601-92ab-6f5f5e4231df
CF-Cache-Status: DYNAMIC
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Set-Cookie: __cf_bm=tSBhQgar6Oz_CGtYvd2vm7jj2br4DH7e6JQvSwud4oQ-1715069633-1.0.1.1-ehGcqQ4r7nl5XG72krXqV.1pdWAKDFPbIfDFqvHqxk9lOztVc4xXaxTQ3qikiZgRTJD93B2FN9D2.oocItcYrA; path=/; expires=Tue, 07-May-24 08:43:53 GMT; domain=.hsforms.com; HttpOnly; Secure; SameSite=None
_cfuvid=xbke9AJTN2tw3tRdOHWELU8JcCqcNEjYJ1X6.7zrdWo-1715069633139-0.0.1.1-604800000; path=/; domain=.hsforms.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 87ffc0d65abab4ff-OSL
alt-svc: h3=":443"; ma=86400

c.6sc.co/

23.36.79.9

200 OK

7 B

URL GET HTTP/1.1
c.6sc.co/
IP
23.36.79.9:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
ASCII text, with no line terminators
Size
7 B (7 bytes)
Hash
d97623d172f087d9640da9acd38830ff
515bd358bb7d990930f0e2b3de399db1787a2567
fe04a9dc88d3f3be8d4f6bc63a9a80f45a4c6d8460e7551dab849457c091920a

HTTP Headers

GET / HTTP/1.1
Host: c.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 7
Date: Tue, 07 May 2024 08:13:53 GMT
Connection: keep-alive
Access-Control-Allow-Origin: https://www.huntress.com
Access-Control-Max-Age: 86400
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: GET,POST

ipv6.6sc.co/

23.36.79.19

200 OK

4 B

URL GET HTTP/2
ipv6.6sc.co/
IP
23.36.79.19:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
ASCII text, with no line terminators
Size
4 B (4 bytes)
Hash
37a6259cc0c1dae299a7866489dff0bd
2be88ca4242c76e8253ac62474851065032d6833
74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b

HTTP Headers

GET / HTTP/1.1
Host: ipv6.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: text/html
content-length: 4
expires: Tue, 07 May 2024 08:13:53 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:53 GMT
server-timing: cdn-cache; desc=HIT, edge; dur=1, ak_p; desc="1715069633173_388255503_133353948_27_764_3_0_21";dur=1
6si-ipv6: null
access-control-allow-origin: https://www.huntress.com
vary: Origin
X-Firefox-Spdy: h2

ibc-flow.techtarget.com/a/gif.gif?actTypeId=31&cid=17715818&r=1715069632777&ref=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&version=2.4

34.111.208.231

200 OK

0 B

URL OPTIONS HTTP/2
ibc-flow.techtarget.com/a/gif.gif?actTypeId=31&cid=17715818&r=1715069632777&ref=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&version=2.4
IP
34.111.208.231:443
ASN
#396982 GOOGLE-CLOUD-PLATFORM

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGoogle Trust Services LLC
Subjectibc-flow.techtarget.com
Fingerprint4D:70:79:2A:68:8A:26:EF:2A:6D:9D:70:D6:50:DD:61:17:13:66:5A
ValidityMon, 06 May 2024 19:08:47 GMT - Sun, 04 Aug 2024 20:03:01 GMT

File type

Size
0 B (0 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

HTTP Headers

OPTIONS /a/gif.gif?actTypeId=31&cid=17715818&r=1715069632777&ref=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&version=2.4 HTTP/1.1
Host: ibc-flow.techtarget.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: GET
Access-Control-Request-Headers: ibc_rate_tier
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
server: nginx/1.20.2
date: Tue, 07 May 2024 08:13:53 GMT
content-type: text/html; charset=UTF-8
content-length: 0
vary: Origin
x-guploader-uploadid: ABPtcPqsAfNJq4vnhhan8pPVtqfMMqzehrWyKvG-PclZd4qTrOzdF34Af-yWvPFpYWz5cDKOGRY-OkgLJQ
expires: Tue, 07 May 2024 08:13:53 GMT
cache-control: private, max-age=0
access-control-allow-origin: *
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: ibc_header,ibc_rate_tier,User-Agent,X-Requested-With,Cache-Control,Content-Type,Range
via: 1.1 google
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
X-Firefox-Spdy: h2

95.101.10.131

43 B

URL
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22setToken%5C%22%2C%5C%22value%5C%22%3A%5C%22a87a3edc53b5a86d1795d11887b5aa39%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22950%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=8769192b-20ba-4df2-8d62-2740a805c3e8&v=1.1.18
IP
95.101.10.131:0
ASN
#20940 Akamai International B.V.

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22setToken%5C%22%2C%5C%22value%5C%22%3A%5C%22a87a3edc53b5a86d1795d11887b5aa39%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22950%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=8769192b-20ba-4df2-8d62-2740a805c3e8&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "63f03226-2b"
last-modified: Sat, 18 Feb 2023 02:04:22 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:13:53 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:53 GMT
X-Firefox-Spdy: h2

95.101.10.131

200 OK

43 B

URL GET HTTP/2
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22enableIPv6Ping%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22952%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=8769192b-20ba-4df2-8d62-2740a805c3e8&v=1.1.18
IP
95.101.10.131:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22enableIPv6Ping%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22952%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=8769192b-20ba-4df2-8d62-2740a805c3e8&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "63f03226-2b"
last-modified: Sat, 18 Feb 2023 02:04:22 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:13:53 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:53 GMT
X-Firefox-Spdy: h2

95.101.10.131

200 OK

43 B

URL GET HTTP/2
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22disableCookies%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22951%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=8769192b-20ba-4df2-8d62-2740a805c3e8&v=1.1.18
IP
95.101.10.131:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22disableCookies%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22951%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=8769192b-20ba-4df2-8d62-2740a805c3e8&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "60bb2e15-2b"
last-modified: Sat, 05 Jun 2021 07:56:05 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:13:53 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:53 GMT
X-Firefox-Spdy: h2

d3e54v103j8qbb.cloudfront.net/js/jquery-3.5.1.min.dc5e7f18c8.js?site=6579dd0b5f9a54376d296915

143.204.42.99

200 OK

30 kB

URL GET HTTP/2
d3e54v103j8qbb.cloudfront.net/js/jquery-3.5.1.min.dc5e7f18c8.js?site=6579dd0b5f9a54376d296915
IP
143.204.42.99:443
ASN
#16509 AMAZON-02

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.cloudfront.net
FingerprintFA:21:45:DC:4D:94:03:A3:09:77:51:78:4A:21:F2:C5:6D:94:BE:52
ValidityTue, 10 Oct 2023 00:00:00 GMT - Thu, 19 Sep 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (65451)
Size
30 kB (30424 bytes)
Hash
dc5e7f18c8d36ac1d3d4753a87c98d0a
c8e1c8b386dc5b7a9184c763c88d19a346eb3342
f7f6a5894f1d19ddad6fa392b2ece2c5e578cbf7da4ea805b6885eb6985b6e3d

HTTP Headers

GET /js/jquery-3.5.1.min.dc5e7f18c8.js?site=6579dd0b5f9a54376d296915 HTTP/1.1
Host: d3e54v103j8qbb.cloudfront.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
access-control-allow-origin: *
access-control-allow-methods: GET
access-control-max-age: 3000
last-modified: Mon, 20 Jul 2020 17:53:02 GMT
server: AmazonS3
content-encoding: br
date: Tue, 07 May 2024 04:24:25 GMT
cache-control: max-age=84600, must-revalidate
etag: W/"dc5e7f18c8d36ac1d3d4753a87c98d0a"
vary: Accept-Encoding
via: 1.1 475d4ecb64796af058573c6f1048e898.cloudfront.net (CloudFront)
age: 13778
x-cache: Hit from cloudfront
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: YSNYH511HP5aU6DMIqjxAfvlK-3aKANjtYO2cKTcYxpbpifbEt1azg==
X-Firefox-Spdy: h2

95.101.10.131

200 OK

43 B

URL GET HTTP/2
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22setWhiteListFields%5C%22%2C%5C%22value%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22957%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=8769192b-20ba-4df2-8d62-2740a805c3e8&v=1.1.18
IP
95.101.10.131:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22setWhiteListFields%5C%22%2C%5C%22value%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22957%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=8769192b-20ba-4df2-8d62-2740a805c3e8&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "63f02dad-2b"
last-modified: Sat, 18 Feb 2023 01:45:17 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:13:53 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:53 GMT
X-Firefox-Spdy: h2

95.101.10.131

200 OK

43 B

URL GET HTTP/2
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22setCustomMetatags%5C%22%2C%5C%22value%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22958%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=8769192b-20ba-4df2-8d62-2740a805c3e8&v=1.1.18
IP
95.101.10.131:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22setCustomMetatags%5C%22%2C%5C%22value%5C%22%3A%5C%22%5B%5D%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22958%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=8769192b-20ba-4df2-8d62-2740a805c3e8&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "63f020a0-2b"
last-modified: Sat, 18 Feb 2023 00:49:36 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:13:53 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:53 GMT
X-Firefox-Spdy: h2

95.101.10.131

43 B

URL
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22setCompanyDetailsExpiration%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22962%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18
IP
95.101.10.131:0
ASN
#20940 Akamai International B.V.

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22setCompanyDetailsExpiration%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22962%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "63f03226-2b"
last-modified: Sat, 18 Feb 2023 02:04:22 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:13:53 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:53 GMT
X-Firefox-Spdy: h2

95.101.10.131

200 OK

43 B

URL GET HTTP/2
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22enableIgnorePageUrlHash%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22953%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=8769192b-20ba-4df2-8d62-2740a805c3e8&v=1.1.18
IP
95.101.10.131:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22enableIgnorePageUrlHash%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22953%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=8769192b-20ba-4df2-8d62-2740a805c3e8&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "63f02dad-2b"
last-modified: Sat, 18 Feb 2023 01:45:17 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:13:53 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:53 GMT
X-Firefox-Spdy: h2

95.101.10.131

200 OK

43 B

URL GET HTTP/2
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22enableRetargeting%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22955%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=8769192b-20ba-4df2-8d62-2740a805c3e8&v=1.1.18
IP
95.101.10.131:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22enableRetargeting%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22955%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=8769192b-20ba-4df2-8d62-2740a805c3e8&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "63f02dad-2b"
last-modified: Sat, 18 Feb 2023 01:45:17 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:13:53 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:53 GMT
X-Firefox-Spdy: h2

95.101.10.131

43 B

URL
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22enableCompanyDetails%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22963%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18
IP
95.101.10.131:0
ASN
#20940 Akamai International B.V.

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22enableCompanyDetails%5C%22%2C%5C%22value%5C%22%3A%5C%22false%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22963%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "63f02dad-2b"
last-modified: Sat, 18 Feb 2023 01:45:17 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:13:53 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:53 GMT
X-Firefox-Spdy: h2

b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A53%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%22%2C%22timeSpent%22%3A%221039%22%2C%22totalTimeSpent%22%3A%221039%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18

95.101.10.131

43 B

URL
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A53%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%22%2C%22timeSpent%22%3A%221039%22%2C%22totalTimeSpent%22%3A%221039%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18
IP
95.101.10.131:0
ASN
#20940 Akamai International B.V.

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A53%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%22%2C%22timeSpent%22%3A%221039%22%2C%22totalTimeSpent%22%3A%221039%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "63f020a0-2b"
last-modified: Sat, 18 Feb 2023 00:49:36 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:13:53 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:53 GMT
X-Firefox-Spdy: h2

ibc-flow.techtarget.com/a/gif.gif?actTypeId=31&cid=17715818&r=1715069632777&ref=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&version=2.4

34.111.208.231

200 OK

43 B

URL OPTIONS HTTP/2
ibc-flow.techtarget.com/a/gif.gif?actTypeId=31&cid=17715818&r=1715069632777&ref=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&version=2.4
IP
34.111.208.231:443
ASN
#396982 GOOGLE-CLOUD-PLATFORM

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGoogle Trust Services LLC
Subjectibc-flow.techtarget.com
Fingerprint4D:70:79:2A:68:8A:26:EF:2A:6D:9D:70:D6:50:DD:61:17:13:66:5A
ValidityMon, 06 May 2024 19:08:47 GMT - Sun, 04 Aug 2024 20:03:01 GMT

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
fc94fb0c3ed8a8f909dbc7630a0987ff
56d45f8a17f5078a20af9962c992ca4678450765
2dfe28cbdb83f01c940de6a88ab86200154fd772d568035ac568664e52068363

HTTP Headers

GET /a/gif.gif?actTypeId=31&cid=17715818&r=1715069632777&ref=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&version=2.4 HTTP/1.1
Host: ibc-flow.techtarget.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
ibc_rate_tier: 17715818
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
server: nginx/1.20.2
date: Tue, 07 May 2024 08:13:53 GMT
content-type: image/gif
content-length: 43
expires: Tue, 07 May 2024 09:13:53 GMT
cache-control: public, max-age=3600
last-modified: Thu, 08 Dec 2022 21:19:29 GMT
etag: "fc94fb0c3ed8a8f909dbc7630a0987ff"
x-goog-generation: 1670534369365034
x-goog-metageneration: 1
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 43
x-goog-hash: crc32c=7uenZA==, md5=/JT7DD7YqPkJ28djCgmH/w==
x-goog-storage-class: STANDARD
accept-ranges: bytes
vary: Origin
x-guploader-uploadid: ABPtcPqZFFast7oUqslZoYxBKjXiwGthswaE_Oe3sxJHpIuPRLfn6yxGIruHzc2rfgd6zMsUsTU7cpP6IA
access-control-allow-origin: *
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: ibc_header,ibc_rate_tier,User-Agent,X-Requested-With,Cache-Control,Content-Type,Range
via: 1.1 google
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
X-Firefox-Spdy: h2

95.101.10.131

200 OK

43 B

URL GET HTTP/2
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22enableEventTracking%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22960%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18
IP
95.101.10.131:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22enableEventTracking%5C%22%2C%5C%22value%5C%22%3A%5C%22true%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22960%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "60bb2e15-2b"
last-modified: Sat, 05 Jun 2021 07:56:05 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:13:53 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:53 GMT
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296915/6603101ade570b07f0fb6625_android-chrome-256x256.png

3.164.240.122

200 OK

24 kB

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296915/6603101ade570b07f0fb6625_android-chrome-256x256.png
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Size
24 kB (23799 bytes)
Hash
be212a5e042601dc68e0f32a847200c6
d7ab3eb4cd34979e0730d186bd2f6438a8ef2d3a
9eb6a22abd66a8d40bd2dbfe0b61c9118c47536a261c09c0b41bc0e23afd7835

HTTP Headers

GET /6579dd0b5f9a54376d296915/6603101ade570b07f0fb6625_android-chrome-256x256.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 23799
date: Wed, 27 Mar 2024 20:08:04 GMT
last-modified: Tue, 26 Mar 2024 18:12:44 GMT
etag: "be212a5e042601dc68e0f32a847200c6"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000, must-revalidate
x-amz-version-id: pg2ITmulUFtSq7BILLtMnJCMACcJ5rTM
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 3499550
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: Z7jHSY4PefyO46Mm9WO3UdT3cF54YvFMLEITA0dBQ0_O9En2FhgNlw==
X-Firefox-Spdy: h2

google.com/pagead/form-data/429191348?gtm=45be4510v9136018371z89171248136za201&gcd=13l3lPl2l1&dma_cps=sypham&dma=1&npa=1&pscdl=noapi&auid=929865009.1715069632&ec_mode=a&em=tv.1

142.250.74.142

200 OK

0 B

URL POST HTTP/2
google.com/pagead/form-data/429191348?gtm=45be4510v9136018371z89171248136za201&gcd=13l3lPl2l1&dma_cps=sypham&dma=1&npa=1&pscdl=noapi&auid=929865009.1715069632&ec_mode=a&em=tv.1
IP
142.250.74.142:443
ASN
#15169 GOOGLE

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGoogle Trust Services LLC
Subject*.google.com
Fingerprint7C:B7:E1:97:03:6E:82:B6:52:F8:EC:C6:C6:50:D9:DD:80:47:E6:A0
ValidityTue, 16 Apr 2024 03:18:53 GMT - Tue, 09 Jul 2024 03:18:52 GMT

File type

Size
0 B (0 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

HTTP Headers

POST /pagead/form-data/429191348?gtm=45be4510v9136018371z89171248136za201&gcd=13l3lPl2l1&dma_cps=sypham&dma=1&npa=1&pscdl=noapi&auid=929865009.1715069632&ec_mode=a&em=tv.1 HTTP/1.1
Host: google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Content-Length: 0

HTTP/2 200 OK
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
timing-allow-origin: *
cross-origin-resource-policy: cross-origin
content-type: text/html; charset=UTF-8
x-content-type-options: nosniff
date: Tue, 07 May 2024 08:13:53 GMT
server: cafe
content-length: 0
x-xss-protection: 0
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296915/66030a0ceace49bce51c36de_favicon-32x32.png

3.164.240.122

1.3 kB

URL
assets-global.website-files.com/6579dd0b5f9a54376d296915/66030a0ceace49bce51c36de_favicon-32x32.png
IP
3.164.240.122:0
ASN
#0

Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Size
1.3 kB (1294 bytes)
Hash
966e794cd99e0b0b48cd4df13cdc04a5
e9991ef20a57050b15de683d873bd7490876369a
c12f11d824a0e7cb513ff4574c1664ac5c3949efc35896edeb0612fe45f1c00b

HTTP Headers

GET /6579dd0b5f9a54376d296915/66030a0ceace49bce51c36de_favicon-32x32.png HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: image/png
content-length: 1294
date: Wed, 27 Mar 2024 20:08:04 GMT
last-modified: Tue, 26 Mar 2024 17:46:53 GMT
etag: "966e794cd99e0b0b48cd4df13cdc04a5"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000, must-revalidate
x-amz-version-id: zgVWaHGriVUpkEY2ghAZ8_qygV1PEHYb
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 3499550
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: Qa1XSavLiiRe0IbEKlEvJZfO4UmqN6ORYo7Km2NHUVsZ6ZNvNCI84A==
X-Firefox-Spdy: h2

google.com/ccm/form-data/429191348?gtm=45be4510v9136018371z89171248136za201&gcd=13l3lPl2l1&dma_cps=sypham&dma=1&npa=1&pscdl=noapi&auid=929865009.1715069632&ec_mode=a&em=tv.1

142.250.74.142

204 No Content

0 B

URL POST HTTP/2
google.com/ccm/form-data/429191348?gtm=45be4510v9136018371z89171248136za201&gcd=13l3lPl2l1&dma_cps=sypham&dma=1&npa=1&pscdl=noapi&auid=929865009.1715069632&ec_mode=a&em=tv.1
IP
142.250.74.142:443
ASN
#15169 GOOGLE

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGoogle Trust Services LLC
Subject*.google.com
Fingerprint7C:B7:E1:97:03:6E:82:B6:52:F8:EC:C6:C6:50:D9:DD:80:47:E6:A0
ValidityTue, 16 Apr 2024 03:18:53 GMT - Tue, 09 Jul 2024 03:18:52 GMT

File type

Size
0 B (0 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

HTTP Headers

POST /ccm/form-data/429191348?gtm=45be4510v9136018371z89171248136za201&gcd=13l3lPl2l1&dma_cps=sypham&dma=1&npa=1&pscdl=noapi&auid=929865009.1715069632&ec_mode=a&em=tv.1 HTTP/1.1
Host: google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Content-Length: 0

HTTP/2 204 No Content
access-control-allow-origin: https://www.huntress.com
date: Tue, 07 May 2024 08:13:53 GMT
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
cache-control: no-cache, no-store, must-revalidate
access-control-allow-credentials: true
content-type: text/plain
cross-origin-resource-policy: cross-origin
server: Golfe2
content-length: 0
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
X-Firefox-Spdy: h2

region1.analytics.google.com/g/collect?v=2&tid=G-GCTMBVFESS&gtm=45je4560h2v9122196611z89171248136za200&_p=1715069631445&_gaz=1&gcd=13l3lPl2l1&npa=1&dma_cps=sypham&dma=1&cid=373740736.1715069633&ul=en-us&sr=1280x1024&pscdl=noapi&_s=1&sid=1715069632&sct=1&seg=0&dl=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&dt=Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware&en=page_view&_fv=1&_nsi=1&_ss=1&tfd=3507

216.239.32.36

204 No Content

0 B

URL POST HTTP/2
region1.analytics.google.com/g/collect?v=2&tid=G-GCTMBVFESS&gtm=45je4560h2v9122196611z89171248136za200&_p=1715069631445&_gaz=1&gcd=13l3lPl2l1&npa=1&dma_cps=sypham&dma=1&cid=373740736.1715069633&ul=en-us&sr=1280x1024&pscdl=noapi&_s=1&sid=1715069632&sct=1&seg=0&dl=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&dt=Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware&en=page_view&_fv=1&_nsi=1&_ss=1&tfd=3507
IP
216.239.32.36:443
ASN
#15169 GOOGLE

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGoogle Trust Services LLC
Subject*.google-analytics.com
Fingerprint93:6B:D2:9D:92:BE:2D:D8:02:67:82:83:5E:EF:A3:F9:13:F3:26:AE
ValidityTue, 16 Apr 2024 03:18:45 GMT - Tue, 09 Jul 2024 03:18:44 GMT

File type

Size
0 B (0 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

HTTP Headers

POST /g/collect?v=2&tid=G-GCTMBVFESS&gtm=45je4560h2v9122196611z89171248136za200&_p=1715069631445&_gaz=1&gcd=13l3lPl2l1&npa=1&dma_cps=sypham&dma=1&cid=373740736.1715069633&ul=en-us&sr=1280x1024&pscdl=noapi&_s=1&sid=1715069632&sct=1&seg=0&dl=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&dt=Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware&en=page_view&_fv=1&_nsi=1&_ss=1&tfd=3507 HTTP/1.1
Host: region1.analytics.google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Content-Length: 0

HTTP/2 204 No Content
access-control-allow-origin: https://www.huntress.com
date: Tue, 07 May 2024 08:13:53 GMT
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
cache-control: no-cache, no-store, must-revalidate
access-control-allow-credentials: true
content-type: text/plain
cross-origin-resource-policy: cross-origin
server: Golfe2
content-length: 0
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
X-Firefox-Spdy: h2

bat.bing.com/bat.js

204.79.197.237

200 OK

13 kB

URL GET HTTP/2
bat.bing.com/bat.js
IP
204.79.197.237:443
ASN
#8068 MICROSOFT-CORP-MSN-AS-BLOCK

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerMicrosoft Corporation
Subjectwww.bing.com
Fingerprint02:83:27:F9:50:D8:BE:B9:5E:DF:1A:4A:45:3B:6D:3C:BC:30:F2:58
ValidityWed, 01 May 2024 01:58:25 GMT - Thu, 27 Jun 2024 23:59:59 GMT

File type
JavaScript source, Unicode text, UTF-8 text, with very long lines (46429), with no line terminators
Size
13 kB (13261 bytes)
Hash
72bca04fd669eb89fc65d59052d0fc00
27e60aef86f0cb1b2f6b6ed9df9a4e3ba88efd21
823804a7807864b44093a3843788f4cd076e89cf4a6fdeb8d153ae5c2c2df721

HTTP Headers

GET /bat.js HTTP/1.1
Host: bat.bing.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
cache-control: private,max-age=1800
content-length: 13261
content-type: application/javascript
content-encoding: gzip
last-modified: Thu, 29 Feb 2024 19:58:06 GMT
accept-ranges: bytes
etag: "01b4e9c496bda1:0"
vary: Accept-Encoding
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EEF0B7D8C482458499DAC072FF9A387E Ref B: OSL30EDGE0111 Ref C: 2024-05-07T08:13:53Z
date: Tue, 07 May 2024 08:13:52 GMT
X-Firefox-Spdy: h2

epsilon.6sense.com/v3/company/details

13.248.142.121

200 OK

24 B

URL GET HTTP/2
epsilon.6sense.com/v3/company/details
IP
13.248.142.121:443
ASN
#16509 AMAZON-02

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.6sense.com
Fingerprint1F:E9:D1:17:91:2F:85:0D:F6:B2:5A:FD:91:F5:B1:71:B2:0B:33:B2
ValiditySun, 31 Mar 2024 00:00:00 GMT - Tue, 29 Apr 2025 23:59:59 GMT

File type
ASCII text, with no line terminators
Size
24 B (24 bytes)
Hash
0c5dad92482d9a7c7c253510f5082465
534b458f99b4d0bb90c2cf2c4bb3703ef44a52bf
5dbaf0a4ff0f8ac8c1b67550eee84390b089604ffaf71183e417636c7e183ac5

HTTP Headers

OPTIONS /v3/company/details HTTP/1.1
Host: epsilon.6sense.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization,x-6s-customid
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:52 GMT
server: nginx
x-trace-id: 2768863816447745214
timing-allow-origin: https://6sense.com, https://www.ssga.com
x-6si-region: eu-central-1a
access-control-expose-headers: X-6si-Region
access-control-allow-origin: https://www.huntress.com
access-control-allow-credentials: true
access-control-max-age: 1800
access-control-allow-methods: OPTIONS,GET
access-control-allow-headers: authorization,x-6s-customid
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/runtime~main.23dacaf3.js

143.204.55.14

22 kB

URL
rc-widget-frame.js.driftt.com/core/assets/js/runtime~main.23dacaf3.js
IP
143.204.55.14:0
ASN
#16509 AMAZON-02

File type
gzip compressed data, from Unix
Size
22 kB (22390 bytes)
Hash
484f444c41e25481d20de82b4193c791
62c213a0795642e47000872e3d82a74af7432ae5
caa272acfa2c3b87c21268389fe3ec8ce83a6ef0a07ffbb6a540d36ce5f91bec

HTTP Headers

GET /core/assets/js/runtime~main.23dacaf3.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:52 GMT
last-modified: Mon, 21 Aug 2023 14:57:27 GMT
etag: W/"7bebf8444c728503329344c5817cc4e6"
x-amz-server-side-encryption: AES256
x-amz-version-id: pIvWjpmnkFEOPFn4Wb5jKsJCJYLlBZpR
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 45
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: nYw_vIEng68ZL9R84TgCCHPNqg2uBLfYAAOf4zxqdFUR0JCOMagjIw==
X-Firefox-Spdy: h2

www.gstatic.com/recaptcha/releases/V6_85qpc2Xf2sbe3xTnRte7m/recaptcha__en.js

142.250.74.163

200 OK

206 kB

URL GET HTTP/3
www.gstatic.com/recaptcha/releases/V6_85qpc2Xf2sbe3xTnRte7m/recaptcha__en.js
IP
142.250.74.163:443
ASN
#15169 GOOGLE

Requested by
https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC&co=aHR0cHM6Ly93d3cuaHVudHJlc3MuY29tOjQ0Mw..&hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&size=normal&cb=3ed4ifqylzve
Certificate
IssuerGoogle Trust Services LLC
Subject*.gstatic.com
Fingerprint15:DD:05:B3:2F:D8:E3:54:C9:B4:FA:E4:AC:01:ED:C8:E1:EA:A7:AD
ValidityTue, 16 Apr 2024 04:17:07 GMT - Tue, 09 Jul 2024 04:17:06 GMT

File type
JavaScript source, ASCII text, with very long lines (631)
Size
206 kB (205803 bytes)
Hash
e2e79d6b927169d9e0e57e3baecc0993
1299473950b2999ba0b7f39bd5e4a60eafd1819d
231336ed913a5ebd4445b85486e053caf2b81cab91318241375f3f7a245b6c6b

HTTP Headers

GET /recaptcha/releases/V6_85qpc2Xf2sbe3xTnRte7m/recaptcha__en.js HTTP/1.1
Host: www.gstatic.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
accept-ranges: bytes
content-encoding: gzip
access-control-allow-origin: *
content-security-policy-report-only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/recaptcha
cross-origin-resource-policy: cross-origin
cross-origin-opener-policy: same-origin-allow-popups; report-to="recaptcha"
report-to: {"group":"recaptcha","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/recaptcha"}]}
content-length: 205803
x-content-type-options: nosniff
server: sffe
x-xss-protection: 0
date: Tue, 07 May 2024 06:36:16 GMT
expires: Wed, 07 May 2025 06:36:16 GMT
cache-control: public, max-age=31536000
last-modified: Mon, 22 Apr 2024 21:03:35 GMT
content-type: text/javascript
vary: Accept-Encoding
age: 5857
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
X-Firefox-Spdy: h2

www.google.no/ads/ga-audiences?v=1&t=sr&slf_rd=1&_r=4&tid=G-GCTMBVFESS&cid=373740736.1715069633&gtm=45je4560h2v9122196611z89171248136za200&aip=1&dma=1&dma_cps=sypham&gcd=13l3lPl2l1&npa=1&z=1746904562

142.250.74.163

42 B

URL
www.google.no/ads/ga-audiences?v=1&t=sr&slf_rd=1&_r=4&tid=G-GCTMBVFESS&cid=373740736.1715069633&gtm=45je4560h2v9122196611z89171248136za200&aip=1&dma=1&dma_cps=sypham&gcd=13l3lPl2l1&npa=1&z=1746904562
IP
142.250.74.163:0
ASN
#15169 GOOGLE

File type
GIF image data, version 89a, 1 x 1
Size
42 B (42 bytes)
Hash
d89746888da2d9510b64a9f031eaecd5
d5fceb6532643d0d84ffe09c40c481ecdf59e15a
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

HTTP Headers

GET /ads/ga-audiences?v=1&t=sr&slf_rd=1&_r=4&tid=G-GCTMBVFESS&cid=373740736.1715069633&gtm=45je4560h2v9122196611z89171248136za200&aip=1&dma=1&dma_cps=sypham&gcd=13l3lPl2l1&npa=1&z=1746904562 HTTP/1.1
Host: www.google.no
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
timing-allow-origin: *
cross-origin-resource-policy: cross-origin
date: Tue, 07 May 2024 08:13:53 GMT
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
cache-control: no-cache, no-store, must-revalidate
content-type: image/gif
x-content-type-options: nosniff
server: cafe
content-length: 42
x-xss-protection: 0
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/19.6f85b843.chunk.js

143.204.55.14

5.4 kB

URL
rc-widget-frame.js.driftt.com/core/assets/js/19.6f85b843.chunk.js
IP
143.204.55.14:0
ASN
#16509 AMAZON-02

File type
gzip compressed data, from Unix
Size
5.4 kB (5420 bytes)
Hash
02319115fa1182a8a0a3950be6d774fb
b42b46cfbbbf3729dca0fd3270464d5f6ccecb80
dc751d09eaff4f09bdd30dee317d82369d72de96c017f0c16ebb1a82d2761d13

HTTP Headers

GET /core/assets/js/19.6f85b843.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:53 GMT
last-modified: Wed, 01 May 2024 17:00:04 GMT
etag: W/"e28ebc3391b56e8f01ea063dc089e9d3"
x-amz-server-side-encryption: AES256
x-amz-version-id: oPn0z7U5uG2uIz4eC8eptCfl0SS6jCFv
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 20
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: tvbEgUq30A93qmAoikvy-HqZIJl43ysSNgI4lNVGZCWP8k4-NCzKug==
X-Firefox-Spdy: h2

cdn.neverbounce.com/widget/dist/NeverBounce.js

54.230.111.89

200 OK

49 kB

URL GET HTTP/2
cdn.neverbounce.com/widget/dist/NeverBounce.js
IP
54.230.111.89:443
ASN
#16509 AMAZON-02

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subjectneverbounce.com
FingerprintAA:14:38:26:16:0D:C2:06:23:FA:67:31:6D:06:B4:73:35:3A:18:67
ValidityMon, 29 Jan 2024 00:00:00 GMT - Tue, 25 Feb 2025 23:59:59 GMT

File type
JavaScript source, Unicode text, UTF-8 text, with very long lines (65532), with no line terminators
Size
49 kB (49215 bytes)
Hash
0b97937e5330c729bc253b8e1029b125
2dbc072b6d7c9f74b40635a44378287a66349a77
6f3a0f414871ec7e892077618750d081ca665f9a02fcd609a5f9c7a557c77fa3

HTTP Headers

GET /widget/dist/NeverBounce.js HTTP/1.1
Host: cdn.neverbounce.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
last-modified: Mon, 02 Mar 2020 18:37:33 GMT
server: AmazonS3
content-encoding: gzip
date: Tue, 07 May 2024 03:18:59 GMT
etag: W/"c1e06621030dfcba15b88abbcaa546eb"
vary: Accept-Encoding
x-cache: Hit from cloudfront
via: 1.1 c2b101e67ac25a2f0013450d56ecac38.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-P1
x-amz-cf-id: EeDlBb9ZUmdt43yxeVIMbNwSjI41ZiZzqKdO93tgQxRMAziYHSMBAg==
age: 17694
X-Firefox-Spdy: h2

b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A54%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A53%20GMT%22%2C%22timeSpent%22%3A%221031%22%2C%22totalTimeSpent%22%3A%222070%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18

95.101.10.131

200 OK

43 B

URL GET HTTP/2
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A54%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A53%20GMT%22%2C%22timeSpent%22%3A%221031%22%2C%22totalTimeSpent%22%3A%222070%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18
IP
95.101.10.131:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A54%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A53%20GMT%22%2C%22timeSpent%22%3A%221031%22%2C%22totalTimeSpent%22%3A%222070%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "5e502810-2b"
last-modified: Fri, 21 Feb 2020 18:57:20 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:13:54 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:54 GMT
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/css/28.e29661b2.chunk.css

143.204.55.14

200 OK

561 B

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/css/28.e29661b2.chunk.css
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
ASCII text, with very long lines (561), with no line terminators
Size
561 B (561 bytes)
Hash
5847d5731c3141aa511411d6c66a193c
3512b4c00cdca627ce16257b360fffeff2ea9a83
d04196ec92f307c66ad56e3adbd4536e6c504a251299183c2c016de66a65af39

HTTP Headers

GET /core/assets/css/28.e29661b2.chunk.css HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: text/css
content-length: 561
server: istio-envoy
date: Tue, 07 May 2024 08:13:54 GMT
last-modified: Mon, 21 Aug 2023 14:57:23 GMT
etag: "5847d5731c3141aa511411d6c66a193c"
x-amz-server-side-encryption: AES256
x-amz-version-id: yOY99EI9PDEu6PYQSPkvCce7eoR8ev5W
accept-ranges: bytes
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 30
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: wh9nKRqmrVkRiZQt-BK9U-eOL3ch4et55WSDXGuERSo0OOgIihR-zw==
X-Firefox-Spdy: h2

www.gstatic.com/recaptcha/releases/V6_85qpc2Xf2sbe3xTnRte7m/styles__ltr.css

142.250.74.163

200 OK

25 kB

URL GET HTTP/3
www.gstatic.com/recaptcha/releases/V6_85qpc2Xf2sbe3xTnRte7m/styles__ltr.css
IP
142.250.74.163:443
ASN
#15169 GOOGLE

Requested by
https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC&co=aHR0cHM6Ly93d3cuaHVudHJlc3MuY29tOjQ0Mw..&hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&size=normal&cb=3ed4ifqylzve
Certificate
IssuerGoogle Trust Services LLC
Subject*.gstatic.com
Fingerprint15:DD:05:B3:2F:D8:E3:54:C9:B4:FA:E4:AC:01:ED:C8:E1:EA:A7:AD
ValidityTue, 16 Apr 2024 04:17:07 GMT - Tue, 09 Jul 2024 04:17:06 GMT

File type
ASCII text, with very long lines (56412), with no line terminators
Size
25 kB (24617 bytes)
Hash
2c00b9f417b688224937053cd0c284a5
17b4c18ebc129055dd25f214c3f11e03e9df2d82
1e754b107428162c65a26d399b66db3daaea09616bf8620d9de4bc689ce48eed

HTTP Headers

GET /recaptcha/releases/V6_85qpc2Xf2sbe3xTnRte7m/styles__ltr.css HTTP/1.1
Host: www.gstatic.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://www.google.com/
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/3 200 OK
accept-ranges: bytes
content-encoding: gzip
content-security-policy-report-only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/recaptcha
cross-origin-resource-policy: cross-origin
cross-origin-opener-policy: same-origin-allow-popups; report-to="recaptcha"
report-to: {"group":"recaptcha","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/recaptcha"}]}
content-length: 24617
x-content-type-options: nosniff
server: sffe
x-xss-protection: 0
date: Mon, 06 May 2024 15:37:51 GMT
expires: Tue, 06 May 2025 15:37:51 GMT
cache-control: public, max-age=31536000
last-modified: Mon, 22 Apr 2024 21:03:35 GMT
content-type: text/css
vary: Accept-Encoding
age: 59763
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

rc-widget-frame.js.driftt.com/core/assets/js/49.f7274268.chunk.js

143.204.55.14

200 OK

247 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/49.f7274268.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (65536), with no line terminators
Size
247 kB (247426 bytes)
Hash
6b73924fb4f6ac476c1f48024223a355
e401c8b1c9b6b2c428d06423dab012f703a962d5
c60ace8da4d3a63d55d67a48b4309f61b19ff0cecdee4062db4ae586727d0a31

HTTP Headers

GET /core/assets/js/49.f7274268.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:53 GMT
last-modified: Tue, 19 Mar 2024 17:28:54 GMT
etag: W/"e268d36b98f0119a2bb1a15f69fd4ffe"
x-amz-server-side-encryption: AES256
x-amz-version-id: 2WNnvzoyjRNX5AbsVjt1SGOXrEQcQ1Da
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 23
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: xrwtTnCw9KoKJIaaBpZDDUqrJe3mOjaNiXORWC7I2IvLR9V1OV0Vvg==
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/css/4.07aa08a5.chunk.css

143.204.55.14

200 OK

208 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/css/4.07aa08a5.chunk.css
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (7569)
Size
208 kB (207653 bytes)
Hash
87590c4073287d5ad77177cfcdec3b9d
77883bade9712d06821f96c361fc7613eea7f9a6
0ce0dc2a5b52f6840fb6dd8b577c471692029071208be353a1ee185a23a0a651

HTTP Headers

GET /core/assets/css/4.07aa08a5.chunk.css HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: text/css
server: istio-envoy
date: Tue, 07 May 2024 08:13:54 GMT
last-modified: Tue, 05 Mar 2024 20:17:48 GMT
etag: W/"189aeffd571884559dababa22c66d75a"
x-amz-server-side-encryption: AES256
x-amz-version-id: nX2nlMvVeK4ZVkz8fnS9kpSVjFagwqZ5
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
content-encoding: gzip
x-envoy-upstream-service-time: 17
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: TUiYLz_VePWsnJNLdg1AaifJEolzdYgukLuAdD0tcWqCiGXLrkPSJg==
X-Firefox-Spdy: h2

fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxK.woff2

216.58.207.227

200 OK

15 kB

URL GET HTTP/2
fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxK.woff2
IP
216.58.207.227:443
ASN
#15169 GOOGLE

Requested by
https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC&co=aHR0cHM6Ly93d3cuaHVudHJlc3MuY29tOjQ0Mw..&hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&size=normal&cb=3ed4ifqylzve
Certificate
IssuerGoogle Trust Services LLC
Subject*.gstatic.com
Fingerprint15:DD:05:B3:2F:D8:E3:54:C9:B4:FA:E4:AC:01:ED:C8:E1:EA:A7:AD
ValidityTue, 16 Apr 2024 04:17:07 GMT - Tue, 09 Jul 2024 04:17:06 GMT

File type
Web Open Font Format (Version 2), TrueType, length 15344, version 1.0
Size
15 kB (15344 bytes)
Hash
5d4aeb4e5f5ef754e307d7ffaef688bd
06db651cdf354c64a7383ea9c77024ef4fb4cef8
3e253b66056519aa065b00a453bac37ac5ed8f3e6fe7b542e93a9dcdcc11d0bc

HTTP Headers

GET /s/roboto/v18/KFOmCnqEu92Fr1Mu4mxK.woff2 HTTP/1.1
Host: fonts.gstatic.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Origin: https://www.google.com
DNT: 1
Connection: keep-alive
Referer: https://www.google.com/
Sec-Fetch-Dest: font
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
accept-ranges: bytes
access-control-allow-origin: *
content-security-policy-report-only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/apps-themes
cross-origin-resource-policy: cross-origin
cross-origin-opener-policy: same-origin; report-to="apps-themes"
report-to: {"group":"apps-themes","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/apps-themes"}]}
timing-allow-origin: *
content-length: 15344
x-content-type-options: nosniff
server: sffe
x-xss-protection: 0
date: Fri, 03 May 2024 16:31:04 GMT
expires: Sat, 03 May 2025 16:31:04 GMT
cache-control: public, max-age=31536000
last-modified: Mon, 16 Oct 2017 17:32:55 GMT
content-type: font/woff2
age: 315770
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/33.ae4de0a0.chunk.js

143.204.55.14

24 kB

URL
rc-widget-frame.js.driftt.com/core/assets/js/33.ae4de0a0.chunk.js
IP
143.204.55.14:0
ASN
#16509 AMAZON-02

File type
gzip compressed data, from Unix
Size
24 kB (23874 bytes)
Hash
0ceadece94249dcae6a01ab2a2f188a5
a71edaf4b242f6134d4aa3fa582e4db84f0a12b3
d9f0b7f39ac58f7526764db3e96790ef9bade5ac1070bf04878a170458fc4e73

HTTP Headers

GET /core/assets/js/33.ae4de0a0.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:53 GMT
last-modified: Mon, 21 Aug 2023 14:57:25 GMT
etag: W/"db0cd5b66c52523e10b87a0c8a2db182"
x-amz-server-side-encryption: AES256
x-amz-version-id: PUG2tPuHbg6UXU15H37d6Lifu.5b8Act
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 18
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: bKl0JE-cuyjoYNij2if7w9HalZ2Z4MY3OKnK9V-u6pfLFhTZjLEDtA==
X-Firefox-Spdy: h2

www.gstatic.com/recaptcha/api2/logo_48.png

142.250.74.163

200 OK

2.2 kB

URL GET HTTP/3
www.gstatic.com/recaptcha/api2/logo_48.png
IP
142.250.74.163:443
ASN
#15169 GOOGLE

Requested by
https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC&co=aHR0cHM6Ly93d3cuaHVudHJlc3MuY29tOjQ0Mw..&hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&size=normal&cb=3ed4ifqylzve
Certificate
IssuerGoogle Trust Services LLC
Subject*.gstatic.com
Fingerprint15:DD:05:B3:2F:D8:E3:54:C9:B4:FA:E4:AC:01:ED:C8:E1:EA:A7:AD
ValidityTue, 16 Apr 2024 04:17:07 GMT - Tue, 09 Jul 2024 04:17:06 GMT

File type
PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
Size
2.2 kB (2228 bytes)
Hash
ef9941290c50cd3866e2ba6b793f010d
4736508c795667dcea21f8d864233031223b7832
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

HTTP Headers

GET /recaptcha/api2/logo_48.png HTTP/1.1
Host: www.gstatic.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://www.gstatic.com/recaptcha/releases/V6_85qpc2Xf2sbe3xTnRte7m/styles__ltr.css
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/3 200 OK
accept-ranges: bytes
content-security-policy-report-only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/recaptcha
cross-origin-resource-policy: cross-origin
cross-origin-opener-policy: same-origin-allow-popups; report-to="recaptcha"
report-to: {"group":"recaptcha","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/recaptcha"}]}
content-length: 2228
x-content-type-options: nosniff
server: sffe
x-xss-protection: 0
date: Fri, 03 May 2024 00:37:29 GMT
expires: Fri, 10 May 2024 00:37:29 GMT
cache-control: public, max-age=604800
last-modified: Tue, 03 Mar 2020 20:15:00 GMT
content-type: image/png
age: 372985
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

rc-widget-frame.js.driftt.com/core/assets/js/22.6b9a301a.chunk.js

143.204.55.14

200 OK

10 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/22.6b9a301a.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
gzip compressed data, from Unix
Size
10 kB (10373 bytes)
Hash
f609e371af5a1ff0693d633162807eeb
530586970a5c3945b29d982ec6375b0f52fe8716
dabdb4460f6efc6bb8cfa4048407fa317dd31783c44e08803b954c67dd62bc87

HTTP Headers

GET /core/assets/js/22.6b9a301a.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:53 GMT
last-modified: Wed, 01 May 2024 17:00:04 GMT
etag: W/"d8739a9fe9a3a42936f5cd86c8727494"
x-amz-server-side-encryption: AES256
x-amz-version-id: 3HD5h0_dxshKSgLaoxolAx3HXOCoWagz
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 21
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: V9do87UMGaeVY9KH25fttjKlM1tyCkxJg_zxGQ6JESBukGgdLLFcsw==
X-Firefox-Spdy: h2

bootstrap.api.drift.com/widget_bootstrap/ping/v2

3.94.218.138

200 OK

208 B

URL POST HTTP/2
bootstrap.api.drift.com/widget_bootstrap/ping/v2
IP
3.94.218.138:443
ASN
#14618 AMAZON-AES

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subjectdrift.com
FingerprintB7:94:E7:F3:B7:5C:66:0B:09:DC:83:16:97:C6:C8:04:3A:B0:3B:D0
ValiditySun, 03 Mar 2024 00:00:00 GMT - Mon, 31 Mar 2025 23:59:59 GMT

File type
JSON text data
Size
208 B (208 bytes)
Hash
45ff0a7146f0e5c3afd17c31c28beeb8
cf4d727bc773dfc82c5e49ec38811c362cb518d7
facf8de270be69de3d2a6fc877d6bbf24baacdeb6f8c5b39a4ac4853bcc096bb

HTTP Headers

POST /widget_bootstrap/ping/v2 HTTP/1.1
Host: bootstrap.api.drift.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 162
Origin: https://rc-widget-frame.js.driftt.com
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:55 GMT
access-control-allow-origin: *
access-control-allow-headers: origin, content-type, accept, authorization, auth-token, uber-trace-id, x-amzn-oidc-data, x-version
access-control-allow-credentials: true
access-control-expose-headers: X-Results-Total-Count,X-Page-Info
access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH
access-control-max-age: 1209600
strict-transport-security: max-age=31536000; includeSubDomains
content-type: application/json;charset=utf-8
requestid: 1867e2bcc597c54c
vary: Accept-Encoding
content-length: 208
x-envoy-upstream-service-time: 2
server: istio-envoy
X-Firefox-Spdy: h2

www.gstatic.com/recaptcha/releases/V6_85qpc2Xf2sbe3xTnRte7m/styles__ltr.css

142.250.74.163

200 OK

25 kB

URL GET HTTP/3
www.gstatic.com/recaptcha/releases/V6_85qpc2Xf2sbe3xTnRte7m/styles__ltr.css
IP
142.250.74.163:443
ASN
#15169 GOOGLE

Requested by
https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC&co=aHR0cHM6Ly93d3cuaHVudHJlc3MuY29tOjQ0Mw..&hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&size=normal&cb=3ed4ifqylzve
Certificate
IssuerGoogle Trust Services LLC
Subject*.gstatic.com
Fingerprint15:DD:05:B3:2F:D8:E3:54:C9:B4:FA:E4:AC:01:ED:C8:E1:EA:A7:AD
ValidityTue, 16 Apr 2024 04:17:07 GMT - Tue, 09 Jul 2024 04:17:06 GMT

File type
ASCII text, with very long lines (56412), with no line terminators
Size
25 kB (24617 bytes)
Hash
2c00b9f417b688224937053cd0c284a5
17b4c18ebc129055dd25f214c3f11e03e9df2d82
1e754b107428162c65a26d399b66db3daaea09616bf8620d9de4bc689ce48eed

HTTP Headers

GET /recaptcha/releases/V6_85qpc2Xf2sbe3xTnRte7m/styles__ltr.css HTTP/1.1
Host: www.gstatic.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://www.google.com/
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/3 200 OK
accept-ranges: bytes
content-encoding: gzip
content-security-policy-report-only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/recaptcha
cross-origin-resource-policy: cross-origin
cross-origin-opener-policy: same-origin-allow-popups; report-to="recaptcha"
report-to: {"group":"recaptcha","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/recaptcha"}]}
content-length: 24617
x-content-type-options: nosniff
server: sffe
x-xss-protection: 0
date: Mon, 06 May 2024 15:37:51 GMT
expires: Tue, 06 May 2025 15:37:51 GMT
cache-control: public, max-age=31536000
last-modified: Mon, 22 Apr 2024 21:03:35 GMT
content-type: text/css
vary: Accept-Encoding
age: 59764
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

rc-widget-frame.js.driftt.com/core/assets/css/8.98b34517.chunk.css

143.204.55.14

200 OK

234 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/css/8.98b34517.chunk.css
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
gzip compressed data, from Unix
Size
234 kB (233486 bytes)
Hash
8bfb31fde1c21350aa3898956bd625db
3b0f58841b8c2687bf82b3452279f6f408cfcfd3
7059d9c4f0dba4fe9187ab1ecb80a35fdb8f7a370daa6437b7038b44d539fc7b

HTTP Headers

GET /core/assets/css/8.98b34517.chunk.css HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
content-type: text/css
server: istio-envoy
date: Tue, 07 May 2024 08:13:53 GMT
last-modified: Mon, 21 Aug 2023 14:57:23 GMT
etag: W/"82429fd1682dcb60e14996ad58a35a4f"
x-amz-server-side-encryption: AES256
x-amz-version-id: iNKtCZtb69S5Xg2ti_W3KaKTIlBxoqLp
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
content-encoding: gzip
x-envoy-upstream-service-time: 22
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: soPi9QSaN_oLrV-56rgJKQaLwAJRh91T2PP19qUE83umL0U0MkN35Q==
X-Firefox-Spdy: h2

www.google.com/recaptcha/api2/webworker.js?hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m

142.250.74.132

200 OK

110 B

URL GET HTTP/3
www.google.com/recaptcha/api2/webworker.js?hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m
IP
142.250.74.132:443
ASN
#15169 GOOGLE

Requested by
https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC&co=aHR0cHM6Ly93d3cuaHVudHJlc3MuY29tOjQ0Mw..&hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&size=normal&cb=3ed4ifqylzve
Certificate
IssuerGoogle Trust Services LLC
Subject*.google.com
Fingerprint7C:B7:E1:97:03:6E:82:B6:52:F8:EC:C6:C6:50:D9:DD:80:47:E6:A0
ValidityTue, 16 Apr 2024 03:18:53 GMT - Tue, 09 Jul 2024 03:18:52 GMT

File type
ASCII text, with no line terminators
Size
110 B (110 bytes)
Hash
284b36421a1cf446f32cb8f7987b1091
eb14d6298c9da3fb26d75b54c087ea2df9f3f05f
94ab2be973685680d0be9c08d4e1a7465f3c09053cf631126bd33f49cc2f939b

HTTP Headers

GET /recaptcha/api2/webworker.js?hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC&co=aHR0cHM6Ly93d3cuaHVudHJlc3MuY29tOjQ0Mw..&hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&size=normal&cb=3ed4ifqylzve
Sec-Fetch-Dest: worker
Sec-Fetch-Mode: same-origin
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/3 200 OK
content-type: text/javascript; charset=utf-8
cross-origin-embedder-policy: require-corp
report-to: {"group":"recaptcha","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/recaptcha"}]}
expires: Tue, 07 May 2024 08:13:54 GMT
date: Tue, 07 May 2024 08:13:54 GMT
cache-control: private, max-age=300
content-encoding: gzip
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-security-policy: frame-ancestors 'self'
x-xss-protection: 1; mode=block
server: GSE
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

metrics.api.drift.com/monitoring/metrics/widget/init/v3

3.94.218.138

200 OK

25 B

URL POST HTTP/2
metrics.api.drift.com/monitoring/metrics/widget/init/v3
IP
3.94.218.138:443
ASN
#14618 AMAZON-AES

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subjectdrift.com
FingerprintB7:94:E7:F3:B7:5C:66:0B:09:DC:83:16:97:C6:C8:04:3A:B0:3B:D0
ValiditySun, 03 Mar 2024 00:00:00 GMT - Mon, 31 Mar 2025 23:59:59 GMT

File type
JSON text data
Size
25 B (25 bytes)
Hash
61228f8f544358e9ea1f463f01b5853c
582766f30c82dc2df6938c8e16455fa5e329afb1
f8c91e009d219173c41b4c0b6e43ad28081f7580df6cb99a76aa0a476390ca47

HTTP Headers

POST /monitoring/metrics/widget/init/v3 HTTP/1.1
Host: metrics.api.drift.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 549
Origin: https://rc-widget-frame.js.driftt.com
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:55 GMT
access-control-allow-origin: *
access-control-allow-headers: origin, content-type, accept, authorization, auth-token, uber-trace-id, x-amzn-oidc-data, x-version
access-control-allow-credentials: true
access-control-expose-headers: X-Results-Total-Count,X-Page-Info
access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH
access-control-max-age: 1209600
strict-transport-security: max-age=31536000; includeSubDomains
content-type: application/json;charset=utf-8
requestid: 3a939f74c16dea36
vary: Accept-Encoding
content-length: 25
x-envoy-upstream-service-time: 13
server: istio-envoy
X-Firefox-Spdy: h2

b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A56%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A55%20GMT%22%2C%22timeSpent%22%3A%221002%22%2C%22totalTimeSpent%22%3A%224074%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18

95.101.10.131

200 OK

43 B

URL GET HTTP/2
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A56%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A55%20GMT%22%2C%22timeSpent%22%3A%221002%22%2C%22totalTimeSpent%22%3A%224074%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18
IP
95.101.10.131:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A56%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A55%20GMT%22%2C%22timeSpent%22%3A%221002%22%2C%22totalTimeSpent%22%3A%224074%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "63f03226-2b"
last-modified: Sat, 18 Feb 2023 02:04:22 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:13:56 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:56 GMT
X-Firefox-Spdy: h2

5092804-4.chat.api.drift.com/ws/websocket?session_token=SFMyNTY.g2gDdAAAAAVkAAJpZG0AAAAVNTA5MjgwNC0yMTgzNDYxNzk3OC00ZAAGb3JnX2lkbQAAAAc1MDkyODA0ZAAJc2NvcGVfc2V0bQAAAARsZWFkZAAHdXNlcl9pZG0AAAALMjE4MzQ2MTc5NzhkAAl1c2VyX3R5cGVkAARsZWFkbgYAAM0dUo8BYgABUYA.c8cmKfodbMUqdtAt1XfF7detoHisMe6lvLtqkEMt_oA&remote_ip=18.232.245.220&vsn=2.0.0

107.22.248.170

0 B

URL
5092804-4.chat.api.drift.com/ws/websocket?session_token=SFMyNTY.g2gDdAAAAAVkAAJpZG0AAAAVNTA5MjgwNC0yMTgzNDYxNzk3OC00ZAAGb3JnX2lkbQAAAAc1MDkyODA0ZAAJc2NvcGVfc2V0bQAAAARsZWFkZAAHdXNlcl9pZG0AAAALMjE4MzQ2MTc5NzhkAAl1c2VyX3R5cGVkAARsZWFkbgYAAM0dUo8BYgABUYA.c8cmKfodbMUqdtAt1XfF7detoHisMe6lvLtqkEMt_oA&remote_ip=18.232.245.220&vsn=2.0.0
IP
107.22.248.170:0
ASN
#14618 AMAZON-AES

File type

Size
0 B (0 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

HTTP Headers

GET /ws/websocket?session_token=SFMyNTY.g2gDdAAAAAVkAAJpZG0AAAAVNTA5MjgwNC0yMTgzNDYxNzk3OC00ZAAGb3JnX2lkbQAAAAc1MDkyODA0ZAAJc2NvcGVfc2V0bQAAAARsZWFkZAAHdXNlcl9pZG0AAAALMjE4MzQ2MTc5NzhkAAl1c2VyX3R5cGVkAARsZWFkbgYAAM0dUo8BYgABUYA.c8cmKfodbMUqdtAt1XfF7detoHisMe6lvLtqkEMt_oA&remote_ip=18.232.245.220&vsn=2.0.0 HTTP/1.1
Host: 5092804-4.chat.api.drift.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Sec-WebSocket-Version: 13
Origin: https://rc-widget-frame.js.driftt.com
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: nGTVdGVcyhIg6zAazQTp4A==
DNT: 1
Connection: keep-alive, Upgrade
Sec-Fetch-Dest: websocket
Sec-Fetch-Mode: websocket
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

HTTP/1.1 101 Switching Protocols
Date: Tue, 07 May 2024 08:13:56 GMT
Connection: upgrade
cache-control: max-age=0, private, must-revalidate
sec-websocket-accept: 05UdUFI1Sva34QPfGDt9T5ltiNA=
server: Cowboy
upgrade: websocket

event.api.drift.com/track

3.94.218.138

200 OK

13 B

URL OPTIONS HTTP/2
event.api.drift.com/track
IP
3.94.218.138:443
ASN
#14618 AMAZON-AES

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subjectdrift.com
FingerprintB7:94:E7:F3:B7:5C:66:0B:09:DC:83:16:97:C6:C8:04:3A:B0:3B:D0
ValiditySun, 03 Mar 2024 00:00:00 GMT - Mon, 31 Mar 2025 23:59:59 GMT

File type
ASCII text, with no line terminators
Size
13 B (13 bytes)
Hash
1424eb76249899d757e4d168341a50dc
42101e71440abd46c8112a96d4d5c0dd445120ce
16f1efa415bfdd7abcf8fdd76cc05ae6fa66ffdfdc730368ecea89ecfe5c3a12

HTTP Headers

OPTIONS /track HTTP/1.1
Host: event.api.drift.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: POST
Access-Control-Request-Headers: authorization,content-type
Referer: https://rc-widget-frame.js.driftt.com/
Origin: https://rc-widget-frame.js.driftt.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:56 GMT
access-control-allow-origin: *
access-control-allow-headers: origin, content-type, accept, authorization, auth-token, uber-trace-id, x-amzn-oidc-data, x-version
access-control-allow-credentials: true
access-control-expose-headers: X-Results-Total-Count,X-Page-Info
access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH
access-control-max-age: 1209600
strict-transport-security: max-age=31536000; includeSubDomains
content-type: text/plain
allow: POST,OPTIONS
requestid: drift4abf2fb47218f69d1545afa3c47
content-length: 13
x-envoy-upstream-service-time: 0
server: istio-envoy
X-Firefox-Spdy: h2

event.api.drift.com/track

3.94.218.138

200 OK

583 B

URL OPTIONS HTTP/2
event.api.drift.com/track
IP
3.94.218.138:443
ASN
#14618 AMAZON-AES

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subjectdrift.com
FingerprintB7:94:E7:F3:B7:5C:66:0B:09:DC:83:16:97:C6:C8:04:3A:B0:3B:D0
ValiditySun, 03 Mar 2024 00:00:00 GMT - Mon, 31 Mar 2025 23:59:59 GMT

File type
JSON text data
Size
583 B (583 bytes)
Hash
7c5e7bbd4b87afa63c841087c7944507
08e78274ad019498e65961f49be3a5969c8bd8b8
5b8deb1c2c21cfc02711e1e3026741f4b6cd6facf8678f6d480389bd427a148a

HTTP Headers

POST /track HTTP/1.1
Host: event.api.drift.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJzdWIiOiIyMTgzNDYxNzk3OCIsImNsaWVudElkIjoiZjZ6dWl6ZHloeHJtN3IiLCJ1c2VySWRUeXBlIjoiTEVBRCIsInNjb3BlIjoibGVhZCIsImlzcyI6IjUwOTI4MDQiLCJleHAiOjE3NDY2MDU2MzUsImlhdCI6MTcxNTA2OTYzNX0.HBi7_tQWvmGSIg9srF8bwLpLk1K5D9n_niSgyJI7fz1xPTotnY4mq4uvO9zLWO2DTFWeNKyyb87PMgOE42vy-g
Content-Length: 428
Origin: https://rc-widget-frame.js.driftt.com
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:56 GMT
access-control-allow-origin: *
access-control-allow-headers: origin, content-type, accept, authorization, auth-token, uber-trace-id, x-amzn-oidc-data, x-version
access-control-allow-credentials: true
access-control-expose-headers: X-Results-Total-Count,X-Page-Info
access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH
access-control-max-age: 1209600
strict-transport-security: max-age=31536000; includeSubDomains
content-type: application/json;charset=utf-8
requestid: 7154c1cc3193b718
content-length: 583
x-envoy-upstream-service-time: 1
server: istio-envoy
X-Firefox-Spdy: h2

b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A57%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A56%20GMT%22%2C%22timeSpent%22%3A%221001%22%2C%22totalTimeSpent%22%3A%225075%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18

95.101.10.131

200 OK

43 B

URL GET HTTP/2
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A57%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A56%20GMT%22%2C%22timeSpent%22%3A%221001%22%2C%22totalTimeSpent%22%3A%225075%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18
IP
95.101.10.131:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A57%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A56%20GMT%22%2C%22timeSpent%22%3A%221001%22%2C%22totalTimeSpent%22%3A%225075%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "63f02dad-2b"
last-modified: Sat, 18 Feb 2023 01:45:17 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:13:57 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:57 GMT
X-Firefox-Spdy: h2

presence.api.drift.com/ws/websocket?session_token=SFMyNTY.g3QAAAACZAAEZGF0YXQAAAAFZAACaWRtAAAAFTUwOTI4MDQtMjE4MzQ2MTc5NzgtNGQABm9yZ19pZG0AAAAHNTA5MjgwNGQACXNjb3BlX3NldG0AAAAEbGVhZGQAB3VzZXJfaWRtAAAACzIxODM0NjE3OTc4ZAAJdXNlcl90eXBlZAAEbGVhZGQABnNpZ25lZG4GAAPNHVKPAQ.kg-kCpkRsACu5QiQ0ILq0oCKO9GFkCFlNEkEUq0O6aA&remote_ip=18.232.245.220&vsn=2.0.0

54.85.240.191

0 B

URL
presence.api.drift.com/ws/websocket?session_token=SFMyNTY.g3QAAAACZAAEZGF0YXQAAAAFZAACaWRtAAAAFTUwOTI4MDQtMjE4MzQ2MTc5NzgtNGQABm9yZ19pZG0AAAAHNTA5MjgwNGQACXNjb3BlX3NldG0AAAAEbGVhZGQAB3VzZXJfaWRtAAAACzIxODM0NjE3OTc4ZAAJdXNlcl90eXBlZAAEbGVhZGQABnNpZ25lZG4GAAPNHVKPAQ.kg-kCpkRsACu5QiQ0ILq0oCKO9GFkCFlNEkEUq0O6aA&remote_ip=18.232.245.220&vsn=2.0.0
IP
54.85.240.191:0
ASN
#14618 AMAZON-AES

File type

Size
0 B (0 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

HTTP Headers

GET /ws/websocket?session_token=SFMyNTY.g3QAAAACZAAEZGF0YXQAAAAFZAACaWRtAAAAFTUwOTI4MDQtMjE4MzQ2MTc5NzgtNGQABm9yZ19pZG0AAAAHNTA5MjgwNGQACXNjb3BlX3NldG0AAAAEbGVhZGQAB3VzZXJfaWRtAAAACzIxODM0NjE3OTc4ZAAJdXNlcl90eXBlZAAEbGVhZGQABnNpZ25lZG4GAAPNHVKPAQ.kg-kCpkRsACu5QiQ0ILq0oCKO9GFkCFlNEkEUq0O6aA&remote_ip=18.232.245.220&vsn=2.0.0 HTTP/1.1
Host: presence.api.drift.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Sec-WebSocket-Version: 13
Origin: https://rc-widget-frame.js.driftt.com
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: mWANSt102yUyjbbRA+Dqkw==
DNT: 1
Connection: keep-alive, Upgrade
Sec-Fetch-Dest: websocket
Sec-Fetch-Mode: websocket
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

HTTP/1.1 101 Switching Protocols
cache-control: max-age=0, private, must-revalidate
connection: Upgrade
date: Tue, 07 May 2024 08:13:56 GMT
sec-websocket-accept: r8C+wEirI07tfZ8m5LlbkS8GH6I=
server: Cowboy
upgrade: websocket

js.driftt.com/deploy/assets/static/fonts/KFOmCnqEu92Fr1Mu4mxKKTU1Kg.woff2

54.230.111.73

200 OK

11 kB

URL GET HTTP/2
js.driftt.com/deploy/assets/static/fonts/KFOmCnqEu92Fr1Mu4mxKKTU1Kg.woff2
IP
54.230.111.73:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subjectdrift.com
Fingerprint8D:87:63:40:81:FD:69:E6:E5:7B:1B:D8:C5:49:BB:2A:A5:0B:A2:EE
ValidityTue, 15 Aug 2023 00:00:00 GMT - Wed, 11 Sep 2024 23:59:59 GMT

File type
Web Open Font Format (Version 2), TrueType, length 11028, version 1.0
Size
11 kB (11028 bytes)
Hash
1f6d3cf6d38f25d83d95f5a800b8cac3
279f300ca2cbbdf9f5036ef2f438607fbf377daa
796de064b8d80eba7ccacb8ba67d77fdbcdf4b385c844645d452c24537b3108f

HTTP Headers

GET /deploy/assets/static/fonts/KFOmCnqEu92Fr1Mu4mxKKTU1Kg.woff2 HTTP/1.1
Host: js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Origin: https://rc-widget-frame.js.driftt.com
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/
Sec-Fetch-Dest: font
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: binary/octet-stream,font/woff2
content-length: 11028
server: istio-envoy
date: Sun, 31 Mar 2024 17:38:25 GMT
last-modified: Fri, 03 Mar 2023 19:55:17 GMT
etag: "1f6d3cf6d38f25d83d95f5a800b8cac3"
x-amz-server-side-encryption: AES256
accept-ranges: bytes
cache-control: max-age=31536000
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
x-envoy-upstream-service-time: 52
x-cache: Hit from cloudfront
via: 1.1 6a0f63864791329e89a4b233ec4c3a36.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-P1
x-amz-cf-id: KIswpFh8_3Of-3DUK9Wurd-yDiqrhofqhX6l9og5mHXewm-ZKHzFjg==
age: 3162932
X-Firefox-Spdy: h2

js.driftt.com/deploy/assets/static/fonts/KFOlCnqEu92Fr1MmWUlfBBc4AMP6lQ.woff2

54.230.111.73

11 kB

URL
js.driftt.com/deploy/assets/static/fonts/KFOlCnqEu92Fr1MmWUlfBBc4AMP6lQ.woff2
IP
54.230.111.73:0
ASN
#16509 AMAZON-02

Certificate
IssuerAmazon
Subjectdrift.com
Fingerprint8D:87:63:40:81:FD:69:E6:E5:7B:1B:D8:C5:49:BB:2A:A5:0B:A2:EE
ValidityTue, 15 Aug 2023 00:00:00 GMT - Wed, 11 Sep 2024 23:59:59 GMT

File type
Web Open Font Format (Version 2), TrueType, length 11040, version 1.0
Size
11 kB (11040 bytes)
Hash
5e22a46c04d947a36ea0cad07afcc9e1
6091d981c2a4ee975c7f6b56186ee698040bb804
0f53e8b0a717ca4ce313eec62b90d41db62c2f4946259a65c93bf8e84c5b0c44

HTTP Headers

GET /deploy/assets/static/fonts/KFOlCnqEu92Fr1MmWUlfBBc4AMP6lQ.woff2 HTTP/1.1
Host: js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Origin: https://rc-widget-frame.js.driftt.com
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/
Sec-Fetch-Dest: font
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: binary/octet-stream,font/woff2
content-length: 11040
server: istio-envoy
date: Thu, 25 Apr 2024 01:42:17 GMT
last-modified: Fri, 03 Mar 2023 14:31:39 GMT
etag: "5e22a46c04d947a36ea0cad07afcc9e1"
x-amz-server-side-encryption: AES256
accept-ranges: bytes
cache-control: max-age=31536000
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
x-envoy-upstream-service-time: 52
x-cache: Hit from cloudfront
via: 1.1 6a0f63864791329e89a4b233ec4c3a36.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-P1
x-amz-cf-id: AALEH-dFY-3G35Wnov5acEzY_NI6Avxz8UAQEVCXvW9r2S1obyCttQ==
age: 1060300
X-Firefox-Spdy: h2

metrics.api.drift.com/monitoring/metrics/event3/bulk

3.94.218.138

200 OK

25 B

URL POST HTTP/2
metrics.api.drift.com/monitoring/metrics/event3/bulk
IP
3.94.218.138:443
ASN
#14618 AMAZON-AES

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subjectdrift.com
FingerprintB7:94:E7:F3:B7:5C:66:0B:09:DC:83:16:97:C6:C8:04:3A:B0:3B:D0
ValiditySun, 03 Mar 2024 00:00:00 GMT - Mon, 31 Mar 2025 23:59:59 GMT

File type
JSON text data
Size
25 B (25 bytes)
Hash
61228f8f544358e9ea1f463f01b5853c
582766f30c82dc2df6938c8e16455fa5e329afb1
f8c91e009d219173c41b4c0b6e43ad28081f7580df6cb99a76aa0a476390ca47

HTTP Headers

POST /monitoring/metrics/event3/bulk HTTP/1.1
Host: metrics.api.drift.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 996
Origin: https://rc-widget-frame.js.driftt.com
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:57 GMT
access-control-allow-origin: *
access-control-allow-headers: origin, content-type, accept, authorization, auth-token, uber-trace-id, x-amzn-oidc-data, x-version
access-control-allow-credentials: true
access-control-expose-headers: X-Results-Total-Count,X-Page-Info
access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH
access-control-max-age: 1209600
strict-transport-security: max-age=31536000; includeSubDomains
content-type: application/json;charset=utf-8
requestid: fdc27fa8f44a92f1
vary: Accept-Encoding
content-length: 25
x-envoy-upstream-service-time: 12
server: istio-envoy
X-Firefox-Spdy: h2

b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A58%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A57%20GMT%22%2C%22timeSpent%22%3A%221001%22%2C%22totalTimeSpent%22%3A%226076%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18

95.101.10.131

200 OK

43 B

URL GET HTTP/2
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A58%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A57%20GMT%22%2C%22timeSpent%22%3A%221001%22%2C%22totalTimeSpent%22%3A%226076%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18
IP
95.101.10.131:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A58%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A57%20GMT%22%2C%22timeSpent%22%3A%221001%22%2C%22totalTimeSpent%22%3A%226076%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "5e502810-2b"
last-modified: Fri, 21 Feb 2020 18:57:20 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:13:58 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:58 GMT
X-Firefox-Spdy: h2

b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A59%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A58%20GMT%22%2C%22timeSpent%22%3A%221004%22%2C%22totalTimeSpent%22%3A%227080%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18

95.101.10.131

200 OK

43 B

URL GET HTTP/2
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A59%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A58%20GMT%22%2C%22timeSpent%22%3A%221004%22%2C%22totalTimeSpent%22%3A%227080%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18
IP
95.101.10.131:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A59%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A58%20GMT%22%2C%22timeSpent%22%3A%221004%22%2C%22totalTimeSpent%22%3A%227080%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "615ccf10-2b"
last-modified: Tue, 05 Oct 2021 22:17:52 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:13:59 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:59 GMT
X-Firefox-Spdy: h2

b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A00%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A59%20GMT%22%2C%22timeSpent%22%3A%221003%22%2C%22totalTimeSpent%22%3A%228083%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18

95.101.10.131

200 OK

43 B

URL GET HTTP/2
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A00%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A59%20GMT%22%2C%22timeSpent%22%3A%221003%22%2C%22totalTimeSpent%22%3A%228083%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18
IP
95.101.10.131:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A00%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A59%20GMT%22%2C%22timeSpent%22%3A%221003%22%2C%22totalTimeSpent%22%3A%228083%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "63f03226-2b"
last-modified: Sat, 18 Feb 2023 02:04:22 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:14:00 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:14:00 GMT
X-Firefox-Spdy: h2

metrics.api.drift.com/monitoring/metrics/add/bulk/v2

3.94.218.138

200 OK

25 B

URL POST HTTP/2
metrics.api.drift.com/monitoring/metrics/add/bulk/v2
IP
3.94.218.138:443
ASN
#14618 AMAZON-AES

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subjectdrift.com
FingerprintB7:94:E7:F3:B7:5C:66:0B:09:DC:83:16:97:C6:C8:04:3A:B0:3B:D0
ValiditySun, 03 Mar 2024 00:00:00 GMT - Mon, 31 Mar 2025 23:59:59 GMT

File type
JSON text data
Size
25 B (25 bytes)
Hash
61228f8f544358e9ea1f463f01b5853c
582766f30c82dc2df6938c8e16455fa5e329afb1
f8c91e009d219173c41b4c0b6e43ad28081f7580df6cb99a76aa0a476390ca47

HTTP Headers

POST /monitoring/metrics/add/bulk/v2 HTTP/1.1
Host: metrics.api.drift.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 869
Origin: https://rc-widget-frame.js.driftt.com
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
date: Tue, 07 May 2024 08:14:00 GMT
access-control-allow-origin: *
access-control-allow-headers: origin, content-type, accept, authorization, auth-token, uber-trace-id, x-amzn-oidc-data, x-version
access-control-allow-credentials: true
access-control-expose-headers: X-Results-Total-Count,X-Page-Info
access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH
access-control-max-age: 1209600
strict-transport-security: max-age=31536000; includeSubDomains
content-type: application/json;charset=utf-8
requestid: 27a331ab008dee27
vary: Accept-Encoding
content-length: 25
x-envoy-upstream-service-time: 0
server: istio-envoy
X-Firefox-Spdy: h2

b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A01%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A00%20GMT%22%2C%22timeSpent%22%3A%221003%22%2C%22totalTimeSpent%22%3A%229086%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18

95.101.10.131

200 OK

43 B

URL GET HTTP/2
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A01%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A00%20GMT%22%2C%22timeSpent%22%3A%221003%22%2C%22totalTimeSpent%22%3A%229086%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18
IP
95.101.10.131:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A01%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A00%20GMT%22%2C%22timeSpent%22%3A%221003%22%2C%22totalTimeSpent%22%3A%229086%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "63f020a0-2b"
last-modified: Sat, 18 Feb 2023 00:49:36 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:14:01 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:14:01 GMT
X-Firefox-Spdy: h2

b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A02%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A01%20GMT%22%2C%22timeSpent%22%3A%221002%22%2C%22totalTimeSpent%22%3A%2210088%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18

95.101.10.131

43 B

URL
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A02%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A01%20GMT%22%2C%22timeSpent%22%3A%221002%22%2C%22totalTimeSpent%22%3A%2210088%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18
IP
95.101.10.131:0
ASN
#20940 Akamai International B.V.

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A02%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A01%20GMT%22%2C%22timeSpent%22%3A%221002%22%2C%22totalTimeSpent%22%3A%2210088%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "5e502810-2b"
last-modified: Fri, 21 Feb 2020 18:57:20 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:14:02 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:14:02 GMT
X-Firefox-Spdy: h2

b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A05%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A02%20GMT%22%2C%22timeSpent%22%3A%223003%22%2C%22totalTimeSpent%22%3A%2213091%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18

95.101.10.131

43 B

URL
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A05%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A02%20GMT%22%2C%22timeSpent%22%3A%223003%22%2C%22totalTimeSpent%22%3A%2213091%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18
IP
95.101.10.131:0
ASN
#20940 Akamai International B.V.

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A05%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A02%20GMT%22%2C%22timeSpent%22%3A%223003%22%2C%22totalTimeSpent%22%3A%2213091%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "5e502810-2b"
last-modified: Fri, 21 Feb 2020 18:57:20 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:14:05 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:14:05 GMT
X-Firefox-Spdy: h2

b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A08%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A05%20GMT%22%2C%22timeSpent%22%3A%223002%22%2C%22totalTimeSpent%22%3A%2216093%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18

95.101.10.131

43 B

URL
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A08%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A05%20GMT%22%2C%22timeSpent%22%3A%223002%22%2C%22totalTimeSpent%22%3A%2216093%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18
IP
95.101.10.131:0
ASN
#20940 Akamai International B.V.

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A08%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A05%20GMT%22%2C%22timeSpent%22%3A%223002%22%2C%22totalTimeSpent%22%3A%2216093%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "63f02dad-2b"
last-modified: Sat, 18 Feb 2023 01:45:17 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:14:08 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:14:08 GMT
X-Firefox-Spdy: h2

b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A11%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A08%20GMT%22%2C%22timeSpent%22%3A%223003%22%2C%22totalTimeSpent%22%3A%2219096%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18

95.101.10.131

43 B

URL
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A11%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A08%20GMT%22%2C%22timeSpent%22%3A%223003%22%2C%22totalTimeSpent%22%3A%2219096%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18
IP
95.101.10.131:0
ASN
#20940 Akamai International B.V.

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A11%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A08%20GMT%22%2C%22timeSpent%22%3A%223003%22%2C%22totalTimeSpent%22%3A%2219096%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "60bb2e15-2b"
last-modified: Sat, 05 Jun 2021 07:56:05 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:14:11 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:14:11 GMT
X-Firefox-Spdy: h2

b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A14%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A11%20GMT%22%2C%22timeSpent%22%3A%223003%22%2C%22totalTimeSpent%22%3A%2222099%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18

95.101.10.131

43 B

URL
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A14%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A11%20GMT%22%2C%22timeSpent%22%3A%223003%22%2C%22totalTimeSpent%22%3A%2222099%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18
IP
95.101.10.131:0
ASN
#20940 Akamai International B.V.

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A14%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A11%20GMT%22%2C%22timeSpent%22%3A%223003%22%2C%22totalTimeSpent%22%3A%2222099%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "60bb2e15-2b"
last-modified: Sat, 05 Jun 2021 07:56:05 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:14:14 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:14:14 GMT
X-Firefox-Spdy: h2

b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A17%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A14%20GMT%22%2C%22timeSpent%22%3A%223003%22%2C%22totalTimeSpent%22%3A%2225102%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18

95.101.10.131

43 B

URL
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A17%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A14%20GMT%22%2C%22timeSpent%22%3A%223003%22%2C%22totalTimeSpent%22%3A%2225102%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18
IP
95.101.10.131:0
ASN
#20940 Akamai International B.V.

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A17%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A14%20GMT%22%2C%22timeSpent%22%3A%223003%22%2C%22totalTimeSpent%22%3A%2225102%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "615ccf10-2b"
last-modified: Tue, 05 Oct 2021 22:17:52 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:14:17 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:14:17 GMT
X-Firefox-Spdy: h2

location.services.mozilla.com/v1/country?key=no-mozilla-api-key

44.240.56.209

48 B

URL
location.services.mozilla.com/v1/country?key=no-mozilla-api-key
IP
44.240.56.209:0
ASN
#16509 AMAZON-02

File type
JSON text data
Size
48 B (48 bytes)
Hash
94bc553225a6cddab963f4053273b388
57ffc8bd333dfe0bf3a05a5945ee15f9c15b0672
977bc9f6239939e6e0a2682325098f1bf0109e1450f040536670acf0f8798cb6

HTTP Headers

GET /v1/country?key=no-mozilla-api-key HTTP/1.1
Host: location.services.mozilla.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 2592000
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Security-Policy: default-src 'none'; report-uri /__cspreport__
Content-Type: application/json
Date: Tue, 07 May 2024 08:14:17 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Length: 48
Connection: keep-alive

b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A20%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A17%20GMT%22%2C%22timeSpent%22%3A%223002%22%2C%22totalTimeSpent%22%3A%2228104%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18

95.101.10.131

43 B

URL
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A20%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A17%20GMT%22%2C%22timeSpent%22%3A%223002%22%2C%22totalTimeSpent%22%3A%2228104%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18
IP
95.101.10.131:0
ASN
#20940 Akamai International B.V.

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A20%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A14%3A17%20GMT%22%2C%22timeSpent%22%3A%223002%22%2C%22totalTimeSpent%22%3A%2228104%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "615ccf10-2b"
last-modified: Tue, 05 Oct 2021 22:17:52 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:14:20 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:14:20 GMT
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/24.24e43c3b.chunk.js

143.204.55.14

200 OK

51 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/24.24e43c3b.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (51340), with no line terminators
Size
51 kB (51340 bytes)
Hash
390d4b78f4c738295b7974aca941d031
9d5fc5e50d9c16cc2223acefeaba36df18aab90a
eb6ce397310855bbef74043afcdda989653ad7b7b385191e8c8d622eee74b367

HTTP Headers

GET /core/assets/js/24.24e43c3b.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:53 GMT
last-modified: Mon, 21 Aug 2023 14:57:25 GMT
etag: W/"390d4b78f4c738295b7974aca941d031"
x-amz-server-side-encryption: AES256
x-amz-version-id: J3Ynz_VL_Xe.kEj4VqPxsio5dIqXBI10
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 20
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: x721bAG4d3vT9_85QJTzur9m-g_VHeigzlW11NprviyScSHvlv2nmw==
X-Firefox-Spdy: h2

95.101.10.131

200 OK

43 B

URL GET HTTP/2
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22storeTagId%5C%22%2C%5C%22value%5C%22%3A%5C%22e666a54d-ff29-48f9-9baa-2be6ac05412e%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22959%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18
IP
95.101.10.131:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=s_update&q=%7B%22settings%22%3A%22%5B%7B%5C%22name%5C%22%3A%5C%22storeTagId%5C%22%2C%5C%22value%5C%22%3A%5C%22e666a54d-ff29-48f9-9baa-2be6ac05412e%5C%22%2C%5C%22dateTime%5C%22%3A%5C%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%5C%22%2C%5C%22timeSincePageLoad%5C%22%3A%5C%22959%5C%22%7D%5D%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "5e502810-2b"
last-modified: Fri, 21 Feb 2020 18:57:20 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:13:53 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:53 GMT
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/14.e24a6190.chunk.js

143.204.55.14

200 OK

93 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/14.e24a6190.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (65536), with no line terminators
Size
93 kB (92674 bytes)
Hash
16d7ae86e21434a32157d3226ac9bb77
6eaa4577efa2568aa7752b00aa42523bda14ca95
6c9c6406c9bd9814cf84974221433003377b67f071ec5411fddbcba4ec109bca

HTTP Headers

GET /core/assets/js/14.e24a6190.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:53 GMT
last-modified: Wed, 01 May 2024 17:00:03 GMT
etag: W/"16d7ae86e21434a32157d3226ac9bb77"
x-amz-server-side-encryption: AES256
x-amz-version-id: MSOO4CzPmDMXrMMjXgn_wCL8w0zwR918
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 22
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: KkOETlabwOla4b0TpesDBd88dNhENBp1113DfkGEwfR6wphOtaj-Ww==
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/3.bbe0e1fa.chunk.js

143.204.55.14

200 OK

24 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/3.bbe0e1fa.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (24548), with no line terminators
Size
24 kB (24548 bytes)
Hash
b394f9cf6fe473cdb6852b332234aa52
0fbb71e9d746bfe0f3edf4329231e8b2573e664c
ba3035c1cbfbd4ebb878f85acde3d846c6e9e90081de78ddcaf3126b4e8823b0

HTTP Headers

GET /core/assets/js/3.bbe0e1fa.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:54 GMT
last-modified: Mon, 21 Aug 2023 14:57:25 GMT
etag: W/"b394f9cf6fe473cdb6852b332234aa52"
x-amz-server-side-encryption: AES256
x-amz-version-id: pHxDHN0IINa0RNuxMPvQ8pBn4Eg1GWSc
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 18
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: fHwxzHqLIGU-tM4unn0iZiOjV1WxyyjocdGFDwHLaFebEzNUb-aHcw==
X-Firefox-Spdy: h2

b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A55%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A54%20GMT%22%2C%22timeSpent%22%3A%221002%22%2C%22totalTimeSpent%22%3A%223072%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18

95.101.10.131

200 OK

43 B

URL GET HTTP/2
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A55%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A54%20GMT%22%2C%22timeSpent%22%3A%221002%22%2C%22totalTimeSpent%22%3A%223072%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18
IP
95.101.10.131:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=active_time_track&q=%7B%22currentTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A55%20GMT%22%2C%22lastTrackTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A54%20GMT%22%2C%22timeSpent%22%3A%221002%22%2C%22totalTimeSpent%22%3A%223072%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&an_uid=-1&webTagId=e666a54d-ff29-48f9-9baa-2be6ac05412e&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "63f02dad-2b"
last-modified: Sat, 18 Feb 2023 01:45:17 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:13:55 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:55 GMT
X-Firefox-Spdy: h2

hubspotonwebflow.com/api/forms/blockList?id=92048dff-ffdc-421f-9344-58c3ff0002d9

76.76.21.61

200 OK

47 B

URL GET HTTP/2
hubspotonwebflow.com/api/forms/blockList?id=92048dff-ffdc-421f-9344-58c3ff0002d9
IP
76.76.21.61:443
ASN
#16509 AMAZON-02

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subjecthubspotonwebflow.com
Fingerprint38:B7:60:3C:B5:3B:2D:6B:25:E2:90:D9:F1:41:B8:F8:2F:AF:6A:BE
ValidityMon, 06 May 2024 22:48:06 GMT - Sun, 04 Aug 2024 22:48:05 GMT

File type
troff or preprocessor input, ASCII text, with no line terminators
Size
47 B (47 bytes)
Hash
92b0ac52eb3a4a3a7aa65224abcf9105
559923772a67b0808357cbafad1c4b85f1fbb637
8d57e2de20c17fd1d44666ee75ea22ba15abd3c5127812b84e8179911bb52261

HTTP Headers

GET /api/forms/blockList?id=92048dff-ffdc-421f-9344-58c3ff0002d9 HTTP/1.1
Host: hubspotonwebflow.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
access-control-allow-headers: Content-Type, Authorization
access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
access-control-allow-origin: *
age: 0
cache-control: public, max-age=0, must-revalidate
content-encoding: br
content-type: application/json
date: Tue, 07 May 2024 08:13:55 GMT
server: Vercel
strict-transport-security: max-age=63072000
vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch
x-matched-path: /api/forms/blockList
x-vercel-cache: MISS
x-vercel-execution-region: iad1
x-vercel-id: arn1::iad1::s8zjv-1715069634943-2f72f54dfcd9
X-Firefox-Spdy: h2

www.google.com/recaptcha/api2/anchor?ar=1&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC&co=aHR0cHM6Ly93d3cuaHVudHJlc3MuY29tOjQ0Mw..&hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&size=normal&cb=3ed4ifqylzve

142.250.74.132

200 OK

45 kB

URL GET HTTP/3
www.google.com/recaptcha/api2/anchor?ar=1&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC&co=aHR0cHM6Ly93d3cuaHVudHJlc3MuY29tOjQ0Mw..&hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&size=normal&cb=3ed4ifqylzve
IP
142.250.74.132:443
ASN
#15169 GOOGLE

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGoogle Trust Services LLC
Subject*.google.com
Fingerprint7C:B7:E1:97:03:6E:82:B6:52:F8:EC:C6:C6:50:D9:DD:80:47:E6:A0
ValidityTue, 16 Apr 2024 03:18:53 GMT - Tue, 09 Jul 2024 03:18:52 GMT

File type
HTML document, ASCII text, with very long lines (36644)
Size
45 kB (45349 bytes)
Hash
9a9c9ef8f8b8c321760190955c64075d
24bc0e18ddc777001714686d5f7c467153554d7b
328a2113509e590510b73dd2f4c5395bd4d9eb7fbebe540b857a28fa8ea6ac6c

HTTP Headers

GET /recaptcha/api2/anchor?ar=1&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC&co=aHR0cHM6Ly93d3cuaHVudHJlc3MuY29tOjQ0Mw..&hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&size=normal&cb=3ed4ifqylzve HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/3 200 OK
content-type: text/html; charset=utf-8
cross-origin-resource-policy: cross-origin
cross-origin-embedder-policy: require-corp
report-to: {"group":"recaptcha","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/recaptcha"}]}
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: Mon, 01 Jan 1990 00:00:00 GMT
date: Tue, 07 May 2024 08:13:54 GMT
content-security-policy: script-src 'nonce-SoUiSceimqFLqmFdH9O2CQ' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/recaptcha/1
content-encoding: gzip
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
server: GSE
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware

143.204.55.14

200 OK

1.5 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
HTML document, ASCII text, with very long lines (1636), with no line terminators
Size
1.5 kB (1546 bytes)
Hash
7b235b5a3e624982a6048e922a32f706
39598a436aa9eec7600833e7de8622c3044ffe79
4f5950cbfc2168a841ac08a4d8d1d49dade51645b594ccc254c8b2029e9cf24a

HTTP Headers

GET /core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: text/html
server: istio-envoy
last-modified: Mon, 21 Aug 2023 14:57:03 GMT
x-amz-server-side-encryption: AES256
x-amz-version-id: hIxJdEPbt_45OV8bTT9Ad1M7VE.ABA8G
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
content-encoding: gzip
x-envoy-upstream-service-time: 22
date: Tue, 07 May 2024 08:13:52 GMT
cache-control: no-cache
etag: W/"6a5cea74d414ec151635bd2880abb1c3"
vary: Accept-Encoding
x-cache: RefreshHit from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: XVeyfe3L_cXBpzZly_kb0vmrjP2SDwT_0RWWHhN678DvfozuowppmQ==
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/25.915ff314.chunk.js

143.204.55.14

200 OK

48 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/25.915ff314.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (48053), with no line terminators
Size
48 kB (48053 bytes)
Hash
12bceaba2da6c30ab2a0aacbde681b0c
4460ae72fb30b1319ed6b37880b4a42ac80ce819
e5149bac0cdad7bbd9d1b7badb88909929d324ee90b6dd1628e0c59024d68e7c

HTTP Headers

GET /core/assets/js/25.915ff314.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:54 GMT
last-modified: Mon, 21 Aug 2023 14:57:25 GMT
etag: W/"12bceaba2da6c30ab2a0aacbde681b0c"
x-amz-server-side-encryption: AES256
x-amz-version-id: qod1m4nnLfUgaMaxljkZuFfY2SywXHfx
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 16
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: KJHVne08srUSt5i5XCvtIcBNriVqld3O98dbPLG1Z53UyupdATN-oQ==
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/16.890a0911.chunk.js

143.204.55.14

200 OK

94 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/16.890a0911.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (65536), with no line terminators
Size
94 kB (93589 bytes)
Hash
52b055a08e59141b8f7b7947c7d7ab69
d7b5044f24cb8297e8369206024f747484a6c2a2
860c659e8836feb6a6b4fc4c9b7195e4ab0a04e4642473c0780ae554fbf6ffb2

HTTP Headers

GET /core/assets/js/16.890a0911.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:53 GMT
last-modified: Mon, 21 Aug 2023 14:57:25 GMT
etag: W/"52b055a08e59141b8f7b7947c7d7ab69"
x-amz-server-side-encryption: AES256
x-amz-version-id: 2cJi_0AtsucvWstmkbj3mO1t8SiuDMru
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 19
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: siGLJ3yNRp_HsJiDuijIISqhgT6i6MdCJIvmrvw9a2y69cRAWF3g9A==
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/17.413337a8.chunk.js

143.204.55.14

200 OK

41 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/17.413337a8.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (41159), with no line terminators
Size
41 kB (41159 bytes)
Hash
4aea30e551ee7f04a564c0408c291306
8a11672b20991e181c119bcf712fd8337cb8358c
10b977a814bd9ca3e018a07b6e1197c9a9fa89a27a2419158d22f41ab8a29508

HTTP Headers

GET /core/assets/js/17.413337a8.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:53 GMT
last-modified: Mon, 21 Aug 2023 14:57:25 GMT
etag: W/"4aea30e551ee7f04a564c0408c291306"
x-amz-server-side-encryption: AES256
x-amz-version-id: Ud1ylpzTdwt3qfnkRXUYob2T_ovQMI1N
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 20
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: Q5kCXQ3IWLbqYWFmVYOFRVSpRJmhWN84ebWJXbJH2Rji6nd8OmcG0w==
X-Firefox-Spdy: h2

assets-global.website-files.com/655ddcc107aef728354e9c2a/655ddcc107aef728354e9cbf_Huntress-logo.svg

3.164.240.122

200 OK

17 kB

URL GET HTTP/2
assets-global.website-files.com/655ddcc107aef728354e9c2a/655ddcc107aef728354e9cbf_Huntress-logo.svg
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
SVG Scalable Vector Graphics image
Size
17 kB (16869 bytes)
Hash
1b58a7f9d25209475f7150623a7b9993
3ace170a8e9949577fe3f7c37f6b54b2c0038b7f
3e74699ee2810c89e5df5bd0d0506256c46f1e73108f40dc993b49cc210203db

HTTP Headers

GET /655ddcc107aef728354e9c2a/655ddcc107aef728354e9cbf_Huntress-logo.svg HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: image/svg+xml
date: Mon, 15 Jan 2024 08:44:23 GMT
last-modified: Wed, 22 Nov 2023 10:49:38 GMT
etag: W/"1b58a7f9d25209475f7150623a7b9993"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000, must-revalidate
x-amz-version-id: ll9DT5jxvCo6dqqJTOhzWIKk94gBwQHc
server: AmazonS3
content-encoding: br
vary: Accept-Encoding
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 9761370
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: Q9oRDCI4GxwUTHtNnT5tKBFBrG7CwksQMcssd0TNZKHLM2cGXrIwlg==
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/css/35.3cdf48ae.chunk.css

143.204.55.14

200 OK

16 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/css/35.3cdf48ae.chunk.css
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
ASCII text, with very long lines (16509), with no line terminators
Size
16 kB (16509 bytes)
Hash
ac16e52f547ce8f3de32d9d7d591c2c0
68cfe24a85b3c242e200879bc57b17ce972af3bd
1650436b42349eba90400162f9104f8abd0e8b846cf91d26c907c300dd8d7f85

HTTP Headers

GET /core/assets/css/35.3cdf48ae.chunk.css HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: text/css
server: istio-envoy
date: Tue, 07 May 2024 08:13:54 GMT
last-modified: Mon, 21 Aug 2023 14:57:23 GMT
etag: W/"ac16e52f547ce8f3de32d9d7d591c2c0"
x-amz-server-side-encryption: AES256
x-amz-version-id: V1yopT2bXZUj.CNczvGqS7_vfWAIiP2A
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
content-encoding: gzip
x-envoy-upstream-service-time: 19
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: 2DkjbQiDTlzrVIYTXVfsMPTggpHdRRfV4lchOfOZLXyvFWaSg9JpaA==
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/9.4a3e9801.chunk.js

143.204.55.14

200 OK

36 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/9.4a3e9801.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (35552), with no line terminators
Size
36 kB (35552 bytes)
Hash
c6f58dd3d60f07462254b842dd4f9ca1
62c507fc6cc05f9732bcd5c593f3d8d0e0a3d7e2
2a8a441d8086f20a64563edc759aba1de84d932e34ff77b8bb0279a730cdb428

HTTP Headers

GET /core/assets/js/9.4a3e9801.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:53 GMT
last-modified: Wed, 01 May 2024 17:00:05 GMT
etag: W/"c6f58dd3d60f07462254b842dd4f9ca1"
x-amz-server-side-encryption: AES256
x-amz-version-id: o_HxdNhY.AuRUWdVl_PNLVH4Bm_dc6QU
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 15
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: CXHca-NO_T6xmWFoNC8WnZlR3sY1QFQ_2yZKLsqR92ECTIUthymrDw==
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/20.8c21ea18.chunk.js

143.204.55.14

200 OK

76 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/20.8c21ea18.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (65536), with no line terminators
Size
76 kB (75961 bytes)
Hash
6d77a76055d81227033363af2f18caf8
b1b94517954f8f8889a0822886dea6f5ad7c931f
19473eebfb0672867a4438e2a015de79fded34b9f5ae5598bade57eb01cf0563

HTTP Headers

GET /core/assets/js/20.8c21ea18.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:53 GMT
last-modified: Wed, 01 May 2024 17:00:04 GMT
etag: W/"6d77a76055d81227033363af2f18caf8"
x-amz-server-side-encryption: AES256
x-amz-version-id: a1FK3UiYz4Hx_bwhsLGFppeiYk6BxYHJ
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 25
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: aAF92Af3TWpOztZm1tGVY8fiLGL3FrwCM-LgKQ8a2r19WQgrId9DIw==
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/18.9c1bd1fb.chunk.js

143.204.55.14

200 OK

64 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/18.9c1bd1fb.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (63529), with no line terminators
Size
64 kB (63529 bytes)
Hash
02f09379c544befa413d22eb57ed41de
156ff3fbf28d890eb0f79754e436ac3a66b3de24
e555f4b34b579e6528d6bbd4819620a634c0759b41dfa99520b7ca5aa5117b11

HTTP Headers

GET /core/assets/js/18.9c1bd1fb.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:53 GMT
last-modified: Wed, 01 May 2024 17:00:04 GMT
etag: W/"02f09379c544befa413d22eb57ed41de"
x-amz-server-side-encryption: AES256
x-amz-version-id: 7sz9cdggYq7jKF7xTKydG4KJquVrsP5m
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 18
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: 59M3JGe-8wv0uFeAxDtEaoeH6Ydg0cakhUlGeEUUaBuJaCzL51u9IA==
X-Firefox-Spdy: h2

assets.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296927_hknova-semibold-webfont.woff2

143.204.55.45

200 OK

18 kB

URL GET HTTP/2
assets.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296927_hknova-semibold-webfont.woff2
IP
143.204.55.45:443
ASN
#16509 AMAZON-02

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
Web Open Font Format (Version 2), TrueType, length 18124, version 1.0
Size
18 kB (18124 bytes)
Hash
b62b51b8a8a1c83c200a484a4149c151
a044fab160a6a50634bd7bcf12843eac7fcfb821
ace449f8c185f9f62716fd9998c8f4d09f6849ead77ec8c3849aa69f4c8c1d36

HTTP Headers

GET /6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296927_hknova-semibold-webfont.woff2 HTTP/1.1
Host: assets.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Referer: https://assets-global.website-files.com/
Sec-Fetch-Dest: font
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/octet-stream
content-length: 18124
date: Mon, 12 Feb 2024 22:57:28 GMT
access-control-allow-origin: *
access-control-allow-methods: GET, HEAD
access-control-max-age: 3000
last-modified: Wed, 13 Dec 2023 16:34:20 GMT
etag: "b62b51b8a8a1c83c200a484a4149c151"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000, must-revalidate
x-amz-version-id: SgNlIeK2CMt3IfgkJzcYPm6BQJFO8VdG
accept-ranges: bytes
server: AmazonS3
via: 1.1 80d21802b1b80c40e55ccf83433b8eac.cloudfront.net (CloudFront)
age: 7290984
x-cache: Hit from cloudfront
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: i8Fb2tIWS4lKG8yuCE7P4AamfSJ60_RmerC-_UhJml2HsNOIBDdhiQ==
X-Firefox-Spdy: h2

assets.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a6e_DMSans_24pt-Bold.ttf

143.204.55.45

200 OK

56 kB

URL GET HTTP/2
assets.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a6e_DMSans_24pt-Bold.ttf
IP
143.204.55.45:443
ASN
#16509 AMAZON-02

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
TrueType Font data, 16 tables, 1st "GDEF", 44 names, Microsoft, language 0x409
Size
56 kB (56344 bytes)
Hash
541d84af93ed55a92a75644198c26ca5
882e215b190437942dfeb921d8e693c0715bb255
0020be3f1555293342637940e02d32e0f0c3b1951f6a274c00a6e3afe91610d1

HTTP Headers

GET /6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a6e_DMSans_24pt-Bold.ttf HTTP/1.1
Host: assets.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Referer: https://assets-global.website-files.com/
Sec-Fetch-Dest: font
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/x-font-ttf
date: Thu, 28 Dec 2023 15:55:33 GMT
access-control-allow-origin: *
access-control-allow-methods: GET, HEAD
access-control-max-age: 3000
last-modified: Wed, 13 Dec 2023 16:34:21 GMT
etag: W/"541d84af93ed55a92a75644198c26ca5"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000, must-revalidate
x-amz-version-id: quM.7z1k_e9xiPUszqLumStS9j4JLmMp
server: AmazonS3
content-encoding: br
vary: Accept-Encoding
via: 1.1 80d21802b1b80c40e55ccf83433b8eac.cloudfront.net (CloudFront)
age: 11290699
x-cache: Hit from cloudfront
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: ExIJe-A3p3xv9CmTDWUNvCYlhH0aCyzjgVusSsskNi10f0GbNPoElQ==
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/8.5fdda827.chunk.js

143.204.55.14

200 OK

83 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/8.5fdda827.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (65536), with no line terminators
Size
83 kB (82845 bytes)
Hash
f78079aaffe016efb8ec35b9fbb9f42f
4317f808cbf21ce975a0006c6590f5df07ea4d97
e523f47c65c171a685ca8f1bb0c0c432f4d71104fa56e8f6163126ec908cc430

HTTP Headers

GET /core/assets/js/8.5fdda827.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:53 GMT
last-modified: Mon, 21 Aug 2023 14:57:26 GMT
etag: W/"f78079aaffe016efb8ec35b9fbb9f42f"
x-amz-server-side-encryption: AES256
x-amz-version-id: s5Gs7OuwDj2F26kpSyydH_032jxZE3YX
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 22
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: r0-TqQxBp4YDlQL82ySCHCz-bzqO5ljLUL9hDU4u5Zs5l3W16u9QQA==
X-Firefox-Spdy: h2

tracking.g2crowd.com/attribution_tracking/conversions/1006267.js?p=https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware&e=

104.18.43.31

200 OK

958 B

URL GET HTTP/2
tracking.g2crowd.com/attribution_tracking/conversions/1006267.js?p=https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware&e=
IP
104.18.43.31:443
ASN
#13335 CLOUDFLARENET

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerCloudflare, Inc.
Subjectsni.cloudflaressl.com
Fingerprint58:6C:CC:72:DD:68:AC:24:54:39:71:63:4C:44:B9:50:83:2C:0E:9B
ValidityMon, 24 Jul 2023 00:00:00 GMT - Tue, 23 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (990), with no line terminators
Size
958 B (958 bytes)
Hash
2c6668ad3525679b40234eba8fab38e7
f85edd65af630995a4c56ab0c5df3aca5bd3e4a9
94893152c509bc4224e3c7940fa4ac3da8b0251d3c320a1f5e7867399bb9897c

HTTP Headers

GET /attribution_tracking/conversions/1006267.js?p=https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware&e= HTTP/1.1
Host: tracking.g2crowd.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:52 GMT
content-type: text/javascript; charset=utf-8
cache-control: max-age=600, public
etag: W/"14c59924cdca7796d9578872e6933998"
x-request-id: 71e63c34-0123-4377-b2dc-30be12a3d67d
x-runtime: 0.007090
strict-transport-security: max-age=604800
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-download-options: noopen
x-permitted-cross-domain-policies: none
referrer-policy: strict-origin-when-cross-origin
content-security-policy: default-src 'self' *.g2crowd.com *.g2.com; connect-src 'self' *.g2crowd.com *.g2.com; font-src 'self' *.g2crowd.com *.g2.com; form-action 'self' *.g2crowd.com *.g2.com; frame-src 'self' *.g2crowd.com *.g2.com; img-src 'self' *.g2crowd.com *.g2.com; manifest-src 'self' *.g2crowd.com *.g2.com; media-src 'self' *.g2crowd.com *.g2.com; object-src 'self' *.g2crowd.com *.g2.com; script-src 'self' *.g2crowd.com *.g2.com; style-src 'self' *.g2crowd.com *.g2.com; worker-src 'self' *.g2crowd.com *.g2.com
vary: Origin
cf-cache-status: DYNAMIC
set-cookie: _session_id=2e340e290a6a0f042ebc8b91412de44d; path=/; expires=Tue, 21 May 2024 08:13:52 GMT; HttpOnly; secure; SameSite=None
__cf_bm=86mLMFaguq6H9BH1QDH1pkDLfbNaHhD6fGM3SW7c9zU-1715069632-1.0.1.1-rpOe_Ozh_on3sd2iyCpb_1FEfMEVv1GFFvFAFO411tvLiLWXCwz_LrB9vJdU11kPjJJlzNAl4dYAXtu50usMoA; path=/; expires=Tue, 07-May-24 08:43:52 GMT; domain=.g2crowd.com; HttpOnly; Secure; SameSite=None
server: cloudflare
cf-ray: 87ffc0d39b63b4fd-OSL
content-encoding: br
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/27.3951aad8.chunk.js

143.204.55.14

200 OK

68 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/27.3951aad8.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (65536), with no line terminators
Size
68 kB (68076 bytes)
Hash
5b2b6d0508fe18c3efb6bcd6249fd4e1
90c9faf7b629842a0f3a7633bc5713d741c46578
e8e658c81a7ff92a6e0f9049ee3a8fc42082e8303abb6ed44c73361259cbdbae

HTTP Headers

GET /core/assets/js/27.3951aad8.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:53 GMT
last-modified: Sat, 02 Sep 2023 21:37:07 GMT
etag: W/"5b2b6d0508fe18c3efb6bcd6249fd4e1"
x-amz-server-side-encryption: AES256
x-amz-version-id: PLRwkxTy0W_1o8rwzVQG6XR9UyxAvjNh
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 18
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: Hzqq8ybT0nXeG1asPs1xGOxJ_8zs0ZduJFAayZile4d-WiXzYd2MSA==
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/21.b8c41db9.chunk.js

143.204.55.14

200 OK

17 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/21.b8c41db9.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (17003), with no line terminators
Size
17 kB (17003 bytes)
Hash
65e5c965272e021ae33ff8bc39565ef5
c5a2c0cdf9c821b6ee43a1eeb52680ffeea15557
b84595cc8461bb6e8376fe94f0dd23d6657172103b03653534089c5992b058a1

HTTP Headers

GET /core/assets/js/21.b8c41db9.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:53 GMT
last-modified: Wed, 01 May 2024 17:00:04 GMT
etag: W/"65e5c965272e021ae33ff8bc39565ef5"
x-amz-server-side-encryption: AES256
x-amz-version-id: ji17FJEqDE74ztAsEDdWlZiRc9r_AyZJ
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 22
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: rbF17DpiBlHy74TixDTb9vCnp1HQ4S0ns45U0pXN5V5EcJtjvY4oWw==
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/40.31ef8dbf.chunk.js

143.204.55.14

200 OK

12 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/40.31ef8dbf.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (11808), with no line terminators
Size
12 kB (11808 bytes)
Hash
b0793fa46e8c0ae1846b7be8a833da35
5c97555ff1e0b97829e7f1d054b44f6c55b5ae97
bba54915db71fc417be4d5852ec7d138d7c3fa90356ddee98b5267a7db7e6b5b

HTTP Headers

GET /core/assets/js/40.31ef8dbf.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:53 GMT
last-modified: Tue, 19 Mar 2024 17:28:54 GMT
etag: W/"b0793fa46e8c0ae1846b7be8a833da35"
x-amz-server-side-encryption: AES256
x-amz-version-id: 2x2HYHfsdFgLd3j1V3M6isFgLxEJGAUP
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 20
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: sUXuL-omfAaQrtHNYp481o4XIEr7k24mTG4lrq1nitVZTiW5yWJvZQ==
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/css/26.5208cc6b.chunk.css

143.204.55.14

200 OK

11 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/css/26.5208cc6b.chunk.css
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
ASCII text, with very long lines (11317), with no line terminators
Size
11 kB (11317 bytes)
Hash
0842e637a23acc114afbb6195c984564
8a773893138ff633092829a20a0b03806370f482
0591af742c10a8ad2020502cccbf97cb4fc1cfc48acaf588043d70e77b2c3aaf

HTTP Headers

GET /core/assets/css/26.5208cc6b.chunk.css HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: text/css
server: istio-envoy
date: Tue, 07 May 2024 08:13:54 GMT
last-modified: Mon, 21 Aug 2023 14:57:23 GMT
etag: W/"0842e637a23acc114afbb6195c984564"
x-amz-server-side-encryption: AES256
x-amz-version-id: SrCjVsE3413g5wEL9F8CX8IFIQaqzFVz
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
content-encoding: gzip
x-envoy-upstream-service-time: 22
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: 9SICClNcUklt2oInpiBbia4kfUgiLSFj3I0kNnSeab6X9wuuqwgDAQ==
X-Firefox-Spdy: h2

api.neverbounce.com/v4/poe/notify?key=public_0e95e4405380cdd75d8aa57fca3692dc&event=form.load&callback=__neverbounce_133060

44.218.103.148

200 OK

62 B

URL GET HTTP/2
api.neverbounce.com/v4/poe/notify?key=public_0e95e4405380cdd75d8aa57fca3692dc&event=form.load&callback=__neverbounce_133060
IP
44.218.103.148:443
ASN
#14618 AMAZON-AES

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subjectneverbounce.com
FingerprintAA:14:38:26:16:0D:C2:06:23:FA:67:31:6D:06:B4:73:35:3A:18:67
ValidityMon, 29 Jan 2024 00:00:00 GMT - Tue, 25 Feb 2025 23:59:59 GMT

File type
ASCII text, with no line terminators
Size
62 B (62 bytes)
Hash
b22d8bc630e282b3cb3dee9627f5d617
5b300b824a1f934316812e49dcd0f176b17072e1
a378be8236c99567bae4454df49d328bb2a3c2b2e1b0d3c1663f9aacb8ed9212

HTTP Headers

GET /v4/poe/notify?key=public_0e95e4405380cdd75d8aa57fca3692dc&event=form.load&callback=__neverbounce_133060 HTTP/1.1
Host: api.neverbounce.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:53 GMT
content-type: application/javascript
server: nginx
vary: Accept-Encoding
cache-control: no-cache, private
x-ua-compatible: IE=Edge
strict-transport-security: max-age=31536000; includeSubDomains
content-encoding: gzip
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/26.69219246.chunk.js

143.204.55.14

200 OK

16 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/26.69219246.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (16190), with no line terminators
Size
16 kB (16190 bytes)
Hash
c41c7243f45ea540e99a3256f4942432
4a6ca42e84579ccf2be93cdf1f695cab9e845789
d674a115404e8d29a650437584421bd9d7ec57c4d43fe3e0a09adc080d521c44

HTTP Headers

GET /core/assets/js/26.69219246.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:54 GMT
last-modified: Mon, 21 Aug 2023 14:57:25 GMT
etag: W/"c41c7243f45ea540e99a3256f4942432"
x-amz-server-side-encryption: AES256
x-amz-version-id: xHgUeRJlJNXFuOCOFJ6VHVB_xDcgAWBV
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 17
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: g9Wb0dKWf_mErYVokZii2LUeYPGj3vR4zlYMfKfuqt43ozywOtLR3Q==
X-Firefox-Spdy: h2

107.22.248.170

101 Switching Protocols

0 B

URL GET HTTP/1.1
5092804-4.chat.api.drift.com/ws/websocket?session_token=SFMyNTY.g2gDdAAAAAVkAAJpZG0AAAAVNTA5MjgwNC0yMTgzNDYxNzk3OC00ZAAGb3JnX2lkbQAAAAc1MDkyODA0ZAAJc2NvcGVfc2V0bQAAAARsZWFkZAAHdXNlcl9pZG0AAAALMjE4MzQ2MTc5NzhkAAl1c2VyX3R5cGVkAARsZWFkbgYAAM0dUo8BYgABUYA.c8cmKfodbMUqdtAt1XfF7detoHisMe6lvLtqkEMt_oA&remote_ip=18.232.245.220&vsn=2.0.0
IP
107.22.248.170:443
ASN
#14618 AMAZON-AES

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subjectwschat.api.drift.com
Fingerprint92:80:84:E9:D1:51:EC:08:3C:05:7D:7B:E6:2A:F5:75:C2:A9:0C:A8
ValidityFri, 15 Dec 2023 00:00:00 GMT - Sun, 12 Jan 2025 23:59:59 GMT

File type

Size
0 B (0 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

HTTP Headers

GET /ws/websocket?session_token=SFMyNTY.g2gDdAAAAAVkAAJpZG0AAAAVNTA5MjgwNC0yMTgzNDYxNzk3OC00ZAAGb3JnX2lkbQAAAAc1MDkyODA0ZAAJc2NvcGVfc2V0bQAAAARsZWFkZAAHdXNlcl9pZG0AAAALMjE4MzQ2MTc5NzhkAAl1c2VyX3R5cGVkAARsZWFkbgYAAM0dUo8BYgABUYA.c8cmKfodbMUqdtAt1XfF7detoHisMe6lvLtqkEMt_oA&remote_ip=18.232.245.220&vsn=2.0.0 HTTP/1.1
Host: 5092804-4.chat.api.drift.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Sec-WebSocket-Version: 13
Origin: https://rc-widget-frame.js.driftt.com
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: nGTVdGVcyhIg6zAazQTp4A==
DNT: 1
Connection: keep-alive, Upgrade
Sec-Fetch-Dest: websocket
Sec-Fetch-Mode: websocket
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

HTTP/1.1 101 Switching Protocols
Date: Tue, 07 May 2024 08:13:56 GMT
Connection: upgrade
cache-control: max-age=0, private, must-revalidate
sec-websocket-accept: 05UdUFI1Sva34QPfGDt9T5ltiNA=
server: Cowboy
upgrade: websocket

trk.techtarget.com/tracking.js

104.18.36.196

200 OK

2.9 kB

URL GET HTTP/2
trk.techtarget.com/tracking.js
IP
104.18.36.196:443
ASN
#13335 CLOUDFLARENET

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerCloudflare, Inc.
Subjectsni.cloudflaressl.com
FingerprintA5:AE:9E:D5:DF:67:36:BA:09:0D:7C:69:24:DB:25:06:70:06:84:D7
ValiditySun, 25 Jun 2023 00:00:00 GMT - Mon, 24 Jun 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (3040), with no line terminators
Size
2.9 kB (2932 bytes)
Hash
141a883094e82499dba46240f81dbff9
9110c7f228e3e6570c7f3d8af15709f8a12e040c
54e6e06df886143006a0fcf227a96e59c5f4b397d12454fcd405066b17584886

HTTP Headers

GET /tracking.js HTTP/1.1
Host: trk.techtarget.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:52 GMT
content-type: text/javascript
cf-bgj: minify
cache-control: public, max-age=1200
expires: Tue, 07 May 2024 08:33:52 GMT
last-modified: Tue, 13 Dec 2022 15:01:39 GMT
via: 1.1 google
cf-cache-status: HIT
age: 57247
set-cookie: __cf_bm=vRMMpCpglV1vOUiQgfY3lYJHjVO3uC4eBYcIlm9sL8k-1715069632-1.0.1.1-uCUREnv6R0SWO2p.GW1Sg5mnHTPwMAE8B6NNgM2g9L.FLoREeskw0BDUOzaBUJejOSuVlUVWwZKrkFVV0sC6iw; path=/; expires=Tue, 07-May-24 08:43:52 GMT; domain=.techtarget.com; HttpOnly; Secure; SameSite=None
vary: Accept-Encoding
strict-transport-security: max-age=0; includeSubDomains; preload
server: cloudflare
cf-ray: 87ffc0d3ddf40b55-OSL
content-encoding: br
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/57.28dde8ce.chunk.js

143.204.55.14

200 OK

19 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/57.28dde8ce.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
ASCII text, with very long lines (18944), with no line terminators
Size
19 kB (18944 bytes)
Hash
3c4cd13822c0069a68e9f9c8240f5ba9
7028af5e8a39579afd06e0b945389608e5adc042
594d3ade307f6f48a5ef5143228b9da7c4e78589177ac70e91d31fe75ea83d60

HTTP Headers

GET /core/assets/js/57.28dde8ce.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:56 GMT
last-modified: Tue, 19 Mar 2024 17:28:54 GMT
etag: W/"3c4cd13822c0069a68e9f9c8240f5ba9"
x-amz-server-side-encryption: AES256
x-amz-version-id: 4nZRLAAKNY.hdxpRwDtafk_xxCFkq8l7
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 20
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: NNn48Xr81kBO6qhFRjhtunFwrArx1ZsG5Fnlr7aNtpxcm6mD48aNOg==
X-Firefox-Spdy: h2

assets-global.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a7c_search.svg

3.164.240.122

200 OK

654 B

URL GET HTTP/2
assets-global.website-files.com/6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a7c_search.svg
IP
3.164.240.122:443
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.website-files.com
Fingerprint67:3F:4A:7A:30:BF:BC:29:1A:5A:41:A8:54:BB:F4:4A:E7:ED:D9:CF
ValidityMon, 11 Sep 2023 00:00:00 GMT - Tue, 08 Oct 2024 23:59:59 GMT

File type
SVG Scalable Vector Graphics image
Size
654 B (654 bytes)
Hash
736a116c2af40eda2a423f77091eeac2
5ec0b3616704bd73c9c1e860d93928e05400f502
2d6b1e95636e99da230c823db6a101eafce149b388d9ecdbf7960bb941bf7aca

HTTP Headers

GET /6579dd0b5f9a54376d296915/6579dd0b5f9a54376d296a7c_search.svg HTTP/1.1
Host: assets-global.website-files.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://assets-global.website-files.com/6579dd0b5f9a54376d296915/css/huntress-new.c85951d37.min.css
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: image/svg+xml
content-length: 654
date: Sun, 31 Dec 2023 23:47:15 GMT
last-modified: Wed, 13 Dec 2023 16:34:21 GMT
etag: "166c01555262c9617db663ec8a38364b"
x-amz-server-side-encryption: AES256
cache-control: max-age=31536000, must-revalidate
x-amz-version-id: ZAs7majvHYt8oLX63btjRfdozrskAdOe
accept-ranges: bytes
server: AmazonS3
via: 1.1 784f462b4ee4e847ccfe44db65f51a9c.cloudfront.net (CloudFront)
age: 11003196
access-control-allow-origin: *
x-cache: Hit from cloudfront
x-amz-cf-pop: ARN53-P2
x-amz-cf-id: DBUoANBv3p0slN-YHbnbMIRlX2WlqP9fvQNnsggl43WLPKWSkd-aiw==
X-Firefox-Spdy: h2

b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=a_pageload&q=%7B%22pageLoadTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=8769192b-20ba-4df2-8d62-2740a805c3e8&v=1.1.18

95.101.10.131

200 OK

43 B

URL GET HTTP/2
b.6sc.co/v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=a_pageload&q=%7B%22pageLoadTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=8769192b-20ba-4df2-8d62-2740a805c3e8&v=1.1.18
IP
95.101.10.131:443
ASN
#20940 Akamai International B.V.

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subject6sc.co
Fingerprint3D:B1:54:9A:0B:3C:D9:6B:22:33:1C:58:78:E6:C1:AF:51:63:FF:E5
ValidityTue, 09 Apr 2024 11:47:27 GMT - Mon, 08 Jul 2024 11:47:26 GMT

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
f837aa60b6fe83458f790db60d529fc9
14af87ccec7f81bb28d53c84da2fd5a9d5925cda
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b

HTTP Headers

GET /v1/beacon/img.gif?token=a87a3edc53b5a86d1795d11887b5aa39&svisitor=null&visitor=067a8780-2e3e-47dd-8522-dbe728ebd677&session=ca548964-1314-40bb-8035-d14c2c63a59d&event=a_pageload&q=%7B%22pageLoadTime%22%3A%22Tue%2C%2007%20May%202024%2008%3A13%3A52%20GMT%22%7D&isIframe=false&m=%7B%22description%22%3A%22Join%20us%20for%20a%20threat%20hunting%20adventure%20as%20we%20analyze%20a%20suspicious%20run%20key%20that%20leads%20us%20to%20Cobalt%20Strike%20malware%20hidden%20across%20nearly%20700%20registry%20values.%22%2C%22keywords%22%3A%22%22%2C%22title%22%3A%22Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware%22%7D&cb=&r=&thirdParty=%7B%7D&v2=1&pageURL=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&pageViewId=ab2d0d03-41f0-444f-8776-33d4640d035a&webTagId=8769192b-20ba-4df2-8d62-2740a805c3e8&v=1.1.18 HTTP/1.1
Host: b.6sc.co
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
accept-ranges: bytes
content-type: image/gif
etag: "63f03226-2b"
last-modified: Sat, 18 Feb 2023 02:04:22 GMT
server: nginx/1.14.0 (Ubuntu)
x-content-type-options: nosniff
content-length: 43
expires: Tue, 07 May 2024 08:13:52 GMT
cache-control: max-age=0, no-cache, no-store
pragma: no-cache
date: Tue, 07 May 2024 08:13:52 GMT
X-Firefox-Spdy: h2

js.zi-scripts.com/unified/v1/master/getSubscriptions

172.64.150.44

204 No Content

0 B

URL OPTIONS HTTP/3
js.zi-scripts.com/unified/v1/master/getSubscriptions
IP
172.64.150.44:443
ASN
#13335 CLOUDFLARENET

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGoogle Trust Services LLC
Subjectzi-scripts.com
FingerprintC0:86:5D:FE:C8:AD:96:F5:D9:46:55:72:6E:0F:17:8B:4A:AE:01:1D
ValidityFri, 29 Mar 2024 13:10:20 GMT - Thu, 27 Jun 2024 13:10:19 GMT

File type

Size
0 B (0 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

HTTP Headers

OPTIONS /unified/v1/master/getSubscriptions HTTP/1.1
Host: js.zi-scripts.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization,content-type,visited_url
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/3 204 No Content
date: Tue, 07 May 2024 08:13:55 GMT
apigw-requestid: XZBeliLzPHcESbA=
x-powered-by: Express
vary: Access-Control-Request-Headers
access-control-allow-origin: *
access-control-allow-methods: *
access-control-allow-headers: *
access-control-max-age: 0
x-cache: Miss from cloudfront
via: 1.1 3bff78035f818b6a3185b0f5f4586410.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-P1
x-amz-cf-id: 6mynIBvmxD7xl2tDk444u_SnOeLOsnfVypGt_47udEasaESfvbXt4w==
cf-cache-status: DYNAMIC
server: cloudflare
cf-ray: 87ffc0e31c12b4f7-OSL
alt-svc: h3=":443"; ma=86400

forms.hscollectedforms.net/collected-forms/v1/config/json?portalId=3911692&utk=

104.16.109.254

200 OK

115 B

URL GET HTTP/2
forms.hscollectedforms.net/collected-forms/v1/config/json?portalId=3911692&utk=
IP
104.16.109.254:443
ASN
#13335 CLOUDFLARENET

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subjecthscollectedforms.net
FingerprintEF:89:C2:30:37:FD:9F:8F:60:29:26:CC:C6:88:74:92:2B:ED:68:5C
ValidityFri, 29 Mar 2024 03:19:03 GMT - Thu, 27 Jun 2024 03:19:02 GMT

File type
troff or preprocessor input, ASCII text, with no line terminators
Size
115 B (115 bytes)
Hash
a3c3c225217d7fbacd060d70c261afa7
a6506d6cefac06e578ba270ecd338a578995bdc6
1801909cf22aa06082214caf2e7fa679a22c6cd4bdb54b7d43d0d286e9421884

HTTP Headers

GET /collected-forms/v1/config/json?portalId=3911692&utk= HTTP/1.1
Host: forms.hscollectedforms.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:52 GMT
content-type: application/json;charset=utf-8
vary: Accept-Encoding
cache-control: max-age=0
x-content-type-options: nosniff
x-robots-tag: none
access-control-allow-origin: https://www.huntress.com
access-control-allow-methods: GET, OPTIONS, PUT, POST, DELETE, PATCH, HEAD
access-control-allow-headers: *
access-control-max-age: 180
x-envoy-upstream-service-time: 3
x-evy-trace-route-service-name: envoyset-translator
x-evy-trace-virtual-host: all
x-hubspot-correlation-id: 85f7b3df-5e37-4bd3-9f3f-d985cbbef5be
x-evy-trace-served-by-pod: iad02/app-td/envoy-proxy-68b7f7fbff-rl62l
x-evy-trace-listener: listener_https
x-evy-trace-route-configuration: listener_https/all
x-request-id: 85f7b3df-5e37-4bd3-9f3f-d985cbbef5be
cf-cache-status: DYNAMIC
server: cloudflare
cf-ray: 87ffc0d3befb56a4-OSL
content-encoding: br
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/28.7257241a.chunk.js

143.204.55.14

200 OK

50 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/28.7257241a.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (50262), with no line terminators
Size
50 kB (50262 bytes)
Hash
e737f53b0791dac4c523770b4992131c
b5481823dc0043f54142a2b68fadee0c4c6075e6
f4d1dc5e2bebcc6c035e733b5586f308c032e377d490d733835fbc1fb0e5d979

HTTP Headers

GET /core/assets/js/28.7257241a.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:54 GMT
last-modified: Mon, 21 Aug 2023 14:57:25 GMT
etag: W/"e737f53b0791dac4c523770b4992131c"
x-amz-server-side-encryption: AES256
x-amz-version-id: Aw7E9DaiC.0zygWe8D.HQj28dALSaXA6
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 17
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: hzixZ8ZUWlVJZqXS6bgNuEfqtNvjkKZ_dP8xf-wr7Gv6eFxUh2eBZQ==
X-Firefox-Spdy: h2

www.google.com/js/bg/tKcPQSh2okjZHiZ2jIssRExVWo45mlVHOakavsOpwK4.js

142.250.74.132

200 OK

18 kB

URL GET HTTP/3
www.google.com/js/bg/tKcPQSh2okjZHiZ2jIssRExVWo45mlVHOakavsOpwK4.js
IP
142.250.74.132:443
ASN
#15169 GOOGLE

Requested by
https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC&co=aHR0cHM6Ly93d3cuaHVudHJlc3MuY29tOjQ0Mw..&hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&size=normal&cb=3ed4ifqylzve
Certificate
IssuerGoogle Trust Services LLC
Subject*.google.com
Fingerprint7C:B7:E1:97:03:6E:82:B6:52:F8:EC:C6:C6:50:D9:DD:80:47:E6:A0
ValidityTue, 16 Apr 2024 03:18:53 GMT - Tue, 09 Jul 2024 03:18:52 GMT

File type
JavaScript source, ASCII text, with very long lines (17650)
Size
18 kB (18243 bytes)
Hash
042afc8f6dd96d8a86aca2f6239682fa
c2321f6ccc366638b53be030076f7ae3807f9d53
b4a70f412876a248d91e26768c8b2c444c555a8e399a554739a91abec3a9c0ae

HTTP Headers

GET /js/bg/tKcPQSh2okjZHiZ2jIssRExVWo45mlVHOakavsOpwK4.js HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC&co=aHR0cHM6Ly93d3cuaHVudHJlc3MuY29tOjQ0Mw..&hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&size=normal&cb=3ed4ifqylzve
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/3 200 OK
accept-ranges: bytes
content-encoding: br
content-security-policy-report-only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/botguard-scs
cross-origin-resource-policy: cross-origin
cross-origin-opener-policy: same-origin; report-to="botguard-scs"
report-to: {"group":"botguard-scs","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/botguard-scs"}]}
content-length: 7420
x-content-type-options: nosniff
server: sffe
x-xss-protection: 0
date: Thu, 02 May 2024 21:15:36 GMT
expires: Fri, 02 May 2025 21:15:36 GMT
cache-control: public, max-age=31536000
last-modified: Tue, 23 Apr 2024 17:30:00 GMT
content-type: text/javascript
vary: Accept-Encoding
age: 385098
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

a.quora.com/qevents.js

0.0.0.0

0 B

URL GET
a.quora.com/qevents.js
IP
0.0.0.0:0
ASN
#0

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subjectquora.com
FingerprintB0:EF:CB:8C:1F:11:42:62:F1:35:F2:63:13:E9:7A:70:16:ED:B0:1B
ValiditySun, 31 Mar 2024 16:22:00 GMT - Sat, 29 Jun 2024 16:21:59 GMT

File type

Size
0 B (0 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

HTTP Headers

GET /qevents.js HTTP/1.1
Host: a.quora.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:52 GMT
content-type: text/plain
x-amz-id-2: Tl+NCrT4/ROq8BOB/jXEFbjekr+B/799PB4hsh4cPaz8GcT19YQzaMe+k+f+IJxKpv7tKCeNqoQ=
x-amz-request-id: M04HPBTPY5GDBBF5
last-modified: Thu, 28 Mar 2024 17:33:19 GMT
etag: W/"87b5ecaafd0e88097cbbb1bbb7695fe9"
x-amz-server-side-encryption: AES256
x-amz-meta-s3cmd-attrs: md5:87b5ecaafd0e88097cbbb1bbb7695fe9
cache-control: public, max-age=14400
x-amz-version-id: jrgqQn59BHyNBJEhUqaibHl1Lk06.AzO
cf-cache-status: HIT
age: 561721
expires: Tue, 07 May 2024 12:13:52 GMT
vary: Accept-Encoding
server: cloudflare
cf-ray: 87ffc0d3b938568b-OSL
content-encoding: gzip
alt-svc: h3=":443"; ma=86400
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/1.9d9c8c3b.chunk.js

143.204.55.14

200 OK

55 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/1.9d9c8c3b.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (54843), with no line terminators
Size
55 kB (54843 bytes)
Hash
bc8dde7d353b792cb424661adcff29fb
392a67d13de4ec9028585fff40412ebaa1757e6c
5e4e01da0230734413d39e4657ac95b4ccf45092ff61a162aa1f4d111a166735

HTTP Headers

GET /core/assets/js/1.9d9c8c3b.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:54 GMT
last-modified: Mon, 21 Aug 2023 14:57:24 GMT
etag: W/"bc8dde7d353b792cb424661adcff29fb"
x-amz-server-side-encryption: AES256
x-amz-version-id: TN5uaySIype7BWdOQeU5pFJLqRV.3qiK
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 16
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: BEB6M1NXsSn9V4MmNMtvO1q6JHxnpiaGl-66LwHR8GXYog22ksvWAA==
X-Firefox-Spdy: h2

js.hsadspixel.net/fb.js

104.17.223.152

200 OK

6.3 kB

URL GET HTTP/2
js.hsadspixel.net/fb.js
IP
104.17.223.152:443
ASN
#13335 CLOUDFLARENET

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subjecthsadspixel.net
Fingerprint89:04:B6:FD:E6:3E:5E:C8:E4:39:2D:83:6E:38:CC:9C:BE:A2:08:4D
ValidityTue, 16 Apr 2024 02:15:45 GMT - Mon, 15 Jul 2024 02:15:44 GMT

File type
JavaScript source, ASCII text, with very long lines (6486), with no line terminators
Size
6.3 kB (6291 bytes)
Hash
2fd5c110e164f9577dcfdca755747394
41898cc37b5a4e5360e1bdcd96f8b60f5a027fb6
6e02ea2b70a3a7f6c680fd5b3d5d59d76e772feae57b8671d16fc5c055bb1303

HTTP Headers

GET /fb.js HTTP/1.1
Host: js.hsadspixel.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:52 GMT
content-type: application/javascript; charset=utf-8
x-amz-replication-status: COMPLETED
last-modified: Mon, 06 May 2024 13:51:07 UTC
x-amz-server-side-encryption: AES256
x-amz-version-id: .jnzEtgOd9S.y9u.IH0.Nidq3hy2M7RK
etag: W/"eeced445dd619f5fac08890cddee2915"
vary: Accept-Encoding
x-cache: Hit from cloudfront
via: 1.1 73c5607bdb5db0d651e25c848846d554.cloudfront.net (CloudFront)
x-amz-cf-pop: IAD12-P3
x-amz-cf-id: OADnt8M0qh-SU1_QfD4N09M3Msan5WwW0tj0RHmqpTrMWfDDHoQT-A==
content-security-policy-report-only: frame-ancestors 'self'; report-uri https://send.hsbrowserreports.com/csp/report?resource=adsscriptloaderstatic/static-1.552/bundles/pixels-release.js&cfRay=87f980408ad1b4eb-ARN
cache-control: max-age=600
x-hs-target-asset: adsscriptloaderstatic/static-1.552/bundles/pixels-release.js
x-content-type-options: nosniff
x-hs-cache-status: HIT
x-envoy-upstream-service-time: 1
x-evy-trace-route-service-name: envoyset-translator
x-evy-trace-virtual-host: all
x-hubspot-correlation-id: 07ceeb45-1d25-4b3e-be43-cc2e437a6f0d
x-evy-trace-served-by-pod: iad02/app-td/envoy-proxy-68b7f7fbff-rcvgx
x-evy-trace-listener: listener_https
x-evy-trace-route-configuration: listener_https/all
x-request-id: 07ceeb45-1d25-4b3e-be43-cc2e437a6f0d
cache-tag: staticjsapp-AdsScriptLoaderCloudflare-web-prod,staticjsapp-prod
cf-cache-status: HIT
age: 32
server: cloudflare
cf-ray: 87ffc0d018f85689-OSL
content-encoding: br
X-Firefox-Spdy: h2

www.google.com/recaptcha/api.js

142.250.74.132

200 OK

850 B

URL GET HTTP/2
www.google.com/recaptcha/api.js
IP
142.250.74.132:443
ASN
#15169 GOOGLE

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGoogle Trust Services LLC
Subjectwww.google.com
FingerprintC6:A2:DC:31:5A:53:FA:DD:55:71:A3:F4:DD:43:3D:16:71:B8:B3:99
ValidityTue, 16 Apr 2024 04:20:32 GMT - Tue, 09 Jul 2024 04:20:31 GMT

File type
JavaScript source, ASCII text, with very long lines (850), with no line terminators
Size
850 B (850 bytes)
Hash
ee87fd4035a91d937ff13613982b4170
e897502e3a58c6be2b64da98474f0d405787f5f7
7649b605b4f35666df5cbcbb03597306d9215f53f61c2a097f085fa39af9859f

HTTP Headers

GET /recaptcha/api.js HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: text/javascript; charset=utf-8
expires: Tue, 07 May 2024 08:13:51 GMT
date: Tue, 07 May 2024 08:13:51 GMT
cache-control: private, max-age=300
cross-origin-resource-policy: cross-origin
content-encoding: gzip
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-security-policy: frame-ancestors 'self'
x-xss-protection: 1; mode=block
server: GSE
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
X-Firefox-Spdy: h2

hubspotonwebflow.com/assets/js/blockedDomains.json

76.76.21.61

200 OK

100 kB

URL GET HTTP/2
hubspotonwebflow.com/assets/js/blockedDomains.json
IP
76.76.21.61:443
ASN
#16509 AMAZON-02

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subjecthubspotonwebflow.com
Fingerprint38:B7:60:3C:B5:3B:2D:6B:25:E2:90:D9:F1:41:B8:F8:2F:AF:6A:BE
ValidityMon, 06 May 2024 22:48:06 GMT - Sun, 04 Aug 2024 22:48:05 GMT

File type
JSON text data
Size
100 kB (100261 bytes)
Hash
04708d47dd194d37b8231a65de7a66f1
dc9b4c5943db30130311340def56dc37e7da8c3f
944352d0198c673b45a699471c970aef85458ea3c58a3ed825b0f0e4f33f999c

HTTP Headers

GET /assets/js/blockedDomains.json HTTP/1.1
Host: hubspotonwebflow.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
access-control-allow-origin: *
age: 1657578
cache-control: public, max-age=0, must-revalidate
content-disposition: inline; filename="blockedDomains.json"
content-encoding: br
content-type: application/json; charset=utf-8
date: Tue, 07 May 2024 08:13:54 GMT
etag: W/"04708d47dd194d37b8231a65de7a66f1"
server: Vercel
strict-transport-security: max-age=63072000
x-matched-path: /assets/js/blockedDomains.json
x-vercel-cache: HIT
x-vercel-id: arn1::gchbk-1715069634938-f7b1183e499b
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/11.639238ba.chunk.js

143.204.55.14

200 OK

24 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/11.639238ba.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (23865), with no line terminators
Size
24 kB (23865 bytes)
Hash
4049f38c00add1738dc4806148ff8829
0a631d2ccde970a13f60e147a5b5aeacb6a1b2e0
c501de88fbb90a445f1754a529bc772e7047071bf653c8c3f0330f7bb736d140

HTTP Headers

GET /core/assets/js/11.639238ba.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:53 GMT
last-modified: Wed, 01 May 2024 17:00:03 GMT
etag: W/"4049f38c00add1738dc4806148ff8829"
x-amz-server-side-encryption: AES256
x-amz-version-id: smaqEJ6y78pINcBn6CQ9_uyEvwvE9ZvF
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 22
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: b4AFyRW0IXh-B99CrRj_VY1BADb1fi_epHG7Dn5wimEY_lpcz_CuuA==
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/0.0b2ebd4a.chunk.js

143.204.55.14

200 OK

8.8 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/0.0b2ebd4a.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (8912), with no line terminators
Size
8.8 kB (8798 bytes)
Hash
e4b83ecb3264826482970c82325ce021
728b5c23bcd47b4ca79e00c1d22975c1a337d23f
967002b56a58f41a49dbebbf93955d8774d83319c9ec02db7c76e0769c7af439

HTTP Headers

GET /core/assets/js/0.0b2ebd4a.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:54 GMT
last-modified: Wed, 01 May 2024 17:00:03 GMT
etag: W/"c5efcdc9e465604f32cf24af10fd6c13"
x-amz-server-side-encryption: AES256
x-amz-version-id: vSM0HkOkvqgsTuJrFWNs8RjJoWUL6ULk
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 23
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: eapf0M-QmaVo5NVZQmn5ORBqDygfPfHi3-Z6xErydnxmdcn8A0uilA==
X-Firefox-Spdy: h2

hubspotonwebflow.com/api/forms/blockList?id=c32ae9e7-4a4b-4436-a6e4-0de41bd8df62

76.76.21.61

200 OK

47 B

URL GET HTTP/2
hubspotonwebflow.com/api/forms/blockList?id=c32ae9e7-4a4b-4436-a6e4-0de41bd8df62
IP
76.76.21.61:443
ASN
#16509 AMAZON-02

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subjecthubspotonwebflow.com
Fingerprint38:B7:60:3C:B5:3B:2D:6B:25:E2:90:D9:F1:41:B8:F8:2F:AF:6A:BE
ValidityMon, 06 May 2024 22:48:06 GMT - Sun, 04 Aug 2024 22:48:05 GMT

File type
troff or preprocessor input, ASCII text, with no line terminators
Size
47 B (47 bytes)
Hash
92b0ac52eb3a4a3a7aa65224abcf9105
559923772a67b0808357cbafad1c4b85f1fbb637
8d57e2de20c17fd1d44666ee75ea22ba15abd3c5127812b84e8179911bb52261

HTTP Headers

GET /api/forms/blockList?id=c32ae9e7-4a4b-4436-a6e4-0de41bd8df62 HTTP/1.1
Host: hubspotonwebflow.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
access-control-allow-headers: Content-Type, Authorization
access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
access-control-allow-origin: *
age: 0
cache-control: public, max-age=0, must-revalidate
content-encoding: br
content-type: application/json
date: Tue, 07 May 2024 08:13:55 GMT
server: Vercel
strict-transport-security: max-age=63072000
vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch
x-matched-path: /api/forms/blockList
x-vercel-cache: MISS
x-vercel-execution-region: iad1
x-vercel-id: arn1::iad1::b7hw5-1715069634944-12c5586f8609
X-Firefox-Spdy: h2

bat.bing.com/p/action/187059084.js

204.79.197.237

200 OK

3.7 kB

URL GET HTTP/2
bat.bing.com/p/action/187059084.js
IP
204.79.197.237:443
ASN
#8068 MICROSOFT-CORP-MSN-AS-BLOCK

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerMicrosoft Corporation
Subjectwww.bing.com
Fingerprint02:83:27:F9:50:D8:BE:B9:5E:DF:1A:4A:45:3B:6D:3C:BC:30:F2:58
ValidityWed, 01 May 2024 01:58:25 GMT - Thu, 27 Jun 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (3889), with no line terminators
Size
3.7 kB (3731 bytes)
Hash
96f45925ca1c3d61e3d2cc6713e8fab7
4d4b1cfbe22acd8ab3d8ff3118f6344cc219c3fe
500e4bb83acfc35c869f12e14ef28d151f5f9c9414582e7a30a7320566c8c743

HTTP Headers

GET /p/action/187059084.js HTTP/1.1
Host: bat.bing.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
cache-control: private,max-age=60
content-type: application/javascript; charset=utf-8
content-encoding: br
vary: Accept-Encoding
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 286AEB9BE3A84DB99D9C7DD14F8EB997 Ref B: OSL30EDGE0111 Ref C: 2024-05-07T08:13:54Z
date: Tue, 07 May 2024 08:13:53 GMT
X-Firefox-Spdy: h2

54.85.240.191

101 Switching Protocols

0 B

URL GET HTTP/1.1
presence.api.drift.com/ws/websocket?session_token=SFMyNTY.g3QAAAACZAAEZGF0YXQAAAAFZAACaWRtAAAAFTUwOTI4MDQtMjE4MzQ2MTc5NzgtNGQABm9yZ19pZG0AAAAHNTA5MjgwNGQACXNjb3BlX3NldG0AAAAEbGVhZGQAB3VzZXJfaWRtAAAACzIxODM0NjE3OTc4ZAAJdXNlcl90eXBlZAAEbGVhZGQABnNpZ25lZG4GAAPNHVKPAQ.kg-kCpkRsACu5QiQ0ILq0oCKO9GFkCFlNEkEUq0O6aA&remote_ip=18.232.245.220&vsn=2.0.0
IP
54.85.240.191:443
ASN
#14618 AMAZON-AES

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subjectdrift.com
Fingerprint8D:87:63:40:81:FD:69:E6:E5:7B:1B:D8:C5:49:BB:2A:A5:0B:A2:EE
ValidityTue, 15 Aug 2023 00:00:00 GMT - Wed, 11 Sep 2024 23:59:59 GMT

File type

Size
0 B (0 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

HTTP Headers

GET /ws/websocket?session_token=SFMyNTY.g3QAAAACZAAEZGF0YXQAAAAFZAACaWRtAAAAFTUwOTI4MDQtMjE4MzQ2MTc5NzgtNGQABm9yZ19pZG0AAAAHNTA5MjgwNGQACXNjb3BlX3NldG0AAAAEbGVhZGQAB3VzZXJfaWRtAAAACzIxODM0NjE3OTc4ZAAJdXNlcl90eXBlZAAEbGVhZGQABnNpZ25lZG4GAAPNHVKPAQ.kg-kCpkRsACu5QiQ0ILq0oCKO9GFkCFlNEkEUq0O6aA&remote_ip=18.232.245.220&vsn=2.0.0 HTTP/1.1
Host: presence.api.drift.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Sec-WebSocket-Version: 13
Origin: https://rc-widget-frame.js.driftt.com
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: mWANSt102yUyjbbRA+Dqkw==
DNT: 1
Connection: keep-alive, Upgrade
Sec-Fetch-Dest: websocket
Sec-Fetch-Mode: websocket
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

HTTP/1.1 101 Switching Protocols
cache-control: max-age=0, private, must-revalidate
connection: Upgrade
date: Tue, 07 May 2024 08:13:56 GMT
sec-websocket-accept: r8C+wEirI07tfZ8m5LlbkS8GH6I=
server: Cowboy
upgrade: websocket

rc-widget-frame.js.driftt.com/core/assets/js/41.b4fc4de2.chunk.js

143.204.55.14

200 OK

26 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/41.b4fc4de2.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (25600), with no line terminators
Size
26 kB (25600 bytes)
Hash
a2ace4f65aa7b34dedb884f6cfe9df8d
6cd6950446b7701a27180647e2dbb74bb90509d4
edf1011ad272d21b66ae82a21a9d029186dc81c9f13972203fc3107f75835d4b

HTTP Headers

GET /core/assets/js/41.b4fc4de2.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:53 GMT
last-modified: Tue, 19 Mar 2024 17:28:54 GMT
etag: W/"a2ace4f65aa7b34dedb884f6cfe9df8d"
x-amz-server-side-encryption: AES256
x-amz-version-id: rA0DhPsJA4RdNVesvkvN4QjRny8lrPwc
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 18
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: NlZUj5oxkhuyHOsf5J2EZgZiowZ0ZpKPqGtgIxGxFJJBtYhWuezwFw==
X-Firefox-Spdy: h2

js.hs-banner.com/3911692.js

104.18.34.229

200 OK

63 kB

URL GET HTTP/2
js.hs-banner.com/3911692.js
IP
104.18.34.229:443
ASN
#13335 CLOUDFLARENET

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerLet's Encrypt
Subjecths-banner.com
FingerprintFD:CD:8E:97:D4:7A:91:8A:CF:B0:8D:03:EF:EB:A1:49:9F:F6:62:40
ValidityMon, 01 Apr 2024 01:01:12 GMT - Sun, 30 Jun 2024 01:01:11 GMT

File type
JavaScript source, ASCII text, with very long lines (61243)
Size
63 kB (62644 bytes)
Hash
381b0631a0eece43d9975eebeac4018a
c23697fb40287af31e1b9a0ed1159d1031cfdd26
0a7e62074b4311ed600655962e3217c9f2c33bd454457523a1d0fe36dfbb2207

HTTP Headers

GET /3911692.js HTTP/1.1
Host: js.hs-banner.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:52 GMT
content-type: text/javascript; charset=UTF-8
x-amz-id-2: jPQgSktSiznXWH2qOajtnIAsqrLcQCrTdfVbq2Jg9VSw9kS8WGETsAkQ4W5RP0JkUtWGzoEgYU5aCVi1RW1/HcB4ZJnx7669
x-amz-request-id: RC5XAAR8DKEC0HAM
last-modified: Wed, 10 Apr 2024 21:07:09 GMT
etag: W/"381b0631a0eece43d9975eebeac4018a"
x-amz-server-side-encryption: AES256
cache-control: max-age=300,public
x-amz-version-id: RDrUrFX49NqTvtKL.PRguE6RUBzrS.gk
access-control-allow-origin: https://www.huntress.com
access-control-allow-methods: GET, OPTIONS, PUT, POST, DELETE, PATCH, HEAD
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Accept-Charset, Accept-Encoding, X-Override-Internal-Permissions, X-Properties-Source, X-Properties-SourceId, X-Properties-Flag, X-Hubspot-User-Id, X-Hubspot-Trace, X-Hubspot-Callee, X-Hubspot-Offset, X-Hubspot-No-Trace, X-HubSpot-Static-App-Info, X-HubSpot-Messages-Uri, X-HubSpot-Request-Source, X-HubSpot-Request-Reason, Subscription-Billing-Auth-Token, X-App-CSRF, X-Tools-CSRF, Online-Payment-Signing-UUID, X-Source, X-SourceId, X-Origin-UserId, X-Biden-Request-Source, X-HubSpot-CSRF-hubspotapi, X-Force-Cookie-Refresh, X-Force-Cookie-Refresh-No-Cache, X-HS-User-Request, X-Application-Id, X-HS-Referer, X-HubSpot-Correlation-Id
access-control-expose-headers: x-last-modified-timestamp, X-HubSpot-NotFound, X-HS-User-Request, Link, Server-Timing
access-control-allow-credentials: true
access-control-max-age: 604800
timing-allow-origin: *
vary: origin, Accept-Encoding
expires: Tue, 07 May 2024 08:14:18 GMT
x-envoy-upstream-service-time: 24
x-evy-trace-route-service-name: envoyset-translator
x-evy-trace-virtual-host: all
x-hubspot-correlation-id: 694e4a9c-c1ad-443c-a04b-1c5adfc2ce45
x-evy-trace-served-by-pod: iad02/analytics-js-proxy-td/envoy-proxy-6685c9958f-snf7h
x-evy-trace-listener: listener_https
x-evy-trace-route-configuration: listener_https/all
x-request-id: 694e4a9c-c1ad-443c-a04b-1c5adfc2ce45
cf-cache-status: HIT
age: 91
server: cloudflare
cf-ray: 87ffc0cffb44b51d-OSL
content-encoding: br
X-Firefox-Spdy: h2

api.neverbounce.com/v4/poe/notify?key=public_0e95e4405380cdd75d8aa57fca3692dc&event=form.load&callback=__neverbounce_88949

44.218.103.148

200 OK

62 B

URL GET HTTP/2
api.neverbounce.com/v4/poe/notify?key=public_0e95e4405380cdd75d8aa57fca3692dc&event=form.load&callback=__neverbounce_88949
IP
44.218.103.148:443
ASN
#14618 AMAZON-AES

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subjectneverbounce.com
FingerprintAA:14:38:26:16:0D:C2:06:23:FA:67:31:6D:06:B4:73:35:3A:18:67
ValidityMon, 29 Jan 2024 00:00:00 GMT - Tue, 25 Feb 2025 23:59:59 GMT

File type
ASCII text, with no line terminators
Size
62 B (62 bytes)
Hash
1afa8f2377a97322215922585d8d152d
dec389d81da4a7eba6ac9ad83e1aeb42c0b530c3
5cea297a58bc083bc5be4c76ac800a8419ad679f9d0a8e85a427dc13040b79b7

HTTP Headers

GET /v4/poe/notify?key=public_0e95e4405380cdd75d8aa57fca3692dc&event=form.load&callback=__neverbounce_88949 HTTP/1.1
Host: api.neverbounce.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:53 GMT
content-type: application/javascript
server: nginx
vary: Accept-Encoding
cache-control: no-cache, private
x-ua-compatible: IE=Edge
strict-transport-security: max-age=31536000; includeSubDomains
content-encoding: gzip
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/css/16.22abfce0.chunk.css

143.204.55.14

200 OK

24 B

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/css/16.22abfce0.chunk.css
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
ASCII text, with no line terminators
Size
24 B (24 bytes)
Hash
0c5dad92482d9a7c7c253510f5082465
534b458f99b4d0bb90c2cf2c4bb3703ef44a52bf
5dbaf0a4ff0f8ac8c1b67550eee84390b089604ffaf71183e417636c7e183ac5

HTTP Headers

GET /core/assets/css/16.22abfce0.chunk.css HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: text/css
content-length: 24
server: istio-envoy
date: Tue, 07 May 2024 08:13:53 GMT
last-modified: Wed, 01 May 2024 17:00:01 GMT
etag: "0c5dad92482d9a7c7c253510f5082465"
x-amz-server-side-encryption: AES256
x-amz-version-id: EJDcVDn5CVMphTi7feP5kOEl5b7qqm3R
accept-ranges: bytes
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 13
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: UkE3Ox2w3IaU0m_ICsQak52yJfYFJlSZIZ5bA9Xy6jxayMAv_ViPCA==
X-Firefox-Spdy: h2

js.zi-scripts.com/unified/v1/master/getSubscriptions

172.64.150.44

200 OK

146 B

URL GET HTTP/3
js.zi-scripts.com/unified/v1/master/getSubscriptions
IP
172.64.150.44:443
ASN
#13335 CLOUDFLARENET

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGoogle Trust Services LLC
Subjectzi-scripts.com
FingerprintC0:86:5D:FE:C8:AD:96:F5:D9:46:55:72:6E:0F:17:8B:4A:AE:01:1D
ValidityFri, 29 Mar 2024 13:10:20 GMT - Thu, 27 Jun 2024 13:10:19 GMT

File type
troff or preprocessor input, ASCII text, with no line terminators
Size
146 B (146 bytes)
Hash
6a1b7bf19ad57e5a1257b549ffaa1f78
ff2b64dc8fa5672a65ac60f13e15e71763d3d266
bfe085f3da2e3a764d08935d725cb24e2598e3f2fbb602e8871c65dacd2db38b

HTTP Headers

GET /unified/v1/master/getSubscriptions HTTP/1.1
Host: js.zi-scripts.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
Content-Type: application/json
Authorization: Bearer 5880e3e5891679926699
visited_url: https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Origin: https://www.huntress.com
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/3 200 OK
date: Tue, 07 May 2024 08:13:55 GMT
content-type: application/json; charset=utf-8
apigw-requestid: XZBeniFfvHcESVQ=
x-powered-by: Express
etag: W/"92-61bqz+uTKSWn4UefTlWhnvUDaaM"
access-control-allow-origin: *
access-control-expose-headers: *
x-cache: Miss from cloudfront
via: 1.1 6259d2cd8a5947ad41a420527bbed7a6.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-P1
x-amz-cf-id: 2-C1K3fZnCE-snEDR0P5862CbJ5hWigWxGVaGEz0D1jlHArc7fwdew==
cf-cache-status: DYNAMIC
server: cloudflare
cf-ray: 87ffc0e629eab4f7-OSL
content-encoding: gzip
alt-svc: h3=":443"; ma=86400

rc-widget-frame.js.driftt.com/core/assets/js/main~493df0b3.91dc5a14.chunk.js

143.204.55.14

200 OK

7.2 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/main~493df0b3.91dc5a14.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (7529), with no line terminators
Size
7.2 kB (7237 bytes)
Hash
b9603050b2ad285efe8952c41736639e
255046e26f27a91725ea75524178debd1b54f055
1f974cd530f4bdaba080960bca77427430b279128b833180a1d006fe1eeed177

HTTP Headers

GET /core/assets/js/main~493df0b3.91dc5a14.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:53 GMT
last-modified: Mon, 21 Aug 2023 14:57:27 GMT
etag: W/"c11c9776fa434757756e10e6ded61c75"
x-amz-server-side-encryption: AES256
x-amz-version-id: aQ8O6UMWsN.2o5G5k1LSH1svCMcNLzIM
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 21
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: IiT0GtegityiW5-EaGr5dufS6RWFk7szN8okNEIdcgDHW3powck4Zg==
X-Firefox-Spdy: h2

js.zi-scripts.com/zi-tag.js

172.64.150.44

200 OK

9.5 kB

URL GET HTTP/2
js.zi-scripts.com/zi-tag.js
IP
172.64.150.44:443
ASN
#13335 CLOUDFLARENET

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGoogle Trust Services LLC
Subjectzi-scripts.com
FingerprintC0:86:5D:FE:C8:AD:96:F5:D9:46:55:72:6E:0F:17:8B:4A:AE:01:1D
ValidityFri, 29 Mar 2024 13:10:20 GMT - Thu, 27 Jun 2024 13:10:19 GMT

File type
JavaScript source, ASCII text, with very long lines (9672), with no line terminators
Size
9.5 kB (9451 bytes)
Hash
5c9250f796bc689e1ac1ee1221b91a6d
93f29564742ef92037bfe44dfb0d7be8864136ab
d77d28c1698722409baf461512fc2716045b404d4e4206f5ec8f9052013375a9

HTTP Headers

GET /zi-tag.js HTTP/1.1
Host: js.zi-scripts.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:54 GMT
content-type: application/javascript
last-modified: Thu, 02 May 2024 10:12:33 GMT
x-amz-version-id: El0g.RnAqJPwnFJdxj37HBOCbk.jq3Sb
etag: W/"8c204aa84fdf9cdf3edc033589ee81ca"
vary: Accept-Encoding
x-cache: Hit from cloudfront
via: 1.1 ee04daa979e7a02cc5ca472521bc18a6.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-P1
x-amz-cf-id: Hn9nwixw2FqYPBGY0HrSXW-8VIBsMFsDMHtOzPsy5wk4ylw-18S8tw==
age: 17100
cf-cache-status: DYNAMIC
server: cloudflare
cf-ray: 87ffc0e29f631c06-OSL
content-encoding: gzip
alt-svc: h3=":443"; ma=86400
X-Firefox-Spdy: h2

www.google.com/recaptcha/api2/bframe?hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC

142.250.74.132

200 OK

7.4 kB

URL GET HTTP/3
www.google.com/recaptcha/api2/bframe?hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC
IP
142.250.74.132:443
ASN
#15169 GOOGLE

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerGoogle Trust Services LLC
Subject*.google.com
Fingerprint7C:B7:E1:97:03:6E:82:B6:52:F8:EC:C6:C6:50:D9:DD:80:47:E6:A0
ValidityTue, 16 Apr 2024 03:18:53 GMT - Tue, 09 Jul 2024 03:18:52 GMT

File type
HTML document, ASCII text, with very long lines (7672), with no line terminators
Size
7.4 kB (7441 bytes)
Hash
7e27b7432486e5f3666ca5d189653a4a
fd555a1652d8cc57268650df8a435a16fc10acc4
7ca3030c52d2ecceacf70bb2f4571ea78a2624b973c2ba2a899334f3d9fbda8b

HTTP Headers

GET /recaptcha/api2/bframe?hl=en&v=V6_85qpc2Xf2sbe3xTnRte7m&k=6LchEywUAAAAAAdAXlscEm7Kcb3DJ38pngRCQJsC HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/3 200 OK
content-type: text/html; charset=utf-8
cross-origin-resource-policy: cross-origin
cross-origin-embedder-policy: require-corp
report-to: {"group":"recaptcha","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/recaptcha"}]}
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: Mon, 01 Jan 1990 00:00:00 GMT
date: Tue, 07 May 2024 08:13:55 GMT
content-security-policy: script-src 'nonce-SLVLLCxOhLlvHje3RXcohg' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/recaptcha/1
content-encoding: gzip
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
server: GSE
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

rc-widget-frame.js.driftt.com/core/assets/css/25.7addeee7.chunk.css

143.204.55.14

200 OK

9.0 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/css/25.7addeee7.chunk.css
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
ASCII text, with very long lines (9040), with no line terminators
Size
9.0 kB (9040 bytes)
Hash
b9011653b355d04d18b2ff93e45e1ecd
f5415e40e4f0368b065e54498b137f43965dedf5
a7a9292edd72228ac6b7839b6e29a832ab45515a5c78d548ccd5fd8a2b1942ff

HTTP Headers

GET /core/assets/css/25.7addeee7.chunk.css HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: text/css
server: istio-envoy
date: Tue, 07 May 2024 08:13:54 GMT
last-modified: Mon, 21 Aug 2023 14:57:23 GMT
etag: W/"b9011653b355d04d18b2ff93e45e1ecd"
x-amz-server-side-encryption: AES256
x-amz-version-id: EFJHE_lMh.tvaT0GqPW.1ROLceWNBRoz
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
content-encoding: gzip
x-envoy-upstream-service-time: 20
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: MpKZvR0mNbFUSRZrP8BXZQMaj4ZYGrIEZHlNc67MZoC9XboWQH-GWw==
X-Firefox-Spdy: h2

bat.bing.com/action/0?ti=187059084&tm=gtm002&Ver=2&mid=5bd62046-e995-4aa4-8d5d-e337e6d5f6cc&sid=be7c53b00c4911ef9f882d4b3bb4ba09&vid=be7c61500c4911ef8177d1755aaa8281&vids=1&msclkid=N&pi=918639831&lg=en-US&sw=1280&sh=1024&sc=24&tl=Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware&p=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&r=&lt=2807&pt=1715069629217,,,,,50,52,52,52,128,89,128,194,206,512,2720,2797,2807,,,&pn=0,0&evt=pageLoad&sv=1&rn=690706

204.79.197.237

204 No Content

0 B

URL GET HTTP/2
bat.bing.com/action/0?ti=187059084&tm=gtm002&Ver=2&mid=5bd62046-e995-4aa4-8d5d-e337e6d5f6cc&sid=be7c53b00c4911ef9f882d4b3bb4ba09&vid=be7c61500c4911ef8177d1755aaa8281&vids=1&msclkid=N&pi=918639831&lg=en-US&sw=1280&sh=1024&sc=24&tl=Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware&p=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&r=&lt=2807&pt=1715069629217,,,,,50,52,52,52,128,89,128,194,206,512,2720,2797,2807,,,&pn=0,0&evt=pageLoad&sv=1&rn=690706
IP
204.79.197.237:443
ASN
#8068 MICROSOFT-CORP-MSN-AS-BLOCK

Requested by
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerMicrosoft Corporation
Subjectwww.bing.com
Fingerprint02:83:27:F9:50:D8:BE:B9:5E:DF:1A:4A:45:3B:6D:3C:BC:30:F2:58
ValidityWed, 01 May 2024 01:58:25 GMT - Thu, 27 Jun 2024 23:59:59 GMT

File type

Size
0 B (0 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

HTTP Headers

GET /action/0?ti=187059084&tm=gtm002&Ver=2&mid=5bd62046-e995-4aa4-8d5d-e337e6d5f6cc&sid=be7c53b00c4911ef9f882d4b3bb4ba09&vid=be7c61500c4911ef8177d1755aaa8281&vids=1&msclkid=N&pi=918639831&lg=en-US&sw=1280&sh=1024&sc=24&tl=Cobalt%20Strikes%20Again%3A%20An%20Analysis%20of%20Obfuscated%20Malware&p=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware&r=&lt=2807&pt=1715069629217,,,,,50,52,52,52,128,89,128,194,206,512,2720,2797,2807,,,&pn=0,0&evt=pageLoad&sv=1&rn=690706 HTTP/1.1
Host: bat.bing.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.huntress.com/
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 204 No Content
cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=0853F8F8EF476868286FEC80EEB26958; domain=.bing.com; expires=Sun, 01-Jun-2025 08:13:54 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F086164554314842A8046C54C0D71239 Ref B: OSL30EDGE0111 Ref C: 2024-05-07T08:13:54Z
date: Tue, 07 May 2024 08:13:53 GMT
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/34.4924e4bf.chunk.js

143.204.55.14

200 OK

27 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/34.4924e4bf.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (27337), with no line terminators
Size
27 kB (27337 bytes)
Hash
2a9499a40949c70c9c00081b06639cb0
c30abc7c92ba97be5e84f4aa4b5cde054968cfce
15736c00b563c558ec1e7d531c0d8bd7d8cc24c2026adbc2dcf0ccd3e48f7d65

HTTP Headers

GET /core/assets/js/34.4924e4bf.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:54 GMT
last-modified: Mon, 21 Aug 2023 14:57:25 GMT
etag: W/"2a9499a40949c70c9c00081b06639cb0"
x-amz-server-side-encryption: AES256
x-amz-version-id: T7ywXmlgZ2pn_NjEp3YMDrKgM16OYgwy
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 18
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: Hf83NcwBKP0ZrqkYRbJCatP2GRUV4YEJIq2bqFXOj7vz8Nl_NVX0vQ==
X-Firefox-Spdy: h2

rc-widget-frame.js.driftt.com/core/assets/js/35.3969a3d7.chunk.js

143.204.55.14

200 OK

12 kB

URL GET HTTP/2
rc-widget-frame.js.driftt.com/core/assets/js/35.3969a3d7.chunk.js
IP
143.204.55.14:443
ASN
#16509 AMAZON-02

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subject*.drift.com
Fingerprint9C:F6:BE:BA:59:6B:DE:CE:68:BD:2B:4F:DB:C5:B3:AF:A3:19:C6:56
ValidityMon, 03 Jul 2023 00:00:00 GMT - Wed, 31 Jul 2024 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (11590), with no line terminators
Size
12 kB (11590 bytes)
Hash
dcd622adceee29d53432ca3f6e9eb777
03daf12e516e3d3ea54cf6d3b45ac10a5e72ff83
ca38f2df2a3be653605830a05931aeac85fbd1c3fa2e483a334fdc25e3463503

HTTP Headers

GET /core/assets/js/35.3969a3d7.chunk.js HTTP/1.1
Host: rc-widget-frame.js.driftt.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/javascript
server: istio-envoy
date: Tue, 07 May 2024 08:13:54 GMT
last-modified: Mon, 21 Aug 2023 14:57:25 GMT
etag: W/"dcd622adceee29d53432ca3f6e9eb777"
x-amz-server-side-encryption: AES256
x-amz-version-id: _L8fRFK5jC3YnnGaFitzP.KBJ4MXVS_2
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
strict-transport-security: max-age=31536000; includeSubDomains
cache-control: max-age=31536000
x-envoy-upstream-service-time: 23
content-encoding: gzip
vary: Accept-Encoding
x-cache: Miss from cloudfront
via: 1.1 142be88a35733307a5e7de05da0a20b8.cloudfront.net (CloudFront)
x-amz-cf-pop: OSL50-C1
x-amz-cf-id: 08eGoX6f8sjjLxMcV7d51c_ekJukUtyuVgy3_o8GUhs6qHSW-iIKXg==
X-Firefox-Spdy: h2

bootstrap.api.drift.com/widget_bootstrap

3.94.218.138

200 OK

11 kB

URL POST HTTP/2
bootstrap.api.drift.com/widget_bootstrap
IP
3.94.218.138:443
ASN
#14618 AMAZON-AES

Requested by
https://rc-widget-frame.js.driftt.com/core?d=1&embedId=5d3cypit2iz8&eId=5d3cypit2iz8&region=US&forceShow=false&skipCampaigns=false&sessionId=5db9d812-9f99-492f-b86a-7584711e38bf&sessionStarted=1715069632.22&campaignRefreshToken=3ff4782d-aa36-4351-9ce0-0c58401534f6&pageLoadStartTime=1715069629423&mode=CHAT&driftEnableLog=false&loadStrategy=ON_INTERACTIVE&secureIframe=false&u=https%3A%2F%2Fwww.huntress.com%2Fblog%2Fcobalt-strike-analysis-of-obfuscated-malware
Certificate
IssuerAmazon
Subjectdrift.com
FingerprintB7:94:E7:F3:B7:5C:66:0B:09:DC:83:16:97:C6:C8:04:3A:B0:3B:D0
ValiditySun, 03 Mar 2024 00:00:00 GMT - Mon, 31 Mar 2025 23:59:59 GMT

File type
JSON text data
Size
11 kB (10562 bytes)
Hash
76729efc84bce1e02bccc45b2a2f0090
42ed5f25c7eda28a9cbcfd9194c4d1f9f9c33244
f90bb2e9be8052005249584773ba80260221e8d44fe100b0200a585d7c97b5c5

HTTP Headers

POST /widget_bootstrap HTTP/1.1
Host: bootstrap.api.drift.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 507
Origin: https://rc-widget-frame.js.driftt.com
DNT: 1
Connection: keep-alive
Referer: https://rc-widget-frame.js.driftt.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Tue, 07 May 2024 08:13:55 GMT
access-control-allow-origin: *
access-control-allow-headers: origin, content-type, accept, authorization, auth-token, uber-trace-id, x-amzn-oidc-data, x-version
access-control-allow-credentials: true
access-control-expose-headers: X-Results-Total-Count,X-Page-Info
access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH
access-control-max-age: 1209600
strict-transport-security: max-age=31536000; includeSubDomains
content-type: application/json;charset=utf-8
requestid: 5fc20df9c84e38dd
vary: Accept-Encoding
content-encoding: gzip
x-envoy-upstream-service-time: 216
server: istio-envoy
X-Firefox-Spdy: h2

Report Overview

Submitted URL

IP

ASN

Submitted

Access

Website Title

Final URL

Tags

urlquery detections

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

Public InfoSec YARA rules

OpenPhish

PhishTank

mnemonic secure dns

Quad9 DNS

ThreatFox

JavaScript (104)

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML