Credentials: https://www.linkedin.com/in/nick-kinney-7a225428a/
Summary: It is a deep read, but based on my exposure to the Microsoft .NET codebase, I feel my suspicions are somewhat accurate.
To begin with, I noticed when I downloaded an old code base that my AntiForgeryToken, in the context of web development, was compromised, as I received an Invalid Token Argument Exception error. I was on a new box and it made little sense. Once I popped open some tools I noticed a certificate mismatch with code.yengo.com. The supposed fix was to add 127.0.0.1 code.yengo.com to my drivers/etc/hosts file, due to the fact that my AntiForgeryToken exception disappeared after doing so.
The dark turn.
Once I noticed this activity I put my computer on an isolated guest Wi-Fi network to block any further damage. I assigned myself a single IP range and left no room for any other machines to enter, or so I thought. Then NBNS requests started flooding my computer. I tried my best, eventually conceded defeat, and was forced to reinstall. This occurred about a dozen times, due to the fact that I must download an update when reinstalling Windows 11.
The short version of this is that my audio driver was being updated to a malicious Realtek driver.
The reason I know the Windows-updated driver was a malicious 'ReachTek' driver is that isolation storage turned off on my machine because of a .inf file being corrupted. I had to use further PowerShell knowledge to delete the driver from my box, which proved to be too late, as a ghost was already in the machine causing problems. Not DISM, I mean another method I have forgotten.
I defeated this piece of the puzzle after 5 reinstalls, to eventually fire up 2 user accounts and isolate Windows Update so that it also ignores driver updates, using PowerShell.
More dark turns.
At this point, I had code.yengo.com blocked, or so I thought. I ended up maintaining all of the drivers/etc, firewalls, and NBNS disabled for IPv4, as IPv6 is completely disabled. It looked to be working, until I downloaded Baldur's Gate III from Steam "slash" ran some Windows Azure create container resources. I cannot tell when the URL started reappearing, as I did both within the same hour.
Wireshark says this, which I do not understand.
[Wireshark screenshot attachment]
It continues to go completely bonkers, like a trapped bee in a jar.
[Wireshark screenshot attachment]
Apologies for the formatting.
32457 1532.477589 code.yengo.com code.yengo.com TCP 44 64210 → ddi-tcp-1(8888) [ACK] Seq=8260 Ack=15585 Win=311808 Len=0
32458 1532.482585 code.yengo.com code.yengo.com TLSv1.3 79 Application Data
32459 1532.482626 code.yengo.com code.yengo.com TCP 44 ddi-tcp-1(8888) → 64210 [ACK] Seq=15585 Ack=8295 Win=2152960 Len=0
32460 1532.482657 code.yengo.com code.yengo.com TLSv1.3 79 Application Data
32461 1532.482669 code.yengo.com code.yengo.com TCP 44 ddi-tcp-1(8888) → 64210 [ACK] Seq=15585 Ack=8330 Win=2152960 Len=0
32462 1534.073484 code.yengo.com code.yengo.com TCP 45 [TCP Keep-Alive] 63910 → ddi-tcp-1(8888) [ACK] Seq=1405000 Ack=245271 Win=2135296 Len=1
32463 1534.073527 code.yengo.com code.yengo.com TCP 56 [TCP Keep-Alive ACK] ddi-tcp-1(8888) → 63910 [ACK] Seq=245271 Ack=1405001 Win=2121984 Len=0 SLE=1405000 SRE=1405001
32464 1535.498778 code.yengo.com code.yengo.com TCP 45 [TCP Keep-Alive] 64285 → ddi-tcp-1(8888) [ACK] Seq=1005 Ack=723 Win=2160384 Len=1
32465 1535.498797 code.yengo.com code.yengo.com TCP 56 [TCP Keep-Alive ACK] ddi-tcp-1(8888) → 64285 [ACK] Seq=723 Ack=1006 Win=2160128 Len=0 SLE=1005 SRE=1006
32466 1536.277039 code.yengo.com code.yengo.com TCP 45 [TCP Keep-Alive] 64202 → ddi-tcp-1(8888) [ACK] Seq=2976 Ack=12148 Win=315136 Len=1
32467 1536.277076 code.yengo.com code.yengo.com TCP 56 [TCP Keep-Alive ACK] ddi-tcp-1(8888) → 64202 [ACK] Seq=12148 Ack=2977 Win=2158336 Len=0 SLE=2976 SRE=2977
32468 1536.734542 code.yengo.com code.yengo.com TCP 45 [TCP Keep-Alive] 64203 → ddi-tcp-1(8888) [ACK] Seq=2386 Ack=57671 Win=269568 Len=1
32469 1536.734583 code.yengo.com code.yengo.com TCP 56 [TCP Keep-Alive ACK] ddi-tcp-1(8888) → 64203 [ACK] Seq=57671 Ack=2387 Win=2158848 Len=0 SLE=2386 SRE=2387
32470 1537.812217 code.yengo.com code.yengo.com TCP 56 64306 → ddi-tcp-1(8888) [SYN] Seq=0 Win=65535 Len=0 MSS=65495 WS=256 SACK_PERM
32471 1537.812345 code.yengo.com code.yengo.com TCP 56 ddi-tcp-1(8888) → 64306 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=65495 WS=256 SACK_PERM
32472 1537.812425 code.yengo.com code.yengo.com TCP 44 64306 → ddi-tcp-1(8888) [ACK] Seq=1 Ack=1 Win=2161152 Len=0
32473 1537.813055 code.yengo.com code.yengo.com HTTP 326 CONNECT functional.events.data.microsoft.com:443 HTTP/1.1
32474 1537.813110 code.yengo.com code.yengo.com TCP 44 ddi-tcp-1(8888) → 64306 [ACK] Seq=1 Ack=283 Win=2160896 Len=0
32475 1537.813826 code.yengo.com code.yengo.com TCP 191 ddi-tcp-1(8888) → 64306 [PSH, ACK] Seq=1 Ack=283 Win=2160896 Len=147 [TCP segment of a reassembled PDU]
32476 1537.813870 code.yengo.com code.yengo.com TCP 44 64306 → ddi-tcp-1(8888) [ACK] Seq=283 Ack=148 Win=2161152 Len=0
32477 1537.814517 code.yengo.com code.yengo.com TCP 570 ddi-tcp-1(8888) → 64306 [PSH, ACK] Seq=148 Ack=283 Win=2160896 Len=526 [TCP segment of a reassembled PDU]
32478 1537.814559 code.yengo.com code.yengo.com TCP 44 64306 → ddi-tcp-1(8888) [ACK] Seq=283 Ack=674 Win=2160640 Len=0
32479 1537.814613 code.yengo.com code.yengo.com HTTP 44 HTTP/1.1 407 Proxy Auth Required (text/html)
32480 1537.814644 code.yengo.com code.yengo.com TCP 44 64306 → ddi-tcp-1(8888) [ACK] Seq=283 Ack=675 Win=2160640 Len=0
32481 1537.816101 code.yengo.com code.yengo.com TCP 44 64306 → ddi-tcp-1(8888) [FIN, ACK] Seq=283 Ack=675 Win=2160640 Len=0
32482 1537.816199 code.yengo.com code.yengo.com TCP 44 ddi-tcp-1(8888) → 64306 [ACK] Seq=675 Ack=284 Win=2160896 Len=0
32483 1537.911260 code.yengo.com code.yengo.com TCP 45 [TCP Keep-Alive] 51396 → 27060 [ACK] Seq=1 Ack=1 Win=8442 Len=1
32484 1537.911305 code.yengo.com code.yengo.com TCP 56 [TCP Keep-Alive ACK] 27060 → 51396 [ACK] Seq=1 Ack=2 Win=8439 Len=0 SLE=1 SRE=2
32485 1538.668718 code.yengo.com code.yengo.com TCP 45 [TCP Keep-Alive] 64221 → ddi-tcp-1(8888) [ACK] Seq=2679 Ack=228028 Win=2134784 Len=1
32486 1538.668761 code.yengo.com code.yengo.com TCP 56 [TCP Keep-Alive ACK] ddi-tcp-1(8888) → 64221 [ACK] Seq=228028 Ack=2680 Win=2158592 Len=0 SLE=2679 SRE=2680
If you made it this far, I'm polluted by cert errors with:
# Result Protocol Host URL Body Caching Content-Type Process Comments Custom
27981 407 HTTP Tunnel to cache9-iad1.steamcontent.com:443 526 text/html steam:3588
P.S. my wife thinks I'm losing my marbles over silly computers :) hence the call for help.
Thank you very very much for simply reading.
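As an added example, not code from the post or from any tool it names: a small Python parser for the Wireshark summary above (one frame per line) that reports what the capture actually shows, namely that every frame has the same source and destination name, so with code.yengo.com pointed at 127.0.0.1 in the hosts file the traffic never leaves the machine, and that something listening on local port 8888 accepts HTTP CONNECT requests and answers 407 Proxy Authentication Required, i.e. it behaves as a local HTTP proxy (8888 is the default port of the Fiddler debugging proxy, among others). The six sample frames are copied from the capture in the post; the column order assumed is Wireshark's default summary layout.

```python
import re
from collections import Counter

# Column order of the Wireshark summary in the post: frame, time, source, destination, protocol, length, info.
LINE_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
# "64306 → ddi-tcp-1(8888)": Wireshark may print a resolved service name with the port in parentheses.
PORTS_RE = re.compile(r"(?:\S+\()?(\d+)\)?\s+→\s+(?:\S+\()?(\d+)\)?")

# Six frames copied from the capture above, one frame per line.
SAMPLE = """\
32470 1537.812217 code.yengo.com code.yengo.com TCP 56 64306 → ddi-tcp-1(8888) [SYN] Seq=0 Win=65535 Len=0 MSS=65495 WS=256 SACK_PERM
32471 1537.812345 code.yengo.com code.yengo.com TCP 56 ddi-tcp-1(8888) → 64306 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=65495 WS=256 SACK_PERM
32473 1537.813055 code.yengo.com code.yengo.com HTTP 326 CONNECT functional.events.data.microsoft.com:443 HTTP/1.1
32479 1537.814613 code.yengo.com code.yengo.com HTTP 44 HTTP/1.1 407 Proxy Auth Required (text/html)
32481 1537.816101 code.yengo.com code.yengo.com TCP 44 64306 → ddi-tcp-1(8888) [FIN, ACK] Seq=283 Ack=675 Win=2160640 Len=0
32483 1537.911260 code.yengo.com code.yengo.com TCP 45 [TCP Keep-Alive] 51396 → 27060 [ACK] Seq=1 Ack=1 Win=8442 Len=1
"""

def parse_summary(text):
    """Parse summary lines into dicts; anything that is not a frame is skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        frame, _time, src, dst, proto, _length, info = m.groups()
        ports = PORTS_RE.search(info)  # None for HTTP rows, which carry no ports
        frames.append({"frame": int(frame), "src": src, "dst": dst, "proto": proto,
                       "info": info, "dport": int(ports[2]) if ports else None})
    return frames

def analyse(frames):
    """Summarise where the traffic goes and what the HTTP rows say."""
    report = {
        "total": len(frames),
        # Same source and destination name: the packets never leave this host,
        # which is exactly what a 127.0.0.1 hosts-file entry produces.
        "hairpin": sum(f["src"] == f["dst"] for f in frames),
        # Destination ports of bare [SYN] frames: something local is listening there.
        "listening_ports": Counter(f["dport"] for f in frames if "[SYN]" in f["info"]),
        "connect_targets": [], "http_statuses": [],
    }
    for f in frames:
        if f["proto"] != "HTTP":
            continue
        if m := re.match(r"CONNECT (\S+)", f["info"]):      # proxy-style tunnel request
            report["connect_targets"].append(m[1])
        if m := re.match(r"HTTP/1\.\d (\d{3})", f["info"]):  # the listener's status reply
            report["http_statuses"].append(int(m[1]))
    return report
```

Run on a full capture export (File > Export Packet Dissections > As Plain Text, summary line only), the listening ports and CONNECT targets tell you which local process to look up with `netstat -ano`.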