Trying to investigate a url serving malware, creating domains on the fly

I search google for “honda firmware dump”, and starting on page 2-3, several results start showing for urls which have domain ending in (.it). I want to uncover what kind of malware is getting served if any, or whether its just ad tracking. The fishy thing for me is, that if i visit any of these urls, starting from the google search result link, and a new private browser window, it will redirect to a new domain each visit, and each of these new domains is getting created/registered on the fly in real time, because whois search shows registered date same day as visit (today). For example:
Google search result of:

when clicked from the google search result link:

will redirect to a domain that was just registered same day of visit, and append params to the url which send some data, which i am worried could be info on what os/browser to exploit, similar to what nsa is known to do:
hXXps://section72quietspeed(.)live/tnhxiaix/?u=tqck80z&o=zdqr96x&t=trafback&cid=1evqsidf70p70&f=1&sid=t4~p35dtet2005dffg5v3i3bny3&fp=4HY03UMz4xihwwSxgWzHv3%2BFvsCeTeczYyN9Nej1D9 + a bunch more encoded characters

I ran an report on the link, and showed some malicious activity, would be curious to know what it does:

Virustotal doesnt seem to follow the full redirect sequence but still found some suspicious things:

A few examples of the domains getting created on the fly, same day of visit:

What kind of actor could this be?