{"report_id":"f47aa3ba-30cf-4286-9821-0a5c8b131b01","version":6,"status":"done","tags":[],"date":"2026-03-15T04:50:57Z","url":{"schema":"https","addr":"distorted-allocations.xyz/","fqdn":"distorted-allocations.xyz","domain":"distorted-allocations.xyz","tld":"xyz"},"ip":{"addr":"104.21.27.180","port":0,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"final":{"url":{"schema":"https","addr":"distorted-allocations.xyz/","fqdn":"distorted-allocations.xyz","domain":"distorted-allocations.xyz","tld":"xyz"},"title":"$DISTORTED DISTRIBUTION","dom":{"size":0,"mime_type":"text/plain; charset=utf-8","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","dom_hash":"domhash1f07f384c75181c66badb60ab1ec770b","first_seen":"","last_seen":"","times_seen":0,"resource_available":false,"data":null}},"submit":{"url":{"schema":"https","addr":"distorted-allocations.xyz/","fqdn":"distorted-allocations.xyz","domain":"distorted-allocations.xyz","tld":"xyz"},"ip":{"addr":"104.21.27.180","port":0,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2027-04-19T04:50:57Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":7,"urlquery":0,"analyzer":11}},"detection":{"ids":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2026-03-15T04:50:28Z","timestamp":1773550228,"ip_dst":{"addr":"8.8.4.4","port":443,"asn":15169,"as":"GOOGLE","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":39444,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)","source":"{\"timestamp\":\"2026-03-15T04:50:28.512717+0000\",\"flow_id\":1139260385419566,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.8\",\"src_port\":39444,\"dest_ip\":\"8.8.4.4\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2047866,\"rev\":4,\"signature\":\"ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)\",\"category\":\"Misc activity\",\"severity\":3,\"source\":{\"ip\":\"8.8.4.4\",\"port\":443},\"target\":{\"ip\":\"172.18.0.8\",\"port\":39444},\"metadata\":{\"affected_product\":[\"Any\"],\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"High\"],\"created_at\":[\"2022_02_07\"],\"deployment\":[\"Perimeter\"],\"former_sid\":[\"2851058\"],\"performance_impact\":[\"Low\"],\"reviewed_at\":[\"2023_10_05\"],\"signature_severity\":[\"Informational\"],\"tag\":[\"DoH\"],\"updated_at\":[\"2023_10_05\"]}},\"tls\":{\"sni\":\"dns.google\",\"version\":\"TLS 1.3\",\"ja3\":{\"hash\":\"650c82854aed91a22996035b295a0c3e\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-21,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"eb1d94daa7e0344597e756a1fb6e7054\",\"string\":\"771,4865,51-43\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":6,\"bytes_toserver\":789,\"bytes_toclient\":4648,\"start\":\"2026-03-15T04:50:28.483630+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2026-03-15T04:50:32Z","timestamp":1773550232,"ip_dst":{"addr":"104.18.50.34","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":41674,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO Observed Cloudflare R2 Public Bucket (r2 .dev) Domain in TLS SNI","source":"{\"timestamp\":\"2026-03-15T04:50:32.496663+0000\",\"flow_id\":1717212659873181,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.8\",\"src_port\":41674,\"dest_ip\":\"104.18.50.34\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2062569,\"rev\":1,\"signature\":\"ET INFO Observed Cloudflare R2 Public Bucket (r2 .dev) Domain in TLS SNI\",\"category\":\"Misc activity\",\"severity\":3,\"source\":{\"ip\":\"104.18.50.34\",\"port\":443},\"target\":{\"ip\":\"172.18.0.8\",\"port\":41674},\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"High\"],\"created_at\":[\"2025_05_27\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2025_05_27\"]}},\"tls\":{\"sni\":\"pub-14c1504681d2427684ac1f489338d075.r2.dev\",\"version\":\"TLS 1.3\",\"ja3\":{\"hash\":\"0faf2a91198d40dbd58b9308f3fca2fd\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-65037,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"eb1d94daa7e0344597e756a1fb6e7054\",\"string\":\"771,4865,51-43\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":945,\"bytes_toclient\":1654,\"start\":\"2026-03-15T04:50:32.488861+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2026-03-15T04:50:32Z","timestamp":1773550232,"ip_dst":{"addr":"104.18.50.34","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":41658,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO Observed Cloudflare R2 Public Bucket (r2 .dev) Domain in TLS SNI","source":"{\"timestamp\":\"2026-03-15T04:50:32.500888+0000\",\"flow_id\":538645716563215,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.8\",\"src_port\":41658,\"dest_ip\":\"104.18.50.34\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2062569,\"rev\":1,\"signature\":\"ET INFO Observed Cloudflare R2 Public Bucket (r2 .dev) Domain in TLS SNI\",\"category\":\"Misc activity\",\"severity\":3,\"source\":{\"ip\":\"104.18.50.34\",\"port\":443},\"target\":{\"ip\":\"172.18.0.8\",\"port\":41658},\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"High\"],\"created_at\":[\"2025_05_27\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2025_05_27\"]}},\"tls\":{\"sni\":\"pub-14c1504681d2427684ac1f489338d075.r2.dev\",\"version\":\"TLS 1.3\",\"ja3\":{\"hash\":\"0faf2a91198d40dbd58b9308f3fca2fd\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-65037,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"eb1d94daa7e0344597e756a1fb6e7054\",\"string\":\"771,4865,51-43\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":945,\"bytes_toclient\":1654,\"start\":\"2026-03-15T04:50:32.488719+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2026-03-15T04:50:32Z","timestamp":1773550232,"ip_dst":{"addr":"104.18.50.34","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":41652,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO Observed Cloudflare R2 Public Bucket (r2 .dev) Domain in TLS SNI","source":"{\"timestamp\":\"2026-03-15T04:50:32.504458+0000\",\"flow_id\":1910602152309821,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.8\",\"src_port\":41652,\"dest_ip\":\"104.18.50.34\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2062569,\"rev\":1,\"signature\":\"ET INFO Observed Cloudflare R2 Public Bucket (r2 .dev) Domain in TLS SNI\",\"category\":\"Misc activity\",\"severity\":3,\"source\":{\"ip\":\"104.18.50.34\",\"port\":443},\"target\":{\"ip\":\"172.18.0.8\",\"port\":41652},\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"High\"],\"created_at\":[\"2025_05_27\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2025_05_27\"]}},\"tls\":{\"sni\":\"pub-14c1504681d2427684ac1f489338d075.r2.dev\",\"version\":\"TLS 1.3\",\"ja3\":{\"hash\":\"0faf2a91198d40dbd58b9308f3fca2fd\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-65037,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"eb1d94daa7e0344597e756a1fb6e7054\",\"string\":\"771,4865,51-43\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":945,\"bytes_toclient\":1654,\"start\":\"2026-03-15T04:50:32.488509+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2026-03-15T04:50:32Z","timestamp":1773550232,"ip_dst":{"addr":"104.18.50.34","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":41686,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO Observed Cloudflare R2 Public Bucket (r2 .dev) Domain in TLS SNI","source":"{\"timestamp\":\"2026-03-15T04:50:32.514717+0000\",\"flow_id\":1334264785827382,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.8\",\"src_port\":41686,\"dest_ip\":\"104.18.50.34\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2062569,\"rev\":1,\"signature\":\"ET INFO Observed Cloudflare R2 Public Bucket (r2 .dev) Domain in TLS SNI\",\"category\":\"Misc activity\",\"severity\":3,\"source\":{\"ip\":\"104.18.50.34\",\"port\":443},\"target\":{\"ip\":\"172.18.0.8\",\"port\":41686},\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"High\"],\"created_at\":[\"2025_05_27\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2025_05_27\"]}},\"tls\":{\"sni\":\"pub-14c1504681d2427684ac1f489338d075.r2.dev\",\"version\":\"TLS 1.3\",\"ja3\":{\"hash\":\"0faf2a91198d40dbd58b9308f3fca2fd\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-65037,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"eb1d94daa7e0344597e756a1fb6e7054\",\"string\":\"771,4865,51-43\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":4,\"bytes_toserver\":945,\"bytes_toclient\":2671,\"start\":\"2026-03-15T04:50:32.489014+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2026-03-15T04:50:32Z","timestamp":1773550232,"ip_dst":{"addr":"104.18.50.34","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":41704,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO Observed Cloudflare R2 Public Bucket (r2 .dev) Domain in TLS SNI","source":"{\"timestamp\":\"2026-03-15T04:50:32.519649+0000\",\"flow_id\":1532645030262644,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.8\",\"src_port\":41704,\"dest_ip\":\"104.18.50.34\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2062569,\"rev\":1,\"signature\":\"ET INFO Observed Cloudflare R2 Public Bucket (r2 .dev) Domain in TLS SNI\",\"category\":\"Misc activity\",\"severity\":3,\"source\":{\"ip\":\"104.18.50.34\",\"port\":443},\"target\":{\"ip\":\"172.18.0.8\",\"port\":41704},\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"High\"],\"created_at\":[\"2025_05_27\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2025_05_27\"]}},\"tls\":{\"sni\":\"pub-14c1504681d2427684ac1f489338d075.r2.dev\",\"version\":\"TLS 1.3\",\"ja3\":{\"hash\":\"650c82854aed91a22996035b295a0c3e\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-21,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"eb1d94daa7e0344597e756a1fb6e7054\",\"string\":\"771,4865,51-43\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":4,\"bytes_toserver\":789,\"bytes_toclient\":2595,\"start\":\"2026-03-15T04:50:32.489332+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2026-03-15T04:50:32Z","timestamp":1773550232,"ip_dst":{"addr":"104.18.50.34","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":41696,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO Observed Cloudflare R2 Public Bucket (r2 .dev) Domain in TLS SNI","source":"{\"timestamp\":\"2026-03-15T04:50:32.521822+0000\",\"flow_id\":1344725178676967,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.8\",\"src_port\":41696,\"dest_ip\":\"104.18.50.34\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2062569,\"rev\":1,\"signature\":\"ET INFO Observed Cloudflare R2 Public Bucket (r2 .dev) Domain in TLS SNI\",\"category\":\"Misc activity\",\"severity\":3,\"source\":{\"ip\":\"104.18.50.34\",\"port\":443},\"target\":{\"ip\":\"172.18.0.8\",\"port\":41696},\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"High\"],\"created_at\":[\"2025_05_27\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2025_05_27\"]}},\"tls\":{\"sni\":\"pub-14c1504681d2427684ac1f489338d075.r2.dev\",\"version\":\"TLS 1.3\",\"ja3\":{\"hash\":\"650c82854aed91a22996035b295a0c3e\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-21,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"eb1d94daa7e0344597e756a1fb6e7054\",\"string\":\"771,4865,51-43\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":4,\"bytes_toserver\":789,\"bytes_toclient\":2595,\"start\":\"2026-03-15T04:50:32.489191+0000\"}}"}],"analyzer":[{"sensor_name":"user_akbkyowd9geqr98","sensor_type":"yara","title":"Private YARA rules","description":"Private YARA rules","scan_date":"2026-03-15","alert":"Hunting_JS_WebAssembly","trigger":"secure-auth-6185.vercel.app/demo.php?id=69addbedacd7bd42deda01da\u0026parent_url=distorted-allocations.xyz%2F","verdict":"audit","severity":"audit","comment":"","link":"","meta":{"description":"Looking for manual construction of JS wasmCode used in exploits","rule":"Hunting_JS_WebAssembly"},"detection_meta":{"user_id":"akbkyowd9geqr98","detection_id":"01K9VTTZ58QH7V4PSKSDDP3N4H","visibility":"private"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2026-03-15","alert":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","trigger":"pub-14c1504681d2427684ac1f489338d075.r2.dev/phantom-bypass1-desktop.gif","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-07-02","description":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","reference":"https://en.wikipedia.org/wiki/GIF","rule":"SUSP_GIF_Anomalies","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2026-03-15","alert":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","trigger":"pub-14c1504681d2427684ac1f489338d075.r2.dev/phantom-bypass2-desktop.gif","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-07-02","description":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","reference":"https://en.wikipedia.org/wiki/GIF","rule":"SUSP_GIF_Anomalies","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2026-03-15","alert":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","trigger":"pub-14c1504681d2427684ac1f489338d075.r2.dev/solflare-bypass1-mobile.gif","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-07-02","description":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","reference":"https://en.wikipedia.org/wiki/GIF","rule":"SUSP_GIF_Anomalies","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2026-03-15","alert":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","trigger":"pub-14c1504681d2427684ac1f489338d075.r2.dev/solflare-bypass2-mobile.gif","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-07-02","description":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","reference":"https://en.wikipedia.org/wiki/GIF","rule":"SUSP_GIF_Anomalies","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2026-03-15","alert":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","trigger":"pub-14c1504681d2427684ac1f489338d075.r2.dev/solflare-bypass2-desktop.gif","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-07-02","description":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","reference":"https://en.wikipedia.org/wiki/GIF","rule":"SUSP_GIF_Anomalies","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2026-03-15","alert":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","trigger":"pub-14c1504681d2427684ac1f489338d075.r2.dev/solflare-bypass1-desktop.gif","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-07-02","description":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","reference":"https://en.wikipedia.org/wiki/GIF","rule":"SUSP_GIF_Anomalies","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2026-03-15","alert":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","trigger":"pub-14c1504681d2427684ac1f489338d075.r2.dev/phantom-bypass1-mobile.gif","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-07-02","description":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","reference":"https://en.wikipedia.org/wiki/GIF","rule":"SUSP_GIF_Anomalies","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2026-03-15","alert":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","trigger":"pub-14c1504681d2427684ac1f489338d075.r2.dev/phantom-bypass2-mobile.gif","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-07-02","description":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","reference":"https://en.wikipedia.org/wiki/GIF","rule":"SUSP_GIF_Anomalies","score":"60"}},{"sensor_name":"hagezi","sensor_type":"DNS","title":"Hagezi Threat Feed","description":"Hagezi Threat Feed","scan_date":"2026-03-15","alert":"Sinkholed","trigger":"distorted-allocations.xyz","verdict":"malicious","severity":"medium","comment":"","link":"https://github.com/hagezi/dns-blocklists","meta":null},{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2026-03-15","alert":"Sinkholed","trigger":"distorted-allocations.xyz","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null}],"urlquery":null},"summary":[{"fqdn":"distorted-allocations.xyz","ip":{"addr":"188.114.96.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":16,"request_count":8,"received_data":220465,"sent_data":3734,"comment":"","tags":null,"fingerprints":[{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]},{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}]},{"fqdn":"secure-auth-6185.vercel.app","ip":{"addr":"216.198.79.131","port":443,"asn":16509,"as":"AMAZON-02","country":"United States","country_code":"US"},"domain_registered":"unknown","domain_rank":0,"first_seen":"2026-03-15T04:51:09.778287Z","last_seen":"2026-03-15T04:51:09.778287Z","alert_count":0,"request_count":4,"received_data":2860734,"sent_data":2283,"comment":"","tags":null,"fingerprints":[{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]},{"name":"Vercel","description":"Vercel is a cloud platform for static frontends and serverless functions.","website":"https://vercel.com","common_platform_enumeration":"","icon":"vercel.svg","categories":["PaaS"]}]},{"fqdn":"pub-14c1504681d2427684ac1f489338d075.r2.dev","ip":{"addr":"104.18.50.34","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"domain_registered":"2022-08-23","domain_rank":0,"first_seen":"2026-02-25T03:05:04.781981Z","last_seen":"2026-03-12T20:07:07.154249Z","alert_count":8,"request_count":8,"received_data":40697176,"sent_data":3896,"comment":"","tags":null,"fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}]},{"fqdn":"dns.google","ip":{"addr":"8.8.4.4","port":443,"asn":15169,"as":"GOOGLE","country":"United States","country_code":"US"},"domain_registered":"2018-04-16","domain_rank":158,"first_seen":"2018-10-26T18:11:46Z","last_seen":"2026-03-12T09:01:10.186238Z","alert_count":0,"request_count":1,"received_data":806,"sent_data":519,"comment":"","tags":null,"fingerprints":[{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]}]}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":null,"analyzer":null,"urlquery":null},"javascript":{"script":[{"url":{"schema":"https","addr":"distorted-allocations.xyz/","fqdn":"distorted-allocations.xyz","domain":"distorted-allocations.xyz","tld":"xyz"},"ip":{"addr":"188.114.96.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"introduction_type":"scriptElement","is_inline":true,"md5":"adb5accbf3eea1a9809fe2f31a17dc51","sha1":"b5dd2e8dd5de9825a940e9b3cac200a1a3b022ac","sha256":"74f41e9217fdfb6538bad20759a5185689b15ad82280de27abe2dfc2b3c034b0","sha512":"01774b850246e42054968343c0726b2f1d81c0542a03f7cf26952862207dc1517e01bd321ce411cbbb8342b1a41c6191076139e4d6ec8a058ae1753a4c36cbeb","ssdeep":"","tlshash":"dc71282ce9b41cb3104ab07908be5247b570955b0d2a3d35bd4c829c5f0ee6e61be7e9","size":3587,"data":"","first_seen":"2024-08-19T21:41:20.669609Z","last_seen":"2026-05-06T23:47:35.269243Z","times_seen":366,"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"distorted-allocations.xyz/particles.min.js","fqdn":"distorted-allocations.xyz","domain":"distorted-allocations.xyz","tld":"xyz"},"ip":{"addr":"188.114.96.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"introduction_type":"scriptElement","is_inline":false,"md5":"00debcf6cf0789a19cee2278011afcd4","sha1":"8017f8b1869077db728573f1ca4684a00af69462","sha256":"faee7815a5fd27e938d1e01c8392b66332024908eb118048f608eee671371df6","sha512":"29e7f9b1cee07d369c47b4d929e95cad1b35e62a5fefeb7e9fb661ea628d25b996fbf4517425bd9f07cb9f8617d2cda73ba2afe58d8286a8086a4682e8f5b4f4","ssdeep":"384:NkfJtGvWjT6uYvqhCz8wSEHESxtVAFPQcYpeib+9rOEKXWd/:NC7T6uYvn8wRxwyryVOEKXW5","tlshash":"61a2934d23f73e77378ab2e09be9d122c774a4d1399b04b0f93c667da52549201ee7a0","size":23364,"data":"","first_seen":"2023-03-07T01:16:44Z","last_seen":"2026-06-13T15:22:40.998432Z","times_seen":5060,"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"distorted-allocations.xyz/noir.js","fqdn":"distorted-allocations.xyz","domain":"distorted-allocations.xyz","tld":"xyz"},"ip":{"addr":"188.114.96.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"introduction_type":"scriptElement","is_inline":false,"md5":"289801c57972a385666ed2f315ae22c7","sha1":"f29a45f7d50d247bdeb02e33ca1a0c3c855412fb","sha256":"54350298783277d926d7187ce8819dae9d608fc4f8475820f5d6c1f148ba59d8","sha512":"aaa80277f5d71cc4ef0f25d53056d5cbf59e4ad948c5e8c84cb7e9af86c36e6e634e7b8888ac829a0c75dc640db8d9450aaf10bfaaaeb4ee33bf377e421a9ec7","ssdeep":"768:L7P/CqN0Xs0HoBI/Y8q9lGj//Azm/g89Xn5aPrrY:L7P/CqN0Xs0Ia/YZ9lM/oVKXncTc","tlshash":"7ac21a6bce8f3d90cb251e1623ee1cc50a1d5b8a74e348cd960eb7c9815f57a44cc6e9","size":27887,"data":"","first_seen":"2026-03-10T18:24:09.1258Z","last_seen":"2026-03-15T05:04:28.125277Z","times_seen":4,"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"distorted-allocations.xyz/","fqdn":"distorted-allocations.xyz","domain":"distorted-allocations.xyz","tld":"xyz"},"ip":{"addr":"188.114.96.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"introduction_type":"eval","is_inline":false,"md5":"6a28e6e7d52442c61165355fce43951f","sha1":"51e6a29c3eacea74582f2b4e6753f1f823f92eb8","sha256":"d77635aa9b56de4d38c9791aafffd59a3250996b7f239cf03cf1a19d1ea491b9","sha512":"3e4e0806320addfd88c38f05f60416ddff9506d6ebc7d06254881ca8765289142eb7d3519fa3f6a6125c28d1bc4a5c3adacbf73e97a366a5937a494f707a1a4c","ssdeep":"192:EQurpriQeXQIdCpqO4D4ogfoiY+0dhNPnsEsC32pf7kuqGZvkpSFVBbNtqq8jcTh:XuqDCpJwskwkEZxtN+NH6R+4n","tlshash":"9c92e88ebf93123b66a3616e2bafa25c717650031509cd34bdbd93002f909b51276bfd","size":20833,"data":"","first_seen":"2026-03-10T18:24:09.140197Z","last_seen":"2026-03-15T05:04:28.172089Z","times_seen":4,"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"secure-auth-6185.vercel.app/demo.php?id=69addbedacd7bd42deda01da\u0026parent_url=distorted-allocations.xyz%2F","fqdn":"secure-auth-6185.vercel.app","domain":"secure-auth-6185.vercel.app","tld":"vercel.app"},"ip":{"addr":"216.198.79.131","port":443,"asn":16509,"as":"AMAZON-02","country":"United States","country_code":"US"},"introduction_type":"scriptElement","is_inline":true,"md5":"fe9e12635737435569920e8c9f1bf08a","sha1":"67dfce43e5d38db27fb5833049b88a85fedfdada","sha256":"2eed2188fae3ab40ff9a595f9c582ac43397396d787d1d8962ad8a3f6ad2eb6f","sha512":"c6e08f1004d458369b0af38a810945da98ec9b053948daa384b4571b3b4f944729476826440e6bd73f71f6215839027816d77d6cb39885dc6f9cf59a9d28b558","ssdeep":"","tlshash":"7ce07d54be1881e20be70929521d8382f52289520d95c0d614abd7cc433ce1f0a13e6a","size":321,"data":"","first_seen":"2026-03-15T01:38:23.796968Z","last_seen":"2026-04-21T17:37:09.666219Z","times_seen":20,"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"secure-auth-6185.vercel.app/demo.php?id=69addbedacd7bd42deda01da\u0026parent_url=distorted-allocations.xyz%2F","fqdn":"secure-auth-6185.vercel.app","domain":"secure-auth-6185.vercel.app","tld":"vercel.app"},"ip":{"addr":"216.198.79.131","port":443,"asn":16509,"as":"AMAZON-02","country":"United States","country_code":"US"},"introduction_type":"scriptElement","is_inline":true,"md5":"aca93cdf493b34b80819c852d1c467c9","sha1":"7ce2fc123070796d4f10168ec57c88838acf6842","sha256":"ce543b15c87b3f673543955065a7342de96508a65ff8823a49e43f549f70eea4","sha512":"9e130e92a8d238303ee45d007fd84c9c18a3d20081163422525e4415f9bd9456d75077919efdaa2732fa21a0cc126bcf9eab2b7c180fccd06b484a7cbb30f2c6","ssdeep":"","tlshash":"1ac012072045057518618554db236648bc1320bf2a11d155ab34959a1f705dbc3bba9e","size":187,"data":"","first_seen":"2026-03-15T04:51:17.548202Z","last_seen":"2026-03-15T04:51:17.548202Z","times_seen":1,"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"distorted-allocations.xyz/snowflakes.js","fqdn":"distorted-allocations.xyz","domain":"distorted-allocations.xyz","tld":"xyz"},"ip":{"addr":"188.114.96.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"introduction_type":"scriptElement","is_inline":false,"md5":"4a492afe47e2af6e5f5cc87512db9b62","sha1":"47e1342d2e705c3fd5c917ac47d6c4ca6677ede2","sha256":"d63054d0d07b0e61e0f1e5a3ea8670fbe0f2eae377913603a043f03d1cb3252c","sha512":"4c14d1e90c11f74d16c28834f2ce68ee4acaee657f5d4bb7e7dc13def8018a5e540913481f757adb6d45187a306db0e7a4fd1a26f7dfa01253aa9f19053c56f9","ssdeep":"","tlshash":"08510d4860a23828157f631d7ad2988ce5302027be014d7ebeae42635f71c4cdc98dfd","size":2457,"data":"","first_seen":"2025-08-31T03:13:37.754782Z","last_seen":"2026-05-01T15:06:22.864567Z","times_seen":342,"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"secure-auth-6185.vercel.app/demo.php?id=69addbedacd7bd42deda01da\u0026parent_url=distorted-allocations.xyz%2F","fqdn":"secure-auth-6185.vercel.app","domain":"secure-auth-6185.vercel.app","tld":"vercel.app"},"ip":{"addr":"216.198.79.131","port":443,"asn":16509,"as":"AMAZON-02","country":"United States","country_code":"US"},"introduction_type":"scriptElement","is_inline":true,"md5":"a79e3d17f4c1eea29ee18c61f050086f","sha1":"d62b9e56330e810cc3f8efc8f769896c41d68a9e","sha256":"fade746a4d7364cbf6d665ddc6c1463f2a51a57d9f73bdb754e92232c87b00b2","sha512":"f4d732f26a32db95d39db6fa0f0dd27c217bf833b7b7e0453fef24f3ac3f3c523c0c325618446c888dd05aa810751c07ee7ec53bbbbbecd92c3044f806ee4212","ssdeep":"49152:f4+xtaUFAYp8Su3ilTYDMsvpXrdVCiG/NdUgmS9UT9bCWCawOJGSH17129hBpWLO:DxuitgJCWCawOJi","tlshash":"2fd56cb073b1707907e792d454a71100f234a44a700984bcfbec95e7af9aaca957bf78","size":2851745,"data":"","first_seen":"2026-03-15T04:51:17.550784Z","last_seen":"2026-03-15T05:04:28.180388Z","times_seen":2,"alerts":{"ids":null,"analyzer":[{"sensor_name":"user_akbkyowd9geqr98","sensor_type":"yara","title":"Private YARA rules","description":"Private YARA rules","scan_date":"2026-03-15","alert":"Hunting_JS_WebAssembly","trigger":"secure-auth-6185.vercel.app/demo.php?id=69addbedacd7bd42deda01da\u0026parent_url=distorted-allocations.xyz%2F","verdict":"audit","severity":"audit","comment":"","link":"","meta":{"description":"Looking for manual construction of JS wasmCode used in exploits","rule":"Hunting_JS_WebAssembly"},"detection_meta":{"user_id":"akbkyowd9geqr98","detection_id":"01K9VTTZ58QH7V4PSKSDDP3N4H","visibility":"private"}}],"urlquery":null}}],"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"distorted-allocations.xyz/","fqdn":"distorted-allocations.xyz","domain":"distorted-allocations.xyz","tld":"xyz"},"ip":{"addr":"188.114.96.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2026-03-15T04:50:27.477Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"distorted-allocations.xyz","organization":""},"issuer":{"commonName":"E7","organization":"Let's Encrypt"},"validity":{"start":"Wed, 11 Mar 2026 19:16:10 GMT","end":"Tue, 09 Jun 2026 19:16:09 GMT"},"fingerprint":{"sha1":"A4:5E:CB:BF:3F:CF:72:13:69:9C:A2:B9:7E:24:A0:44:AC:4C:0B:9F","sha256":"D2:07:00:07:0E:F2:AF:48:5C:3B:23:0D:2B:6A:1A:E1:BB:DD:34:37:32:2A:47:4A:6A:AC:E6:11:EE:9A:A4:04"}}},"request":{"raw":"GET / HTTP/1.1\r\nHost: distorted-allocations.xyz\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ndate: Sun, 15 Mar 2026 04:50:27 GMT\r\ncontent-type: text/html\r\nserver: cloudflare\r\ncast-mode: default\r\nlast-modified: Wed, 11 Mar 2026 21:58:02 GMT\r\nnel: {\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}\r\nstrict-transport-security: max-age=63072000; includeSubDomains; preload\r\ncontent-security-policy: frame-ancestors http: https:\r\nx-content-type-options: nosniff\r\nx-xss-protection: 1; mode=block\r\nreport-to: {\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=PfZX6JIrYKY%2BVn2p6bxv2LZ0K3ssUompYpeCSVoWr%2FC4FVKSt0Xj8HKiZcykNaOeJvg6aLv2DEEWR45aRyau0hi%2BKFYEtBl0rOz1C48e2UpG8Uqjpuxvsh8%3D\"}]}\r\ncache-control: max-age=2592000\r\ncf-cache-status: MISS\r\nvary: accept-encoding\r\ncontent-encoding: br\r\ncf-ray: 9dc8e5ba5aa0120a-OSL\r\nalt-svc: h3=\":443\"; ma=86400\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]},{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":101442,"size_decoded":0,"mime_type":"text/html","magic":"HTML document, ASCII text, with very long lines (62158)","md5":"26d63e7b041a3b4ac9494a21d112f2e0","sha1":"8429096ffdec4a6f07162ce38e0fbc5d7ba433b5","sha256":"09cb31e54801f99ea328bdbec6ca38f28366a2271c7cd653e0c5e451ff8bb561","sha512":"c5468d60d97a16d234310f36a89584b74b596ac01970b93e70996639d7037d3e27c68955dd2b567c35f67ba569a81940e2074d3c5adaeb9a9f9bd9da5a9a7ddc","ssdeep":"1536:NzjBRvb7zj9VckyxvxE4Z5hMcR239kPJdM9Nt3ZrPLaZYq:N3P0/TMT39kBMt35PLS","tlshash":"53a3806a4c5cab4e33321c2ecf13243e6e8665eeb60995df388f74ecc7664149665ce0","first_seen":"2026-03-15T04:51:17.517603Z","last_seen":"2026-03-15T05:04:28.119444Z","times_seen":2,"resource_available":false,"data":null}},"time_used":429,"timings":{"blocked":95,"dns":77,"connect":1,"send":0,"wait":235,"receive":0,"ssl":18},"alerts":{"ids":null,"analyzer":[{"sensor_name":"hagezi","sensor_type":"DNS","title":"Hagezi Threat Feed","description":"Hagezi Threat Feed","scan_date":"2026-03-15","alert":"Sinkholed","trigger":"distorted-allocations.xyz","verdict":"malicious","severity":"medium","comment":"","link":"https://github.com/hagezi/dns-blocklists","meta":null},{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2026-03-15","alert":"Sinkholed","trigger":"distorted-allocations.xyz","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null}],"urlquery":null}},{"url":{"schema":"https","addr":"distorted-allocations.xyz/particles.min.js","fqdn":"distorted-allocations.xyz","domain":"distorted-allocations.xyz","tld":"xyz"},"ip":{"addr":"188.114.96.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"script","requested_by":"https://distorted-allocations.xyz/","date":"2026-03-15T04:50:28.001Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"distorted-allocations.xyz","organization":""},"issuer":{"commonName":"E7","organization":"Let's Encrypt"},"validity":{"start":"Wed, 11 Mar 2026 19:16:10 GMT","end":"Tue, 09 Jun 2026 19:16:09 GMT"},"fingerprint":{"sha1":"A4:5E:CB:BF:3F:CF:72:13:69:9C:A2:B9:7E:24:A0:44:AC:4C:0B:9F","sha256":"D2:07:00:07:0E:F2:AF:48:5C:3B:23:0D:2B:6A:1A:E1:BB:DD:34:37:32:2A:47:4A:6A:AC:E6:11:EE:9A:A4:04"}}},"request":{"raw":"GET /particles.min.js HTTP/1.1\r\nHost: distorted-allocations.xyz\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://distorted-allocations.xyz/\r\nSec-Fetch-Dest: script\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/3 200 OK\r\ndate: Sun, 15 Mar 2026 04:50:28 GMT\r\ncontent-type: application/javascript\r\nserver: cloudflare\r\ncast-mode: default\r\nlast-modified: Wed, 11 Mar 2026 21:58:02 GMT\r\netag: W/\"69b1e56a-5b44\"\r\nstrict-transport-security: max-age=63072000; includeSubDomains; preload\r\ncontent-security-policy: frame-ancestors http: https:\r\nx-content-type-options: nosniff\r\nx-xss-protection: 1; mode=block\r\nx-cast-cache: MISS\r\ncontent-encoding: gzip\r\ncache-control: max-age=2592000\r\ncf-cache-status: MISS\r\nvary: accept-encoding\r\npriority: u=3,i=?0\r\nreport-to: {\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=nDKnfuPhTjLrmyaazEmzWp2OWWX61rFG1ZujgePXwgFJYUasaD481DxAqGsqSSlUoBzOJN77%2FDGRQg%2FIlH7L1CJECva4UNP03UtbVE%2FacYtNhfSDn92hKOQ%3D\"}]}\r\nnel: {\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}\r\ncf-ray: 9dc8e5bce891b1b8-OSL\r\nalt-svc: h3=\":443\"; ma=86400\r\nserver-timing: cfExtPri\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]},{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":23364,"size_decoded":0,"mime_type":"application/javascript","magic":"ASCII text, with very long lines (23002)","md5":"00debcf6cf0789a19cee2278011afcd4","sha1":"8017f8b1869077db728573f1ca4684a00af69462","sha256":"faee7815a5fd27e938d1e01c8392b66332024908eb118048f608eee671371df6","sha512":"29e7f9b1cee07d369c47b4d929e95cad1b35e62a5fefeb7e9fb661ea628d25b996fbf4517425bd9f07cb9f8617d2cda73ba2afe58d8286a8086a4682e8f5b4f4","ssdeep":"384:NkfJtGvWjT6uYvqhCz8wSEHESxtVAFPQcYpeib+9rOEKXWd/:NC7T6uYvn8wRxwyryVOEKXW5","tlshash":"61a2934d23f73e77378ab2e09be9d122c774a4d1399b04b0f93c667da52549201ee7a0","first_seen":"2023-03-07T01:16:44Z","last_seen":"2026-06-13T15:22:40.998432Z","times_seen":5060,"resource_available":true,"data":null}},"time_used":232,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":231,"receive":1,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2026-03-15","alert":"Sinkholed","trigger":"distorted-allocations.xyz","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null},{"sensor_name":"hagezi","sensor_type":"DNS","title":"Hagezi Threat Feed","description":"Hagezi Threat Feed","scan_date":"2026-03-15","alert":"Sinkholed","trigger":"distorted-allocations.xyz","verdict":"malicious","severity":"medium","comment":"","link":"https://github.com/hagezi/dns-blocklists","meta":null}],"urlquery":null}},{"url":{"schema":"https","addr":"secure-auth-6185.vercel.app/demo.php?id=69addbedacd7bd42deda01da\u0026parent_url=distorted-allocations.xyz%2F","fqdn":"secure-auth-6185.vercel.app","domain":"secure-auth-6185.vercel.app","tld":"vercel.app"},"ip":{"addr":"216.198.79.131","port":443,"asn":16509,"as":"AMAZON-02","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"subdocument","requested_by":"https://distorted-allocations.xyz/","date":"2026-03-15T04:50:28.842Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.vercel.app","organization":""},"issuer":{"commonName":"WR1","organization":"Google Trust Services"},"validity":{"start":"Thu, 26 Feb 2026 06:28:03 GMT","end":"Wed, 27 May 2026 06:28:02 GMT"},"fingerprint":{"sha1":"D6:62:1A:52:B7:FD:F6:BB:FA:AC:01:9E:BB:CD:40:86:5F:04:95:51","sha256":"4B:37:7D:7D:8E:17:70:BB:E1:51:9B:58:96:24:6C:11:6A:B3:AE:A9:68:43:46:58:B3:30:F0:54:F7:EA:43:38"}}},"request":{"raw":"GET /demo.php?id=69addbedacd7bd42deda01da\u0026parent_url=distorted-allocations.xyz%2F HTTP/1.1\r\nHost: secure-auth-6185.vercel.app\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://distorted-allocations.xyz/\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: iframe\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\naccess-control-allow-headers: *\r\naccess-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS\r\naccess-control-allow-origin: *\r\nage: 0\r\ncache-control: public, max-age=0, must-revalidate\r\ncontent-encoding: br\r\ncontent-type: text/html; charset=utf-8\r\ndate: Sun, 15 Mar 2026 04:50:30 GMT\r\nnel: {\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}\r\nreport-to: {\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=oulPwgGMfHSDY9mFAEbARhQC3FBv4HKZS0aPi3WkRyGE%2FozjdJ4ZYiiyBW2c79oEp8PUC6TOFGHkNYtI4OjyjnnsKaxJum%2BDSsSzr9407BhKavp7gCntYh5WRV45rkpfY%2B8tAg%3D%3D\"}]}\r\nserver: Vercel\r\nstrict-transport-security: max-age=63072000; includeSubDomains; preload\r\nvary: Origin,Accept-Encoding\r\nx-ratelimit-limit: 60\r\nx-ratelimit-remaining: 59\r\nx-ratelimit-reset: 60\r\nx-vercel-cache: MISS\r\nx-vercel-id: arn1::arn1::4cjtr-1773550228935-f1183a2d8329\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]},{"name":"Vercel","description":"Vercel is a cloud platform for static frontends and serverless functions.","website":"https://vercel.com","common_platform_enumeration":"","icon":"vercel.svg","categories":["PaaS"]}],"data":{"size":2855955,"size_decoded":0,"mime_type":"text/html; charset=utf-8","magic":"HTML document, ASCII text, with very long lines (33714)","md5":"9f1305b088e857e1632898f23cf7026c","sha1":"100fb5e6490fbf5a7eba7815c0a1a1dc56737bab","sha256":"adf387c3344c9f9162b5f68898668c7b3d2b75b3509fbf40ea2fd3433d36a591","sha512":"18095929fe79515fb197fda0ca22d39a77a17c57187b1aa47eba8f49c24408a518a38358f089188b0e51b7577f6bfbc8cbf09f5b5fc8370d665d4fb8a92211b1","ssdeep":"12288:A44LZxNuaZYNUIFPfLUlKY4Ue+jFy1rq6c5249AZQmYN8Ge5CK3i/R0u4gpJE:A4cZxtaUFBE1r5c52aAZSu3iZ0uTJE","tlshash":"a5256cb073a1b07a03eb92d594661100f334941a700d84acfbaca9eb6f959cf957bf35","first_seen":"2026-03-15T04:51:17.521394Z","last_seen":"2026-03-15T04:51:17.521394Z","times_seen":1,"resource_available":false,"data":null}},"time_used":177,"timings":{"blocked":88,"dns":20,"connect":16,"send":0,"wait":11,"receive":0,"ssl":35},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"pub-14c1504681d2427684ac1f489338d075.r2.dev/phantom-bypass1-desktop.gif","fqdn":"pub-14c1504681d2427684ac1f489338d075.r2.dev","domain":"pub-14c1504681d2427684ac1f489338d075.r2.dev","tld":"r2.dev"},"ip":{"addr":"104.18.50.34","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://secure-auth-6185.vercel.app/demo.php?id=69addbedacd7bd42deda01da\u0026parent_url=distorted-allocations.xyz%2F","date":"2026-03-15T04:50:32.458Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.r2.dev","organization":""},"issuer":{"commonName":"E7","organization":"Let's Encrypt"},"validity":{"start":"Sat, 14 Mar 2026 07:41:58 GMT","end":"Fri, 12 Jun 2026 07:41:57 GMT"},"fingerprint":{"sha1":"C0:16:76:CB:73:59:54:FD:EE:F5:98:D9:1E:84:2C:64:5E:69:4A:C1","sha256":"EB:7F:C6:00:94:82:C3:E3:51:75:19:72:94:30:B8:60:5D:EE:9D:90:4D:0A:8E:6F:2C:9A:F7:84:10:1D:65:C5"}}},"request":{"raw":"GET /phantom-bypass1-desktop.gif HTTP/1.1\r\nHost: pub-14c1504681d2427684ac1f489338d075.r2.dev\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nOrigin: https://secure-auth-6185.vercel.app\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Sun, 15 Mar 2026 04:50:32 GMT\r\nContent-Type: image/gif\r\nContent-Length: 2031700\r\nConnection: keep-alive\r\nAccept-Ranges: bytes\r\nAccess-Control-Allow-Origin: *\r\nETag: \"a22dc9face81ff1665651f1052a0a99f\"\r\nLast-Modified: Fri, 23 Jan 2026 22:55:18 GMT\r\nVary: Origin\r\nServer: cloudflare\r\nCF-RAY: 9dc8e5d97df98be6-OSL\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":2031700,"size_decoded":0,"mime_type":"image/gif","magic":"GIF image data, version 89a, 480 x 807","md5":"37d621b0888b9c9acaadc1142424a21c","sha1":"cbb67a69d5c908ed0643897721984ff71bf7a0d8","sha256":"b69becaf20ae2c964f0068c915b5d036da7dc363b1ea662f069f53f647706314","sha512":"474aad76d233471363cdabd9efc14cc91b32e291fc0e70d5bac4f9e5e20c36399f05f2f099795fa60cc9a7147632933594604474935b1e73923115ea8eaf7391","ssdeep":"24576:/2TAaRkFipRWRSlpAzUWOsWWvbLqhDVtxB6Ewq4zG:ZhZv4JsZDL8Da1a","tlshash":"e925333bc65d46417aa900115b2162708d3368ac58ffe63383edde72d78ba3c7d643a9","first_seen":"2026-03-08T18:49:18.127937Z","last_seen":"2026-06-01T09:54:50.06681Z","times_seen":62,"resource_available":false,"data":null}},"time_used":569,"timings":{"blocked":92,"dns":35,"connect":1,"send":0,"wait":94,"receive":286,"ssl":56},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2026-03-15","alert":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","trigger":"pub-14c1504681d2427684ac1f489338d075.r2.dev/phantom-bypass1-desktop.gif","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-07-02","description":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","reference":"https://en.wikipedia.org/wiki/GIF","rule":"SUSP_GIF_Anomalies","score":"60"}}],"urlquery":null}},{"url":{"schema":"https","addr":"distorted-allocations.xyz/snowflakes.js","fqdn":"distorted-allocations.xyz","domain":"distorted-allocations.xyz","tld":"xyz"},"ip":{"addr":"188.114.96.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"script","requested_by":"https://distorted-allocations.xyz/","date":"2026-03-15T04:50:27.994Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"distorted-allocations.xyz","organization":""},"issuer":{"commonName":"E7","organization":"Let's Encrypt"},"validity":{"start":"Wed, 11 Mar 2026 19:16:10 GMT","end":"Tue, 09 Jun 2026 19:16:09 GMT"},"fingerprint":{"sha1":"A4:5E:CB:BF:3F:CF:72:13:69:9C:A2:B9:7E:24:A0:44:AC:4C:0B:9F","sha256":"D2:07:00:07:0E:F2:AF:48:5C:3B:23:0D:2B:6A:1A:E1:BB:DD:34:37:32:2A:47:4A:6A:AC:E6:11:EE:9A:A4:04"}}},"request":{"raw":"GET /snowflakes.js HTTP/1.1\r\nHost: distorted-allocations.xyz\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://distorted-allocations.xyz/\r\nSec-Fetch-Dest: script\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/3 200 OK\r\ndate: Sun, 15 Mar 2026 04:50:28 GMT\r\ncontent-type: application/javascript\r\nserver: cloudflare\r\ncast-mode: default\r\nlast-modified: Wed, 11 Mar 2026 21:58:02 GMT\r\netag: W/\"69b1e56a-999\"\r\nstrict-transport-security: max-age=63072000; includeSubDomains; preload\r\ncontent-security-policy: frame-ancestors http: https:\r\nx-content-type-options: nosniff\r\nx-xss-protection: 1; mode=block\r\nx-cast-cache: MISS\r\ncontent-encoding: gzip\r\ncache-control: max-age=2592000\r\ncf-cache-status: MISS\r\nvary: accept-encoding\r\npriority: u=2,i=?0\r\nreport-to: {\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=pouoatorCj3eSBtF2nBSCHar9caPsL8c8Mzf2FvN6NqhKTiJSaZavu05a8baEoa5jyX5wfNL%2Bpu1IlBPhsEEX2dxkwMzYOg1ThuCG59K1qIa5F0cMqhmjbM%3D\"}]}\r\nnel: {\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}\r\ncf-ray: 9dc8e5bce882b1b8-OSL\r\nalt-svc: h3=\":443\"; ma=86400\r\nserver-timing: cfExtPri\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]},{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":2457,"size_decoded":0,"mime_type":"application/javascript","magic":"JavaScript source, ASCII text, with CRLF line terminators","md5":"4a492afe47e2af6e5f5cc87512db9b62","sha1":"47e1342d2e705c3fd5c917ac47d6c4ca6677ede2","sha256":"d63054d0d07b0e61e0f1e5a3ea8670fbe0f2eae377913603a043f03d1cb3252c","sha512":"4c14d1e90c11f74d16c28834f2ce68ee4acaee657f5d4bb7e7dc13def8018a5e540913481f757adb6d45187a306db0e7a4fd1a26f7dfa01253aa9f19053c56f9","ssdeep":"","tlshash":"08510d4860a23828157f631d7ad2988ce5302027be014d7ebeae42635f71c4cdc98dfd","first_seen":"2025-08-31T03:13:37.754782Z","last_seen":"2026-05-01T15:06:22.864567Z","times_seen":342,"resource_available":true,"data":null}},"time_used":215,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":215,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2026-03-15","alert":"Sinkholed","trigger":"distorted-allocations.xyz","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null},{"sensor_name":"hagezi","sensor_type":"DNS","title":"Hagezi Threat Feed","description":"Hagezi Threat Feed","scan_date":"2026-03-15","alert":"Sinkholed","trigger":"distorted-allocations.xyz","verdict":"malicious","severity":"medium","comment":"","link":"https://github.com/hagezi/dns-blocklists","meta":null}],"urlquery":null}},{"url":{"schema":"https","addr":"distorted-allocations.xyz/119246100adcd76322fde730b9f8859e.txt","fqdn":"distorted-allocations.xyz","domain":"distorted-allocations.xyz","tld":"xyz"},"ip":{"addr":"188.114.96.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"subdocument","requested_by":"https://distorted-allocations.xyz/","date":"2026-03-15T04:50:28.444Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"distorted-allocations.xyz","organization":""},"issuer":{"commonName":"E7","organization":"Let's Encrypt"},"validity":{"start":"Wed, 11 Mar 2026 19:16:10 GMT","end":"Tue, 09 Jun 2026 19:16:09 GMT"},"fingerprint":{"sha1":"A4:5E:CB:BF:3F:CF:72:13:69:9C:A2:B9:7E:24:A0:44:AC:4C:0B:9F","sha256":"D2:07:00:07:0E:F2:AF:48:5C:3B:23:0D:2B:6A:1A:E1:BB:DD:34:37:32:2A:47:4A:6A:AC:E6:11:EE:9A:A4:04"}}},"request":{"raw":"GET /119246100adcd76322fde730b9f8859e.txt HTTP/1.1\r\nHost: distorted-allocations.xyz\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://distorted-allocations.xyz/\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: iframe\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/3 200 OK\r\ndate: Sun, 15 Mar 2026 04:50:28 GMT\r\ncontent-type: text/plain\r\ncontent-length: 0\r\nserver: cloudflare\r\ncast-mode: default\r\nlast-modified: Wed, 11 Mar 2026 21:58:02 GMT\r\netag: \"69b1e56a-0\"\r\nstrict-transport-security: max-age=63072000; includeSubDomains; preload\r\ncontent-security-policy: frame-ancestors http: https:\r\nx-content-type-options: nosniff\r\nx-xss-protection: 1; mode=block\r\naccept-ranges: bytes\r\ncache-control: max-age=2592000\r\ncf-cache-status: MISS\r\npriority: u=4,i=?0\r\nreport-to: {\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=%2FJSofIRPZCKtRy23W5hr8sJ9gITHHC0APO6jRpldCXq8FnhpuYFA0XegX6gupCWPtDoS1chon5bBPBnGx5n0yXYDreHZb1AR7XxKJUtAJ6mWjszyrxJ8a0Y%3D\"}]}\r\nnel: {\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}\r\ncf-ray: 9dc8e5bfcd5db1b8-OSL\r\nalt-svc: h3=\":443\"; ma=86400\r\nserver-timing: cfExtPri\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]},{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":0,"size_decoded":0,"mime_type":"text/plain","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-06-13T18:33:32.683565Z","times_seen":16393053,"resource_available":true,"data":null}},"time_used":213,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":213,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"hagezi","sensor_type":"DNS","title":"Hagezi Threat Feed","description":"Hagezi Threat Feed","scan_date":"2026-03-15","alert":"Sinkholed","trigger":"distorted-allocations.xyz","verdict":"malicious","severity":"medium","comment":"","link":"https://github.com/hagezi/dns-blocklists","meta":null},{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2026-03-15","alert":"Sinkholed","trigger":"distorted-allocations.xyz","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null}],"urlquery":null}},{"url":{"schema":"https","addr":"pub-14c1504681d2427684ac1f489338d075.r2.dev/phantom-bypass2-desktop.gif","fqdn":"pub-14c1504681d2427684ac1f489338d075.r2.dev","domain":"pub-14c1504681d2427684ac1f489338d075.r2.dev","tld":"r2.dev"},"ip":{"addr":"104.18.50.34","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://secure-auth-6185.vercel.app/demo.php?id=69addbedacd7bd42deda01da\u0026parent_url=distorted-allocations.xyz%2F","date":"2026-03-15T04:50:32.461Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.r2.dev","organization":""},"issuer":{"commonName":"E7","organization":"Let's Encrypt"},"validity":{"start":"Sat, 14 Mar 2026 07:41:58 GMT","end":"Fri, 12 Jun 2026 07:41:57 GMT"},"fingerprint":{"sha1":"C0:16:76:CB:73:59:54:FD:EE:F5:98:D9:1E:84:2C:64:5E:69:4A:C1","sha256":"EB:7F:C6:00:94:82:C3:E3:51:75:19:72:94:30:B8:60:5D:EE:9D:90:4D:0A:8E:6F:2C:9A:F7:84:10:1D:65:C5"}}},"request":{"raw":"GET /phantom-bypass2-desktop.gif HTTP/1.1\r\nHost: pub-14c1504681d2427684ac1f489338d075.r2.dev\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nOrigin: https://secure-auth-6185.vercel.app\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Sun, 15 Mar 2026 04:50:32 GMT\r\nContent-Type: image/gif\r\nContent-Length: 3967947\r\nConnection: keep-alive\r\nAccept-Ranges: bytes\r\nAccess-Control-Allow-Origin: *\r\nETag: \"5a6a3867cbfe36845cfc495e5ca7f0ea\"\r\nLast-Modified: Fri, 23 Jan 2026 15:05:42 GMT\r\nVary: Origin\r\nServer: cloudflare\r\nCF-RAY: 9dc8e5d97f2b2678-OSL\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":3967947,"size_decoded":0,"mime_type":"image/gif","magic":"GIF image data, version 89a, 480 x 807","md5":"d93576ba91ca34c6a838ecb0a2007171","sha1":"c4e5bde21d173bd4fcd9129fbdbde6222c276da2","sha256":"bd3b1e09eca059acc8e0bbb505184eb2e25f7d41b27842fc776734881d4742df","sha512":"1757d06e3d6fcf45d5a48f8f6339866791fe4add35e57b447144d7b3bc7c7b25a851adda4b4abfdadc8dc7134f21016a79f7405bb79e50115dce6a8c93a59ef6","ssdeep":"24576:avufiMHLszpYKMLHl4XSjC3h+NeQo3QSlw:oFMHLsMl/CzsAw","tlshash":"db2523ae806d4dc1229501a12516783c14a5a07e8df2bc3db5a8df8dc29ff7b9ce90f5","first_seen":"2026-03-07T01:35:12.450999Z","last_seen":"2026-06-01T09:54:50.000032Z","times_seen":63,"resource_available":false,"data":null}},"time_used":838,"timings":{"blocked":91,"dns":34,"connect":1,"send":0,"wait":94,"receive":555,"ssl":51},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2026-03-15","alert":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","trigger":"pub-14c1504681d2427684ac1f489338d075.r2.dev/phantom-bypass2-desktop.gif","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-07-02","description":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","reference":"https://en.wikipedia.org/wiki/GIF","rule":"SUSP_GIF_Anomalies","score":"60"}}],"urlquery":null}},{"url":{"schema":"https","addr":"pub-14c1504681d2427684ac1f489338d075.r2.dev/solflare-bypass1-mobile.gif","fqdn":"pub-14c1504681d2427684ac1f489338d075.r2.dev","domain":"pub-14c1504681d2427684ac1f489338d075.r2.dev","tld":"r2.dev"},"ip":{"addr":"104.18.50.34","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://secure-auth-6185.vercel.app/demo.php?id=69addbedacd7bd42deda01da\u0026parent_url=distorted-allocations.xyz%2F","date":"2026-03-15T04:50:32.465Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.r2.dev","organization":""},"issuer":{"commonName":"E7","organization":"Let's Encrypt"},"validity":{"start":"Sat, 14 Mar 2026 07:41:58 GMT","end":"Fri, 12 Jun 2026 07:41:57 GMT"},"fingerprint":{"sha1":"C0:16:76:CB:73:59:54:FD:EE:F5:98:D9:1E:84:2C:64:5E:69:4A:C1","sha256":"EB:7F:C6:00:94:82:C3:E3:51:75:19:72:94:30:B8:60:5D:EE:9D:90:4D:0A:8E:6F:2C:9A:F7:84:10:1D:65:C5"}}},"request":{"raw":"GET /solflare-bypass1-mobile.gif HTTP/1.1\r\nHost: pub-14c1504681d2427684ac1f489338d075.r2.dev\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nOrigin: https://secure-auth-6185.vercel.app\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Sun, 15 Mar 2026 04:50:32 GMT\r\nContent-Type: image/gif\r\nContent-Length: 6028322\r\nConnection: keep-alive\r\nAccept-Ranges: bytes\r\nAccess-Control-Allow-Origin: *\r\nETag: \"cf5ac8fca45e5d0409fef8923c179975\"\r\nLast-Modified: Fri, 23 Jan 2026 22:54:15 GMT\r\nVary: Origin\r\nServer: cloudflare\r\nCF-RAY: 9dc8e5d97e072efa-OSL\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":6028322,"size_decoded":0,"mime_type":"image/gif","magic":"GIF image data, version 89a, 480 x 807","md5":"702758821d82f5549c2922f81710886f","sha1":"f318b7afd08f139ed22ac505130fc66efcc40962","sha256":"8b093466588a613d01fdfa9d301866c5a064d3f7e8b8d0105c6b3df4972c15bb","sha512":"27b892bfafa582e0d5b19eb7d7c7e714c468c58aecb3bc69f81b37b273f9222cb302f34045e4bfb3d436e6be55a3fa54b223cd6f801045bed2a8ba6dc3c41c90","ssdeep":"24576:WKS1/OBbi61/Vvx5qYONFC9VGM60S15tk+ebyMyRfMdlE:38h+tvxpOXC9VBTOFR0dS","tlshash":"412533b9b82a3481eb0179507d6f2522a9f7746f487b7f734354fa2363eae85d2c1018","first_seen":"2026-03-08T18:49:18.14445Z","last_seen":"2026-06-01T09:54:50.017658Z","times_seen":62,"resource_available":false,"data":null}},"time_used":1004,"timings":{"blocked":92,"dns":32,"connect":19,"send":0,"wait":134,"receive":678,"ssl":37},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2026-03-15","alert":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","trigger":"pub-14c1504681d2427684ac1f489338d075.r2.dev/solflare-bypass1-mobile.gif","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-07-02","description":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","reference":"https://en.wikipedia.org/wiki/GIF","rule":"SUSP_GIF_Anomalies","score":"60"}}],"urlquery":null}},{"url":{"schema":"https","addr":"pub-14c1504681d2427684ac1f489338d075.r2.dev/solflare-bypass2-mobile.gif","fqdn":"pub-14c1504681d2427684ac1f489338d075.r2.dev","domain":"pub-14c1504681d2427684ac1f489338d075.r2.dev","tld":"r2.dev"},"ip":{"addr":"104.18.50.34","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://secure-auth-6185.vercel.app/demo.php?id=69addbedacd7bd42deda01da\u0026parent_url=distorted-allocations.xyz%2F","date":"2026-03-15T04:50:32.466Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.r2.dev","organization":""},"issuer":{"commonName":"E7","organization":"Let's Encrypt"},"validity":{"start":"Sat, 14 Mar 2026 07:41:58 GMT","end":"Fri, 12 Jun 2026 07:41:57 GMT"},"fingerprint":{"sha1":"C0:16:76:CB:73:59:54:FD:EE:F5:98:D9:1E:84:2C:64:5E:69:4A:C1","sha256":"EB:7F:C6:00:94:82:C3:E3:51:75:19:72:94:30:B8:60:5D:EE:9D:90:4D:0A:8E:6F:2C:9A:F7:84:10:1D:65:C5"}}},"request":{"raw":"GET /solflare-bypass2-mobile.gif HTTP/1.1\r\nHost: pub-14c1504681d2427684ac1f489338d075.r2.dev\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nOrigin: https://secure-auth-6185.vercel.app\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Sun, 15 Mar 2026 04:50:33 GMT\r\nContent-Type: image/gif\r\nContent-Length: 8319275\r\nConnection: keep-alive\r\nAccept-Ranges: bytes\r\nAccess-Control-Allow-Origin: *\r\nETag: \"ffdbd9550fb16af66a8cf7717da03833\"\r\nLast-Modified: Fri, 23 Jan 2026 22:07:07 GMT\r\nVary: Origin\r\nServer: cloudflare\r\nCF-RAY: 9dc8e5dbd9d28be6-OSL\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":8319275,"size_decoded":0,"mime_type":"image/gif","magic":"GIF image data, version 89a, 480 x 807","md5":"c7f02284ef4c6c534add4f4cf923bd2e","sha1":"a8a1b5efc7188d57767b8c10dd21a5bdaba1aa4d","sha256":"ec27d89fbe8d16080062e2d897533f7eb588857b3955dfd53a7d5d240121bc2a","sha512":"7821407b7deebbbd4ded8b8d19129e39ca67ca223f89605a6491de9e2b3344d9b3598bf0561f71ee60690509852fe5534812d49fd9e4caa5953bc2035f08b73b","ssdeep":"24576:bDYQNB1s7x5nT9wysI0jlfn8CUBJRzdUkkIrCfh2SA8RMT0Y:bDYCBsTqTjl0TBLWLZ2SA840Y","tlshash":"0925336db03d9653ebaf30223e5a13c0aedb901c8dbd3e213384ad21875b5ed1d6865d","first_seen":"2026-03-07T00:53:06.700379Z","last_seen":"2026-06-01T09:54:50.069305Z","times_seen":64,"resource_available":false,"data":null}},"time_used":1520,"timings":{"blocked":464,"dns":0,"connect":0,"send":0,"wait":89,"receive":967,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2026-03-15","alert":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","trigger":"pub-14c1504681d2427684ac1f489338d075.r2.dev/solflare-bypass2-mobile.gif","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-07-02","description":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","reference":"https://en.wikipedia.org/wiki/GIF","rule":"SUSP_GIF_Anomalies","score":"60"}}],"urlquery":null}},{"url":{"schema":"https","addr":"pub-14c1504681d2427684ac1f489338d075.r2.dev/solflare-bypass2-desktop.gif","fqdn":"pub-14c1504681d2427684ac1f489338d075.r2.dev","domain":"pub-14c1504681d2427684ac1f489338d075.r2.dev","tld":"r2.dev"},"ip":{"addr":"104.18.50.34","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://secure-auth-6185.vercel.app/demo.php?id=69addbedacd7bd42deda01da\u0026parent_url=distorted-allocations.xyz%2F","date":"2026-03-15T04:50:32.466Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.r2.dev","organization":""},"issuer":{"commonName":"E7","organization":"Let's Encrypt"},"validity":{"start":"Sat, 14 Mar 2026 07:41:58 GMT","end":"Fri, 12 Jun 2026 07:41:57 GMT"},"fingerprint":{"sha1":"C0:16:76:CB:73:59:54:FD:EE:F5:98:D9:1E:84:2C:64:5E:69:4A:C1","sha256":"EB:7F:C6:00:94:82:C3:E3:51:75:19:72:94:30:B8:60:5D:EE:9D:90:4D:0A:8E:6F:2C:9A:F7:84:10:1D:65:C5"}}},"request":{"raw":"GET /solflare-bypass2-desktop.gif HTTP/1.1\r\nHost: pub-14c1504681d2427684ac1f489338d075.r2.dev\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nOrigin: https://secure-auth-6185.vercel.app\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Sun, 15 Mar 2026 04:50:32 GMT\r\nContent-Type: image/gif\r\nContent-Length: 8319275\r\nConnection: keep-alive\r\nAccept-Ranges: bytes\r\nAccess-Control-Allow-Origin: *\r\nETag: \"ffdbd9550fb16af66a8cf7717da03833\"\r\nLast-Modified: Fri, 23 Jan 2026 22:06:40 GMT\r\nVary: Origin\r\nServer: cloudflare\r\nCF-RAY: 9dc8e5db7dba723c-OSL\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":8319275,"size_decoded":0,"mime_type":"image/gif","magic":"GIF image data, version 89a, 480 x 807","md5":"c7f02284ef4c6c534add4f4cf923bd2e","sha1":"a8a1b5efc7188d57767b8c10dd21a5bdaba1aa4d","sha256":"ec27d89fbe8d16080062e2d897533f7eb588857b3955dfd53a7d5d240121bc2a","sha512":"7821407b7deebbbd4ded8b8d19129e39ca67ca223f89605a6491de9e2b3344d9b3598bf0561f71ee60690509852fe5534812d49fd9e4caa5953bc2035f08b73b","ssdeep":"24576:bDYQNB1s7x5nT9wysI0jlfn8CUBJRzdUkkIrCfh2SA8RMT0Y:bDYCBsTqTjl0TBLWLZ2SA840Y","tlshash":"0925336db03d9653ebaf30223e5a13c0aedb901c8dbd3e213384ad21875b5ed1d6865d","first_seen":"2026-03-07T00:53:06.700379Z","last_seen":"2026-06-01T09:54:50.069305Z","times_seen":64,"resource_available":false,"data":null}},"time_used":1308,"timings":{"blocked":410,"dns":0,"connect":0,"send":0,"wait":80,"receive":818,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2026-03-15","alert":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","trigger":"pub-14c1504681d2427684ac1f489338d075.r2.dev/solflare-bypass2-desktop.gif","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-07-02","description":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","reference":"https://en.wikipedia.org/wiki/GIF","rule":"SUSP_GIF_Anomalies","score":"60"}}],"urlquery":null}},{"url":{"schema":"https","addr":"distorted-allocations.xyz/logo.jpg","fqdn":"distorted-allocations.xyz","domain":"distorted-allocations.xyz","tld":"xyz"},"ip":{"addr":"188.114.96.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://distorted-allocations.xyz/","date":"2026-03-15T04:50:28.000Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"distorted-allocations.xyz","organization":""},"issuer":{"commonName":"E7","organization":"Let's Encrypt"},"validity":{"start":"Wed, 11 Mar 2026 19:16:10 GMT","end":"Tue, 09 Jun 2026 19:16:09 GMT"},"fingerprint":{"sha1":"A4:5E:CB:BF:3F:CF:72:13:69:9C:A2:B9:7E:24:A0:44:AC:4C:0B:9F","sha256":"D2:07:00:07:0E:F2:AF:48:5C:3B:23:0D:2B:6A:1A:E1:BB:DD:34:37:32:2A:47:4A:6A:AC:E6:11:EE:9A:A4:04"}}},"request":{"raw":"GET /logo.jpg HTTP/1.1\r\nHost: distorted-allocations.xyz\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://distorted-allocations.xyz/\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/3 200 OK\r\ndate: Sun, 15 Mar 2026 04:50:28 GMT\r\ncontent-type: image/jpeg\r\ncontent-length: 28065\r\nserver: cloudflare\r\ncast-mode: default\r\nlast-modified: Wed, 11 Mar 2026 21:58:02 GMT\r\netag: \"69b1e56a-6da1\"\r\nstrict-transport-security: max-age=63072000; includeSubDomains; preload\r\ncontent-security-policy: frame-ancestors http: https:\r\nx-content-type-options: nosniff\r\nx-xss-protection: 1; mode=block\r\nx-cast-cache: MISS\r\naccept-ranges: bytes\r\ncache-control: max-age=2592000\r\ncf-cache-status: MISS\r\npriority: u=4,i=?0\r\nreport-to: {\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=QtCMpBVY3P3XH4TAvTNjL4f6%2BHPGuBi%2F4DbMnA%2BOUNLdkfT3EB9Pdszbs89mayt%2F3AK%2FerKnMH0yPLM1Aln%2BN0TLdA8XcwZqTMzqfhXjNIrGKgLY67dsiTs%3D\"}]}\r\nnel: {\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}\r\ncf-ray: 9dc8e5bce88bb1b8-OSL\r\nalt-svc: h3=\":443\"; ma=86400\r\nserver-timing: cfExtPri\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]},{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":28065,"size_decoded":0,"mime_type":"image/jpeg","magic":"JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=4, xresolution=62, yresolution=70, resolutionunit=2, software=paint.net 5.0.3], baseline, precision 8, 400x400, components 3","md5":"46841d6ebf2589e90367460e4af5ecb4","sha1":"3f84918d75385a3bb12d251d375f39bb3b060190","sha256":"81e88487ee58e2a539ceace54d790d71f39905f4d9f26f727c919ae9987b7ca6","sha512":"cf9dd85ae523712d219c7ea8ecb442210dccc4cd23b85041ad78d794e75e71cbc6d7c8a630d770f96a9f3485e021da4164ef7b27c18b2fee2f9d5feb3d6a196e","ssdeep":"384:CkJqZOPbo7vgPcOcL+ZhYxz9LppDlxtJ+Hp2Ui9EgrwW8nHPqjZKZLKWml3vPekY:fgV7oPcqSNjcu9EgEzsZ/rpXeF","tlshash":"d3c2cfdad9cd197accc22979d0000ae7cbb12e29e1f597a1187b157f0eb440e75e227c","first_seen":"2026-03-15T04:51:17.529042Z","last_seen":"2026-03-15T05:04:28.143291Z","times_seen":2,"resource_available":false,"data":null}},"time_used":241,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":203,"receive":38,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2026-03-15","alert":"Sinkholed","trigger":"distorted-allocations.xyz","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null},{"sensor_name":"hagezi","sensor_type":"DNS","title":"Hagezi Threat Feed","description":"Hagezi Threat Feed","scan_date":"2026-03-15","alert":"Sinkholed","trigger":"distorted-allocations.xyz","verdict":"malicious","severity":"medium","comment":"","link":"https://github.com/hagezi/dns-blocklists","meta":null}],"urlquery":null}},{"url":{"schema":"https","addr":"distorted-allocations.xyz/logo.jpg","fqdn":"distorted-allocations.xyz","domain":"distorted-allocations.xyz","tld":"xyz"},"ip":{"addr":"188.114.96.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://distorted-allocations.xyz/","date":"2026-03-15T04:50:28.557Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"distorted-allocations.xyz","organization":""},"issuer":{"commonName":"E7","organization":"Let's Encrypt"},"validity":{"start":"Wed, 11 Mar 2026 19:16:10 GMT","end":"Tue, 09 Jun 2026 19:16:09 GMT"},"fingerprint":{"sha1":"A4:5E:CB:BF:3F:CF:72:13:69:9C:A2:B9:7E:24:A0:44:AC:4C:0B:9F","sha256":"D2:07:00:07:0E:F2:AF:48:5C:3B:23:0D:2B:6A:1A:E1:BB:DD:34:37:32:2A:47:4A:6A:AC:E6:11:EE:9A:A4:04"}}},"request":{"raw":"GET /logo.jpg HTTP/1.1\r\nHost: distorted-allocations.xyz\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://distorted-allocations.xyz/\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/3 200 OK\r\ndate: Sun, 15 Mar 2026 04:50:28 GMT\r\ncontent-type: image/jpeg\r\ncontent-length: 28065\r\nserver: cloudflare\r\ncast-mode: default\r\nlast-modified: Wed, 11 Mar 2026 21:58:02 GMT\r\netag: \"69b1e56a-6da1\"\r\nstrict-transport-security: max-age=63072000; includeSubDomains; preload\r\ncontent-security-policy: frame-ancestors http: https:\r\nx-content-type-options: nosniff\r\nx-xss-protection: 1; mode=block\r\nx-cast-cache: MISS\r\naccept-ranges: bytes\r\nage: 0\r\ncache-control: max-age=2592000\r\ncf-cache-status: HIT\r\npriority: u=6,i=?0\r\nreport-to: {\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=T8xybwAguZeuPCkd7AINp8%2BAZzHn3mO6ai0hsgBetoZFUsz1IVbraF4rqDFTNFo53ptBScah6BpLE9Z%2BoM7uY%2BJuRB0NGsmPOV3XT8rwzLRlxPEhldNjWWA%3D\"}]}\r\nnel: {\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}\r\ncf-ray: 9dc8e5c07e98b1b8-OSL\r\nalt-svc: h3=\":443\"; ma=86400\r\nserver-timing: cfExtPri\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]},{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":28065,"size_decoded":0,"mime_type":"image/jpeg","magic":"JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=4, xresolution=62, yresolution=70, resolutionunit=2, software=paint.net 5.0.3], baseline, precision 8, 400x400, components 3","md5":"46841d6ebf2589e90367460e4af5ecb4","sha1":"3f84918d75385a3bb12d251d375f39bb3b060190","sha256":"81e88487ee58e2a539ceace54d790d71f39905f4d9f26f727c919ae9987b7ca6","sha512":"cf9dd85ae523712d219c7ea8ecb442210dccc4cd23b85041ad78d794e75e71cbc6d7c8a630d770f96a9f3485e021da4164ef7b27c18b2fee2f9d5feb3d6a196e","ssdeep":"384:CkJqZOPbo7vgPcOcL+ZhYxz9LppDlxtJ+Hp2Ui9EgrwW8nHPqjZKZLKWml3vPekY:fgV7oPcqSNjcu9EgEzsZ/rpXeF","tlshash":"d3c2cfdad9cd197accc22979d0000ae7cbb12e29e1f597a1187b157f0eb440e75e227c","first_seen":"2026-03-15T04:51:17.529042Z","last_seen":"2026-03-15T05:04:28.143291Z","times_seen":2,"resource_available":false,"data":null}},"time_used":7,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":5,"receive":2,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"hagezi","sensor_type":"DNS","title":"Hagezi Threat Feed","description":"Hagezi Threat Feed","scan_date":"2026-03-15","alert":"Sinkholed","trigger":"distorted-allocations.xyz","verdict":"malicious","severity":"medium","comment":"","link":"https://github.com/hagezi/dns-blocklists","meta":null},{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2026-03-15","alert":"Sinkholed","trigger":"distorted-allocations.xyz","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null}],"urlquery":null}},{"url":{"schema":"https","addr":"secure-auth-6185.vercel.app/api/v2/handshake","fqdn":"secure-auth-6185.vercel.app","domain":"secure-auth-6185.vercel.app","tld":"vercel.app"},"ip":{"addr":"216.198.79.131","port":443,"asn":16509,"as":"AMAZON-02","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"fetch","requested_by":"https://secure-auth-6185.vercel.app/demo.php?id=69addbedacd7bd42deda01da\u0026parent_url=distorted-allocations.xyz%2F","date":"2026-03-15T04:50:32.053Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.vercel.app","organization":""},"issuer":{"commonName":"WR1","organization":"Google Trust Services"},"validity":{"start":"Thu, 26 Feb 2026 06:28:03 GMT","end":"Wed, 27 May 2026 06:28:02 GMT"},"fingerprint":{"sha1":"D6:62:1A:52:B7:FD:F6:BB:FA:AC:01:9E:BB:CD:40:86:5F:04:95:51","sha256":"4B:37:7D:7D:8E:17:70:BB:E1:51:9B:58:96:24:6C:11:6A:B3:AE:A9:68:43:46:58:B3:30:F0:54:F7:EA:43:38"}}},"request":{"raw":"POST /api/v2/handshake HTTP/1.1\r\nHost: secure-auth-6185.vercel.app\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nContent-Type: application/octet-stream\r\nContent-Length: 71\r\nOrigin: https://secure-auth-6185.vercel.app\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"POST"},"response":{"raw":"HTTP/2 200 OK\r\naccess-control-allow-headers: *\r\naccess-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS\r\naccess-control-allow-origin: *\r\ncache-control: public, max-age=0, must-revalidate\r\ncontent-encoding: br\r\ncontent-type: application/octet-stream\r\ndate: Sun, 15 Mar 2026 04:50:32 GMT\r\nnel: {\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}\r\nreport-to: {\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=zgUbFqxNI0JbCENjm6GrUKQO7XpGJu8ElBcd1nTcvU2drIZjpgrYoIykOIRAAPQbOdnvpDO%2BAXsYtVCXfO3%2Bi8a0VMojZlQWgxYRw2GA2I4OzSeFt%2BGEkL7voDiyfRRWlKcQZQ%3D%3D\"}]}\r\nserver: Vercel\r\nstrict-transport-security: max-age=63072000; includeSubDomains; preload\r\nvary: Origin\r\nx-session-id: 74e28494cbba7eb1b8c45e4b8ec8fd6a\r\nx-vercel-cache: MISS\r\nx-vercel-id: arn1::arn1::2d2s7-1773550232060-5f0b9b7f4bba\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Vercel","description":"Vercel is a cloud platform for static frontends and serverless functions.","website":"https://vercel.com","common_platform_enumeration":"","icon":"vercel.svg","categories":["PaaS"]},{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]}],"data":{"size":80,"size_decoded":0,"mime_type":"application/octet-stream","magic":"data","md5":"93fc1b2fe5b4df43b0ea3664f1c2a58e","sha1":"08fbdb20125519e0d033e78151c0e718c74205fd","sha256":"d34049fe7cbb8ff11feaab7ab39356d4d0b1eeeb3d606522cbcf3c23d4f00fce","sha512":"f6423ceb09c6e47c3af22dd6ee23ebd475f5dd754bf7f62af48336bdf6c115bc04adedc66fdf235ef28278181e50d7df4312bf566fa973986ff62d2c4af82a2e","ssdeep":"","tlshash":"9ca024c3305c3447c3515c34df40044001133c70373c54f5054c304330540350111441","first_seen":"2026-03-15T04:51:17.531271Z","last_seen":"2026-03-15T04:51:17.531271Z","times_seen":1,"resource_available":false,"data":null}},"time_used":118,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":118,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"secure-auth-6185.vercel.app/api/v2/binary","fqdn":"secure-auth-6185.vercel.app","domain":"secure-auth-6185.vercel.app","tld":"vercel.app"},"ip":{"addr":"216.198.79.131","port":443,"asn":16509,"as":"AMAZON-02","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"fetch","requested_by":"https://secure-auth-6185.vercel.app/demo.php?id=69addbedacd7bd42deda01da\u0026parent_url=distorted-allocations.xyz%2F","date":"2026-03-15T04:50:32.299Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.vercel.app","organization":""},"issuer":{"commonName":"WR1","organization":"Google Trust Services"},"validity":{"start":"Thu, 26 Feb 2026 06:28:03 GMT","end":"Wed, 27 May 2026 06:28:02 GMT"},"fingerprint":{"sha1":"D6:62:1A:52:B7:FD:F6:BB:FA:AC:01:9E:BB:CD:40:86:5F:04:95:51","sha256":"4B:37:7D:7D:8E:17:70:BB:E1:51:9B:58:96:24:6C:11:6A:B3:AE:A9:68:43:46:58:B3:30:F0:54:F7:EA:43:38"}}},"request":{"raw":"POST /api/v2/binary HTTP/1.1\r\nHost: secure-auth-6185.vercel.app\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nContent-Type: application/octet-stream\r\nX-Session-Id: 74e28494cbba7eb1b8c45e4b8ec8fd6a\r\nX-Config-Id: 69addbedacd7bd42deda01da\r\nContent-Length: 99\r\nOrigin: https://secure-auth-6185.vercel.app\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"POST"},"response":{"raw":"HTTP/2 200 OK\r\naccess-control-allow-headers: *\r\naccess-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS\r\naccess-control-allow-origin: *\r\ncache-control: public, max-age=0, must-revalidate\r\ncontent-encoding: br\r\ncontent-type: application/octet-stream\r\ndate: Sun, 15 Mar 2026 04:50:32 GMT\r\nnel: {\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}\r\nreport-to: {\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=HKBNLMe6cxVI4KlF8G%2BGAXGUoN2OigqE%2Bi6Xp8B6eX8P9xVUYjaVpwQVDoUHmAD24m%2BOnOpv8FU72UyM9tontNfhZISY6TnbWcKUWJu9I8PgCgyi4YcBX%2F9AcYOetIKuVBUaRQ%3D%3D\"}]}\r\nserver: Vercel\r\nstrict-transport-security: max-age=63072000; includeSubDomains; preload\r\nvary: Origin,Accept-Encoding\r\nx-vercel-cache: MISS\r\nx-vercel-id: arn1::arn1::2d2s7-1773550232305-3cadc453b0f4\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Vercel","description":"Vercel is a cloud platform for static frontends and serverless functions.","website":"https://vercel.com","common_platform_enumeration":"","icon":"vercel.svg","categories":["PaaS"]},{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]}],"data":{"size":1123,"size_decoded":0,"mime_type":"application/octet-stream","magic":"data","md5":"f1fe8a570c9d602374b0e6b6e1d91a25","sha1":"738994709a4eca30284506bd1e512180de2b2d56","sha256":"c98efc636e4be0668f944b5821dfe18f881ba5b72357492e9e9b7744ffed75ba","sha512":"d23bbc04bd1c15d4086bfc0636000f80a23d813720732ba302a61e77ef265571d2becfc7a28d353f5f0244f76727f0e34275df8bc69bf5901b19748308e72fa0","ssdeep":"","tlshash":"e521a3b02025efbafee9a5bd4ce0193513bc43500a276e83ca0492fdab1218528805b4","first_seen":"2026-03-15T04:51:17.53413Z","last_seen":"2026-03-15T04:51:17.53413Z","times_seen":1,"resource_available":false,"data":null}},"time_used":116,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":116,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"pub-14c1504681d2427684ac1f489338d075.r2.dev/solflare-bypass1-desktop.gif","fqdn":"pub-14c1504681d2427684ac1f489338d075.r2.dev","domain":"pub-14c1504681d2427684ac1f489338d075.r2.dev","tld":"r2.dev"},"ip":{"addr":"104.18.50.34","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://secure-auth-6185.vercel.app/demo.php?id=69addbedacd7bd42deda01da\u0026parent_url=distorted-allocations.xyz%2F","date":"2026-03-15T04:50:32.463Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.r2.dev","organization":""},"issuer":{"commonName":"E7","organization":"Let's Encrypt"},"validity":{"start":"Sat, 14 Mar 2026 07:41:58 GMT","end":"Fri, 12 Jun 2026 07:41:57 GMT"},"fingerprint":{"sha1":"C0:16:76:CB:73:59:54:FD:EE:F5:98:D9:1E:84:2C:64:5E:69:4A:C1","sha256":"EB:7F:C6:00:94:82:C3:E3:51:75:19:72:94:30:B8:60:5D:EE:9D:90:4D:0A:8E:6F:2C:9A:F7:84:10:1D:65:C5"}}},"request":{"raw":"GET /solflare-bypass1-desktop.gif HTTP/1.1\r\nHost: pub-14c1504681d2427684ac1f489338d075.r2.dev\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nOrigin: https://secure-auth-6185.vercel.app\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Sun, 15 Mar 2026 04:50:32 GMT\r\nContent-Type: image/gif\r\nContent-Length: 6028322\r\nConnection: keep-alive\r\nAccept-Ranges: bytes\r\nAccess-Control-Allow-Origin: *\r\nETag: \"cf5ac8fca45e5d0409fef8923c179975\"\r\nLast-Modified: Fri, 23 Jan 2026 22:54:30 GMT\r\nVary: Origin\r\nServer: cloudflare\r\nCF-RAY: 9dc8e5d979cab28a-OSL\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":6028322,"size_decoded":0,"mime_type":"image/gif","magic":"GIF image data, version 89a, 480 x 807","md5":"702758821d82f5549c2922f81710886f","sha1":"f318b7afd08f139ed22ac505130fc66efcc40962","sha256":"8b093466588a613d01fdfa9d301866c5a064d3f7e8b8d0105c6b3df4972c15bb","sha512":"27b892bfafa582e0d5b19eb7d7c7e714c468c58aecb3bc69f81b37b273f9222cb302f34045e4bfb3d436e6be55a3fa54b223cd6f801045bed2a8ba6dc3c41c90","ssdeep":"24576:WKS1/OBbi61/Vvx5qYONFC9VGM60S15tk+ebyMyRfMdlE:38h+tvxpOXC9VBTOFR0dS","tlshash":"412533b9b82a3481eb0179507d6f2522a9f7746f487b7f734354fa2363eae85d2c1018","first_seen":"2026-03-08T18:49:18.14445Z","last_seen":"2026-06-01T09:54:50.017658Z","times_seen":62,"resource_available":false,"data":null}},"time_used":1108,"timings":{"blocked":91,"dns":32,"connect":19,"send":0,"wait":94,"receive":826,"ssl":36},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2026-03-15","alert":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","trigger":"pub-14c1504681d2427684ac1f489338d075.r2.dev/solflare-bypass1-desktop.gif","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-07-02","description":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","reference":"https://en.wikipedia.org/wiki/GIF","rule":"SUSP_GIF_Anomalies","score":"60"}}],"urlquery":null}},{"url":{"schema":"https","addr":"distorted-allocations.xyz/css2.css","fqdn":"distorted-allocations.xyz","domain":"distorted-allocations.xyz","tld":"xyz"},"ip":{"addr":"188.114.96.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"stylesheet","requested_by":"https://distorted-allocations.xyz/","date":"2026-03-15T04:50:27.999Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"distorted-allocations.xyz","organization":""},"issuer":{"commonName":"E7","organization":"Let's Encrypt"},"validity":{"start":"Wed, 11 Mar 2026 19:16:10 GMT","end":"Tue, 09 Jun 2026 19:16:09 GMT"},"fingerprint":{"sha1":"A4:5E:CB:BF:3F:CF:72:13:69:9C:A2:B9:7E:24:A0:44:AC:4C:0B:9F","sha256":"D2:07:00:07:0E:F2:AF:48:5C:3B:23:0D:2B:6A:1A:E1:BB:DD:34:37:32:2A:47:4A:6A:AC:E6:11:EE:9A:A4:04"}}},"request":{"raw":"GET /css2.css HTTP/1.1\r\nHost: distorted-allocations.xyz\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/css,*/*;q=0.1\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://distorted-allocations.xyz/\r\nSec-Fetch-Dest: style\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/3 200 OK\r\ndate: Sun, 15 Mar 2026 04:50:28 GMT\r\ncontent-type: text/css\r\nserver: cloudflare\r\ncast-mode: default\r\nlast-modified: Wed, 11 Mar 2026 21:58:02 GMT\r\netag: W/\"69b1e56a-756\"\r\nstrict-transport-security: max-age=63072000; includeSubDomains; preload\r\ncontent-security-policy: frame-ancestors http: https:\r\nx-content-type-options: nosniff\r\nx-xss-protection: 1; mode=block\r\nx-cast-cache: MISS\r\ncontent-encoding: gzip\r\ncache-control: max-age=2592000\r\ncf-cache-status: MISS\r\nvary: accept-encoding\r\npriority: u=2,i=?0\r\nreport-to: {\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=%2BcFTrwoL60d%2BZKDhzPfOY8A7aTG1U887yKln5to0L%2BaCcHN5IF3nJoA8Bt8yO9Yo4Kx1TfPvmpNZIdBRqGq0pVqz9zcukMUPN1JZtEIFHxLBTHUse1Q5UW4%3D\"}]}\r\nnel: {\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}\r\ncf-ray: 9dc8e5bce889b1b8-OSL\r\nalt-svc: h3=\":443\"; ma=86400\r\nserver-timing: cfExtPri\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]},{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]}],"data":{"size":1878,"size_decoded":0,"mime_type":"text/css","magic":"ASCII text","md5":"9062a655afcc97c2d427b10f735a8aea","sha1":"b22103ec1665985589e0be5b9f5e9686461dc12f","sha256":"66489ff17cd8cbe69f7dc79d660975d2910614eda742803f69181a0ecf3bc4bd","sha512":"ab721d03c97484fcb5cef9844c74968d7bb643c1ebee2eea3a2e8129f9366306f24d0b42e6889213aa56bd28047ad42645cbc4457fc3dc681dd8e7df4d4265eb","ssdeep":"","tlshash":"89419b414c3a5104a3d32ce263ce7d31cd4ef244b045ca34bffe1859ac4ad6563a4b5c","first_seen":"2025-08-07T19:45:13.885497Z","last_seen":"2026-05-01T15:06:22.858559Z","times_seen":359,"resource_available":false,"data":null}},"time_used":216,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":216,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"hagezi","sensor_type":"DNS","title":"Hagezi Threat Feed","description":"Hagezi Threat Feed","scan_date":"2026-03-15","alert":"Sinkholed","trigger":"distorted-allocations.xyz","verdict":"malicious","severity":"medium","comment":"","link":"https://github.com/hagezi/dns-blocklists","meta":null},{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2026-03-15","alert":"Sinkholed","trigger":"distorted-allocations.xyz","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null}],"urlquery":null}},{"url":{"schema":"https","addr":"distorted-allocations.xyz/noir.js","fqdn":"distorted-allocations.xyz","domain":"distorted-allocations.xyz","tld":"xyz"},"ip":{"addr":"188.114.96.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"script","requested_by":"https://distorted-allocations.xyz/","date":"2026-03-15T04:50:28.003Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"distorted-allocations.xyz","organization":""},"issuer":{"commonName":"E7","organization":"Let's Encrypt"},"validity":{"start":"Wed, 11 Mar 2026 19:16:10 GMT","end":"Tue, 09 Jun 2026 19:16:09 GMT"},"fingerprint":{"sha1":"A4:5E:CB:BF:3F:CF:72:13:69:9C:A2:B9:7E:24:A0:44:AC:4C:0B:9F","sha256":"D2:07:00:07:0E:F2:AF:48:5C:3B:23:0D:2B:6A:1A:E1:BB:DD:34:37:32:2A:47:4A:6A:AC:E6:11:EE:9A:A4:04"}}},"request":{"raw":"GET /noir.js HTTP/1.1\r\nHost: distorted-allocations.xyz\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://distorted-allocations.xyz/\r\nSec-Fetch-Dest: script\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/3 200 OK\r\ndate: Sun, 15 Mar 2026 04:50:28 GMT\r\ncontent-type: application/javascript\r\nserver: cloudflare\r\ncast-mode: default\r\nlast-modified: Wed, 11 Mar 2026 21:58:02 GMT\r\netag: W/\"69b1e56a-6cef\"\r\nstrict-transport-security: max-age=63072000; includeSubDomains; preload\r\ncontent-security-policy: frame-ancestors http: https:\r\nx-content-type-options: nosniff\r\nx-xss-protection: 1; mode=block\r\nx-cast-cache: MISS\r\ncontent-encoding: gzip\r\ncache-control: max-age=2592000\r\ncf-cache-status: MISS\r\nvary: accept-encoding\r\npriority: u=3,i=?0\r\nreport-to: {\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=EDEvDDRuKJygF8IDwuRb75hcLegiqrdxGHC4ihkzwju1fhpwoVYg6yc6Sgbf8sEfySI5ri%2BnPf5z8O4Nwe1gzs05HMs1nOoO1EWmCuMWKeTRXzvdeB2f6%2FA%3D\"}]}\r\nnel: {\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}\r\ncf-ray: 9dc8e5bce893b1b8-OSL\r\nalt-svc: h3=\":443\"; ma=86400\r\nserver-timing: cfExtPri\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]},{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]}],"data":{"size":27887,"size_decoded":0,"mime_type":"application/javascript","magic":"JavaScript source, ASCII text, with very long lines (27887), with no line terminators","md5":"289801c57972a385666ed2f315ae22c7","sha1":"f29a45f7d50d247bdeb02e33ca1a0c3c855412fb","sha256":"54350298783277d926d7187ce8819dae9d608fc4f8475820f5d6c1f148ba59d8","sha512":"aaa80277f5d71cc4ef0f25d53056d5cbf59e4ad948c5e8c84cb7e9af86c36e6e634e7b8888ac829a0c75dc640db8d9450aaf10bfaaaeb4ee33bf377e421a9ec7","ssdeep":"768:L7P/CqN0Xs0HoBI/Y8q9lGj//Azm/g89Xn5aPrrY:L7P/CqN0Xs0Ia/YZ9lM/oVKXncTc","tlshash":"7ac21a6bce8f3d90cb251e1623ee1cc50a1d5b8a74e348cd960eb7c9815f57a44cc6e9","first_seen":"2026-03-10T18:24:09.1258Z","last_seen":"2026-03-15T05:04:28.125277Z","times_seen":4,"resource_available":true,"data":null}},"time_used":208,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":207,"receive":1,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"hagezi","sensor_type":"DNS","title":"Hagezi Threat Feed","description":"Hagezi Threat Feed","scan_date":"2026-03-15","alert":"Sinkholed","trigger":"distorted-allocations.xyz","verdict":"malicious","severity":"medium","comment":"","link":"https://github.com/hagezi/dns-blocklists","meta":null},{"sensor_name":"dns4eu","sensor_type":"DNS","title":"DNS4EU","description":"DNS4EU","scan_date":"2026-03-15","alert":"Sinkholed","trigger":"distorted-allocations.xyz","verdict":"malicious","severity":"medium","comment":"","link":"https://www.joindns4.eu/","meta":null}],"urlquery":null}},{"url":{"schema":"https","addr":"dns.google/resolve?name=_r.chrome-extension-da0e5-bc.com\u0026type=TXT","fqdn":"dns.google","domain":"dns.google","tld":"google"},"ip":{"addr":"8.8.4.4","port":443,"asn":15169,"as":"GOOGLE","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"fetch","requested_by":"https://distorted-allocations.xyz/","date":"2026-03-15T04:50:28.456Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"dns.google","organization":""},"issuer":{"commonName":"WR2","organization":"Google Trust Services"},"validity":{"start":"Mon, 02 Feb 2026 08:38:49 GMT","end":"Mon, 27 Apr 2026 08:38:48 GMT"},"fingerprint":{"sha1":"7B:14:9F:95:9B:62:01:0D:83:AE:13:A0:48:E7:3B:56:77:BC:5F:66","sha256":"00:25:2D:7B:8F:77:43:5E:EE:50:B0:FE:0E:63:88:A2:7E:E7:23:1D:05:50:39:E8:87:1C:4C:34:D9:40:FC:F8"}}},"request":{"raw":"GET /resolve?name=_r.chrome-extension-da0e5-bc.com\u0026type=TXT HTTP/1.1\r\nHost: dns.google\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: application/dns-json\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nReferer: https://distorted-allocations.xyz/\r\nOrigin: https://distorted-allocations.xyz\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\nx-content-type-options: nosniff\r\nstrict-transport-security: max-age=31536000; includeSubDomains; preload\r\naccess-control-allow-origin: *\r\ndate: Sun, 15 Mar 2026 04:50:28 GMT\r\nexpires: Sun, 15 Mar 2026 04:50:28 GMT\r\ncache-control: private, max-age=60\r\ncontent-type: application/json; charset=UTF-8\r\ncontent-encoding: gzip\r\nserver: HTTP server (unknown)\r\ncontent-length: 200\r\nx-xss-protection: 0\r\nx-frame-options: SAMEORIGIN\r\nalt-svc: h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]}],"data":{"size":288,"size_decoded":0,"mime_type":"application/json; charset=UTF-8","magic":"JSON text data","md5":"4c2452bf912243b194eb9e9b6569b09c","sha1":"d57210a336ade6ddf2aadb8345c87b9b126ae76c","sha256":"4694e50198fc5e22c09ebde7810c153878e4a69c89066bde3e7388fe16ce83f3","sha512":"116c7fffe16425b2546e88b7830db9f7d5fbc63ee12ef1833cb01059ed62da3267de76ece9f1e95d5b0ad970ecd62c35b480ce7e12883595e6640ce5d0a0b7ad","ssdeep":"","tlshash":"2dd07288848480acba072794c08b048adf2c22b2729cbe188b402e64e7cb244b486627","first_seen":"2026-03-15T04:51:17.539885Z","last_seen":"2026-03-15T04:51:17.539885Z","times_seen":1,"resource_available":false,"data":null}},"time_used":277,"timings":{"blocked":115,"dns":28,"connect":8,"send":0,"wait":46,"receive":0,"ssl":75},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"secure-auth-6185.vercel.app/api/v2/binary","fqdn":"secure-auth-6185.vercel.app","domain":"secure-auth-6185.vercel.app","tld":"vercel.app"},"ip":{"addr":"216.198.79.131","port":443,"asn":16509,"as":"AMAZON-02","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"fetch","requested_by":"https://secure-auth-6185.vercel.app/demo.php?id=69addbedacd7bd42deda01da\u0026parent_url=distorted-allocations.xyz%2F","date":"2026-03-15T04:50:32.446Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.vercel.app","organization":""},"issuer":{"commonName":"WR1","organization":"Google Trust Services"},"validity":{"start":"Thu, 26 Feb 2026 06:28:03 GMT","end":"Wed, 27 May 2026 06:28:02 GMT"},"fingerprint":{"sha1":"D6:62:1A:52:B7:FD:F6:BB:FA:AC:01:9E:BB:CD:40:86:5F:04:95:51","sha256":"4B:37:7D:7D:8E:17:70:BB:E1:51:9B:58:96:24:6C:11:6A:B3:AE:A9:68:43:46:58:B3:30:F0:54:F7:EA:43:38"}}},"request":{"raw":"POST /api/v2/binary HTTP/1.1\r\nHost: secure-auth-6185.vercel.app\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nContent-Type: application/octet-stream\r\nX-Session-Id: 74e28494cbba7eb1b8c45e4b8ec8fd6a\r\nX-Config-Id: 69addbedacd7bd42deda01da\r\nContent-Length: 99\r\nOrigin: https://secure-auth-6185.vercel.app\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"POST"},"response":{"raw":"HTTP/2 200 OK\r\naccess-control-allow-headers: *\r\naccess-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS\r\naccess-control-allow-origin: *\r\ncache-control: public, max-age=0, must-revalidate\r\ncontent-encoding: br\r\ncontent-type: application/octet-stream\r\ndate: Sun, 15 Mar 2026 04:50:32 GMT\r\nnel: {\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}\r\nreport-to: {\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=Q0qMbLR8UY5DpvzCwaxn5uGf8C%2FlRszimu3NRdMH8ZyTZcSdKsPgOKI4lgntRjaDL7QlhWj%2FrbAZaUQ25UzJkK2lu06T1R0Ybtjn%2FU8cNl%2FKTKKR0u5PlH3rPFyWy7eftBGk5Q%3D%3D\"}]}\r\nserver: Vercel\r\nstrict-transport-security: max-age=63072000; includeSubDomains; preload\r\nvary: Origin\r\nx-vercel-cache: MISS\r\nx-vercel-id: arn1::arn1::2d2s7-1773550232451-66b28d0e68f6\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Vercel","description":"Vercel is a cloud platform for static frontends and serverless functions.","website":"https://vercel.com","common_platform_enumeration":"","icon":"vercel.svg","categories":["PaaS"]},{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]}],"data":{"size":99,"size_decoded":0,"mime_type":"application/octet-stream","magic":"data","md5":"42afeb0aa857ea01525974e7a56b27b3","sha1":"43a791ce6e371487c4ff530f304fde5475e46ec6","sha256":"5f5e3696ab9673f024290537f003b79ff08782c52e92d96583fc6c88b7e84fb4","sha512":"99ae6b0ac22be172eda48bdeff57e3fed4372d8de5cc69f93c416831b45d7cfaa5f310e2093a648e2a8d17c2c0e1eb810d255de6012849e467f6ba6bb2751461","ssdeep":"","tlshash":"1bb012043a123a23f08538b28046300212d05017210493a636460117e88d4010ec7608","first_seen":"2026-03-15T04:51:17.542003Z","last_seen":"2026-03-15T04:51:17.542003Z","times_seen":1,"resource_available":false,"data":null}},"time_used":287,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":287,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"pub-14c1504681d2427684ac1f489338d075.r2.dev/phantom-bypass1-mobile.gif","fqdn":"pub-14c1504681d2427684ac1f489338d075.r2.dev","domain":"pub-14c1504681d2427684ac1f489338d075.r2.dev","tld":"r2.dev"},"ip":{"addr":"104.18.50.34","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://secure-auth-6185.vercel.app/demo.php?id=69addbedacd7bd42deda01da\u0026parent_url=distorted-allocations.xyz%2F","date":"2026-03-15T04:50:32.460Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.r2.dev","organization":""},"issuer":{"commonName":"E7","organization":"Let's Encrypt"},"validity":{"start":"Sat, 14 Mar 2026 07:41:58 GMT","end":"Fri, 12 Jun 2026 07:41:57 GMT"},"fingerprint":{"sha1":"C0:16:76:CB:73:59:54:FD:EE:F5:98:D9:1E:84:2C:64:5E:69:4A:C1","sha256":"EB:7F:C6:00:94:82:C3:E3:51:75:19:72:94:30:B8:60:5D:EE:9D:90:4D:0A:8E:6F:2C:9A:F7:84:10:1D:65:C5"}}},"request":{"raw":"GET /phantom-bypass1-mobile.gif HTTP/1.1\r\nHost: pub-14c1504681d2427684ac1f489338d075.r2.dev\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nOrigin: https://secure-auth-6185.vercel.app\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Sun, 15 Mar 2026 04:50:32 GMT\r\nContent-Type: image/gif\r\nContent-Length: 2031700\r\nConnection: keep-alive\r\nAccept-Ranges: bytes\r\nAccess-Control-Allow-Origin: *\r\nETag: \"a22dc9face81ff1665651f1052a0a99f\"\r\nLast-Modified: Fri, 23 Jan 2026 22:55:26 GMT\r\nVary: Origin\r\nServer: cloudflare\r\nCF-RAY: 9dc8e5d97ab7723c-OSL\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":2031700,"size_decoded":0,"mime_type":"image/gif","magic":"GIF image data, version 89a, 480 x 807","md5":"37d621b0888b9c9acaadc1142424a21c","sha1":"cbb67a69d5c908ed0643897721984ff71bf7a0d8","sha256":"b69becaf20ae2c964f0068c915b5d036da7dc363b1ea662f069f53f647706314","sha512":"474aad76d233471363cdabd9efc14cc91b32e291fc0e70d5bac4f9e5e20c36399f05f2f099795fa60cc9a7147632933594604474935b1e73923115ea8eaf7391","ssdeep":"24576:/2TAaRkFipRWRSlpAzUWOsWWvbLqhDVtxB6Ewq4zG:ZhZv4JsZDL8Da1a","tlshash":"e925333bc65d46417aa900115b2162708d3368ac58ffe63383edde72d78ba3c7d643a9","first_seen":"2026-03-08T18:49:18.127937Z","last_seen":"2026-06-01T09:54:50.06681Z","times_seen":62,"resource_available":false,"data":null}},"time_used":501,"timings":{"blocked":91,"dns":34,"connect":1,"send":0,"wait":76,"receive":238,"ssl":53},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2026-03-15","alert":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","trigger":"pub-14c1504681d2427684ac1f489338d075.r2.dev/phantom-bypass1-mobile.gif","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-07-02","description":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","reference":"https://en.wikipedia.org/wiki/GIF","rule":"SUSP_GIF_Anomalies","score":"60"}}],"urlquery":null}},{"url":{"schema":"https","addr":"pub-14c1504681d2427684ac1f489338d075.r2.dev/phantom-bypass2-mobile.gif","fqdn":"pub-14c1504681d2427684ac1f489338d075.r2.dev","domain":"pub-14c1504681d2427684ac1f489338d075.r2.dev","tld":"r2.dev"},"ip":{"addr":"104.18.50.34","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://secure-auth-6185.vercel.app/demo.php?id=69addbedacd7bd42deda01da\u0026parent_url=distorted-allocations.xyz%2F","date":"2026-03-15T04:50:32.462Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.r2.dev","organization":""},"issuer":{"commonName":"E7","organization":"Let's Encrypt"},"validity":{"start":"Sat, 14 Mar 2026 07:41:58 GMT","end":"Fri, 12 Jun 2026 07:41:57 GMT"},"fingerprint":{"sha1":"C0:16:76:CB:73:59:54:FD:EE:F5:98:D9:1E:84:2C:64:5E:69:4A:C1","sha256":"EB:7F:C6:00:94:82:C3:E3:51:75:19:72:94:30:B8:60:5D:EE:9D:90:4D:0A:8E:6F:2C:9A:F7:84:10:1D:65:C5"}}},"request":{"raw":"GET /phantom-bypass2-mobile.gif HTTP/1.1\r\nHost: pub-14c1504681d2427684ac1f489338d075.r2.dev\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nOrigin: https://secure-auth-6185.vercel.app\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Sun, 15 Mar 2026 04:50:32 GMT\r\nContent-Type: image/gif\r\nContent-Length: 3967947\r\nConnection: keep-alive\r\nAccept-Ranges: bytes\r\nAccess-Control-Allow-Origin: *\r\nETag: \"5a6a3867cbfe36845cfc495e5ca7f0ea\"\r\nLast-Modified: Fri, 23 Jan 2026 15:28:10 GMT\r\nVary: Origin\r\nServer: cloudflare\r\nCF-RAY: 9dc8e5d97ee249c5-OSL\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":3967947,"size_decoded":0,"mime_type":"image/gif","magic":"GIF image data, version 89a, 480 x 807","md5":"d93576ba91ca34c6a838ecb0a2007171","sha1":"c4e5bde21d173bd4fcd9129fbdbde6222c276da2","sha256":"bd3b1e09eca059acc8e0bbb505184eb2e25f7d41b27842fc776734881d4742df","sha512":"1757d06e3d6fcf45d5a48f8f6339866791fe4add35e57b447144d7b3bc7c7b25a851adda4b4abfdadc8dc7134f21016a79f7405bb79e50115dce6a8c93a59ef6","ssdeep":"24576:avufiMHLszpYKMLHl4XSjC3h+NeQo3QSlw:oFMHLsMl/CzsAw","tlshash":"db2523ae806d4dc1229501a12516783c14a5a07e8df2bc3db5a8df8dc29ff7b9ce90f5","first_seen":"2026-03-07T01:35:12.450999Z","last_seen":"2026-06-01T09:54:50.000032Z","times_seen":63,"resource_available":false,"data":null}},"time_used":759,"timings":{"blocked":92,"dns":33,"connect":12,"send":0,"wait":89,"receive":480,"ssl":41},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2026-03-15","alert":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","trigger":"pub-14c1504681d2427684ac1f489338d075.r2.dev/phantom-bypass2-mobile.gif","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-07-02","description":"Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type","reference":"https://en.wikipedia.org/wiki/GIF","rule":"SUSP_GIF_Anomalies","score":"60"}}],"urlquery":null}}]}