netwire | 12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05/02/2025, 03:51 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe
Size

1.4MB
MD5

e7f2894d41d8904939cad9d2466bbbd9
SHA1

bae310f54a71bc4760baf290ba574df17fc1e29d
SHA256

12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead
SHA512

f83daac6787f850a811722e14b70023ac76d63f0e8ebbf9c7f5d7f02b9ee8b5ee4f56fb8aba2a098f82bb1e69ec780be305727a8abb34127ca58def9afd4b198
SSDEEP

24576:ru6J3xO0c+JY5UZ+XCHkGso6Fa720W4njUprvVcC1f2o5RRfgdWYB:Fo0c++OCokGs9Fa+rd1f26RNYB

Score

10^/10

netwire warzonerat botnet discovery infostealer rat stealer

Malware Config

Extracted

Family

netwire

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
sunshineslisa
install_path
%AppData%\Imgburn\Host.exe
keylogger_dir
%AppData%\Logs\Imgburn\
lock_executable
false
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
false

Extracted

Family

warzonerat

wealth.warzonedns.com:5202

Signatures

NetWire RAT payload 11 IoCs

rat

resource	yara_rule
behavioral2/memory/3688-0-0x0000000000380000-0x00000000004EB000-memory.dmp	netwire
behavioral2/files/0x000a000000023b50-5.dat	netwire
behavioral2/memory/4360-13-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3688-25-0x0000000000380000-0x00000000004EB000-memory.dmp	netwire
behavioral2/memory/4208-28-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/files/0x000a000000023b55-32.dat	netwire
behavioral2/memory/32-33-0x00000000008B0000-0x0000000000A1B000-memory.dmp	netwire
behavioral2/memory/32-51-0x00000000008B0000-0x0000000000A1B000-memory.dmp	netwire
behavioral2/memory/4196-56-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1892-77-0x00000000008B0000-0x0000000000A1B000-memory.dmp	netwire
behavioral2/memory/4436-82-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1060-15-0x0000000000E30000-0x0000000000E4D000-memory.dmp	warzonerat
behavioral2/memory/1060-23-0x0000000000E30000-0x0000000000E4D000-memory.dmp	warzonerat
behavioral2/memory/1164-50-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral2/memory/1164-42-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	RtDCpl64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	RtDCpl64.exe

Executes dropped EXE 8 IoCs

pid	Process
4360	Blasthost.exe
4208	Host.exe
32	RtDCpl64.exe
4196	Blasthost.exe
1164	RtDCpl64.exe
1892	RtDCpl64.exe
4436	Blasthost.exe
4816	RtDCpl64.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3688-0-0x0000000000380000-0x00000000004EB000-memory.dmp	autoit_exe
behavioral2/memory/3688-25-0x0000000000380000-0x00000000004EB000-memory.dmp	autoit_exe
behavioral2/files/0x000a000000023b55-32.dat	autoit_exe
behavioral2/memory/32-33-0x00000000008B0000-0x0000000000A1B000-memory.dmp	autoit_exe
behavioral2/memory/32-51-0x00000000008B0000-0x0000000000A1B000-memory.dmp	autoit_exe
behavioral2/memory/1892-77-0x00000000008B0000-0x0000000000A1B000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3688 set thread context of 1060	3688	12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe	89
PID 32 set thread context of 1164	32	RtDCpl64.exe	99
PID 1892 set thread context of 4816	1892	RtDCpl64.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtDCpl64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtDCpl64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtDCpl64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blasthost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtDCpl64.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3068	schtasks.exe
4776	schtasks.exe
3500	schtasks.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 4360	3688	12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe	86
PID 3688 wrote to memory of 4360	3688	12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe	86
PID 3688 wrote to memory of 4360	3688	12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe	86
PID 4360 wrote to memory of 4208	4360	Blasthost.exe	88
PID 4360 wrote to memory of 4208	4360	Blasthost.exe	88
PID 4360 wrote to memory of 4208	4360	Blasthost.exe	88
PID 3688 wrote to memory of 1060	3688	12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe	89
PID 3688 wrote to memory of 1060	3688	12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe	89
PID 3688 wrote to memory of 1060	3688	12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe	89
PID 3688 wrote to memory of 1060	3688	12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe	89
PID 3688 wrote to memory of 1060	3688	12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe	89
PID 1060 wrote to memory of 2912	1060	12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe	90
PID 1060 wrote to memory of 2912	1060	12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe	90
PID 1060 wrote to memory of 2912	1060	12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe	90
PID 3688 wrote to memory of 3068	3688	12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe	92
PID 3688 wrote to memory of 3068	3688	12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe	92
PID 3688 wrote to memory of 3068	3688	12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe	92
PID 1060 wrote to memory of 2912	1060	12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe	90
PID 1060 wrote to memory of 2912	1060	12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe	90
PID 32 wrote to memory of 4196	32	RtDCpl64.exe	98
PID 32 wrote to memory of 4196	32	RtDCpl64.exe	98
PID 32 wrote to memory of 4196	32	RtDCpl64.exe	98
PID 32 wrote to memory of 1164	32	RtDCpl64.exe	99
PID 32 wrote to memory of 1164	32	RtDCpl64.exe	99
PID 32 wrote to memory of 1164	32	RtDCpl64.exe	99
PID 32 wrote to memory of 1164	32	RtDCpl64.exe	99
PID 32 wrote to memory of 1164	32	RtDCpl64.exe	99
PID 1164 wrote to memory of 4512	1164	RtDCpl64.exe	100
PID 1164 wrote to memory of 4512	1164	RtDCpl64.exe	100
PID 1164 wrote to memory of 4512	1164	RtDCpl64.exe	100
PID 32 wrote to memory of 4776	32	RtDCpl64.exe	102
PID 32 wrote to memory of 4776	32	RtDCpl64.exe	102
PID 32 wrote to memory of 4776	32	RtDCpl64.exe	102
PID 1164 wrote to memory of 4512	1164	RtDCpl64.exe	100
PID 1164 wrote to memory of 4512	1164	RtDCpl64.exe	100
PID 1892 wrote to memory of 4436	1892	RtDCpl64.exe	105
PID 1892 wrote to memory of 4436	1892	RtDCpl64.exe	105
PID 1892 wrote to memory of 4436	1892	RtDCpl64.exe	105
PID 1892 wrote to memory of 4816	1892	RtDCpl64.exe	106
PID 1892 wrote to memory of 4816	1892	RtDCpl64.exe	106
PID 1892 wrote to memory of 4816	1892	RtDCpl64.exe	106
PID 1892 wrote to memory of 4816	1892	RtDCpl64.exe	106
PID 1892 wrote to memory of 4816	1892	RtDCpl64.exe	106
PID 4816 wrote to memory of 4380	4816	RtDCpl64.exe	107
PID 4816 wrote to memory of 4380	4816	RtDCpl64.exe	107
PID 4816 wrote to memory of 4380	4816	RtDCpl64.exe	107
PID 1892 wrote to memory of 3500	1892	RtDCpl64.exe	108
PID 1892 wrote to memory of 3500	1892	RtDCpl64.exe	108
PID 1892 wrote to memory of 3500	1892	RtDCpl64.exe	108
PID 4816 wrote to memory of 4380	4816	RtDCpl64.exe	107
PID 4816 wrote to memory of 4380	4816	RtDCpl64.exe	107

C:\Users\Admin\AppData\Local\Temp\12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe
"C:\Users\Admin\AppData\Local\Temp\12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Users\Admin\AppData\Roaming\Blasthost.exe
  "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
    "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4208
- C:\Users\Admin\AppData\Local\Temp\12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe
  "C:\Users\Admin\AppData\Local\Temp\12456bc19cefa8f33b1f653fa8d159d0cf697dd882f15fa941e7b9b8eb376ead.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3068

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:32
- C:\Users\Admin\AppData\Roaming\Blasthost.exe
  "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
  2⤵
  - Executes dropped EXE
  PID:4196
- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4512
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4776

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Users\Admin\AppData\Roaming\Blasthost.exe
  "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4380
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3500

Network

DNS

Wealthy2019.com.strangled.net

Host.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

Wealthy2019.com.strangled.net

Host.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

11.153.16.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.153.16.2.in-addr.arpa

IN PTR

Response

11.153.16.2.in-addr.arpa

IN PTR

a2-16-153-11deploystaticakamaitechnologiescom
DNS

131.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.31.126.40.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2e224c3903d4f169dce1f7f7a59ab06&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2e224c3903d4f169dce1f7f7a59ab06&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=01C07119B000684A38C16493B12769E5; domain=.bing.com; expires=Mon, 02-Mar-2026 03:51:23 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 428F58F627144BCEBF5B94802B4D1A92 Ref B: LON04EDGE0712 Ref C: 2025-02-05T03:51:23Z
date: Wed, 05 Feb 2025 03:51:22 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d2e224c3903d4f169dce1f7f7a59ab06&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d2e224c3903d4f169dce1f7f7a59ab06&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=01C07119B000684A38C16493B12769E5

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=eeknrWVmjzGvDNqV3CWgDSTp6SMiEt7EY95nkmBMmA8; domain=.bing.com; expires=Mon, 02-Mar-2026 03:51:23 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EC2FD8166E3248FAAE715F3909F1241D Ref B: LON04EDGE0712 Ref C: 2025-02-05T03:51:23Z
date: Wed, 05 Feb 2025 03:51:22 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2e224c3903d4f169dce1f7f7a59ab06&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2e224c3903d4f169dce1f7f7a59ab06&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=01C07119B000684A38C16493B12769E5; MSPTC=eeknrWVmjzGvDNqV3CWgDSTp6SMiEt7EY95nkmBMmA8

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4BAA8CDAF0F74365AF58C08F0416EE7E Ref B: LON04EDGE0712 Ref C: 2025-02-05T03:51:23Z
date: Wed, 05 Feb 2025 03:51:22 GMT
DNS

10.28.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.28.171.150.in-addr.arpa

IN PTR

Response
DNS

10.28.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.28.171.150.in-addr.arpa

IN PTR
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

Wealthy2019.com.strangled.net

Host.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

Wealthy2019.com.strangled.net

Host.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

212.20.149.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.20.149.52.in-addr.arpa

IN PTR

Response
DNS

Wealthy2019.com.strangled.net

Host.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

22.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.49.80.91.in-addr.arpa

IN PTR

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

Wealthy2019.com.strangled.net

Host.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

Wealthy2019.com.strangled.net

Host.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

Wealthy2019.com.strangled.net

Host.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

Wealthy2019.com.strangled.net

Host.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

Wealthy2019.com.strangled.net

Host.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

Wealthy2019.com.strangled.net

Host.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

Wealthy2019.com.strangled.net

Host.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

Wealthy2019.com.strangled.net

Host.exe

Remote address:

8.8.8.8:53

Request

Wealthy2019.com.strangled.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response
DNS

wealthyme.ddns.net

Host.exe

Remote address:

8.8.8.8:53

Request

wealthyme.ddns.net

IN A

Response
DNS

wealth.warzonedns.com

RtDCpl64.exe

Remote address:

8.8.8.8:53

Request

wealth.warzonedns.com

IN A

Response

150.171.28.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2e224c3903d4f169dce1f7f7a59ab06&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=

tls, http2

3.3kB
9.5kB
25
18

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2e224c3903d4f169dce1f7f7a59ab06&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d2e224c3903d4f169dce1f7f7a59ab06&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2e224c3903d4f169dce1f7f7a59ab06&localId=w:B882D0B0-45F1-9538-0AB2-A1D709258A23&deviceId=6896210250709091&anid=

HTTP Response

204

8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Host.exe

150 B
268 B
2
2

DNS Request

Wealthy2019.com.strangled.net

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

11.153.16.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

11.153.16.2.in-addr.arpa
8.8.8.8:53

131.31.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

131.31.126.40.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

112 B
148 B
2
1

DNS Request

g.bing.com

DNS Request

g.bing.com

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

10.28.171.150.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

10.28.171.150.in-addr.arpa

DNS Request

10.28.171.150.in-addr.arpa
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

64 B
124 B
1
1

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Host.exe

75 B
134 B
1
1

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

64 B
124 B
1
1

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Host.exe

75 B
134 B
1
1

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

64 B
124 B
1
1

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

212.20.149.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

212.20.149.52.in-addr.arpa
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Host.exe

75 B
134 B
1
1

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

22.49.80.91.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

22.49.80.91.in-addr.arpa
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

64 B
124 B
1
1

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Host.exe

75 B
134 B
1
1

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

64 B
124 B
1
1

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Host.exe

75 B
134 B
1
1

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

64 B
124 B
1
1

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Host.exe

75 B
134 B
1
1

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

64 B
124 B
1
1

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Host.exe

75 B
134 B
1
1

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

64 B
124 B
1
1

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Host.exe

75 B
134 B
1
1

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

64 B
124 B
1
1

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Host.exe

75 B
134 B
1
1

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

64 B
124 B
1
1

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Host.exe

75 B
134 B
1
1

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

64 B
124 B
1
1

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

Wealthy2019.com.strangled.net

dns

Host.exe

75 B
134 B
1
1

DNS Request

Wealthy2019.com.strangled.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com
8.8.8.8:53

wealthyme.ddns.net

dns

Host.exe

64 B
124 B
1
1

DNS Request

wealthyme.ddns.net
8.8.8.8:53

wealth.warzonedns.com

dns

RtDCpl64.exe

67 B
140 B
1
1

DNS Request

wealth.warzonedns.com

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Blasthost.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

Filesize
1.4MB

MD5
c9aa1bc7fd2406c57e9d22abd1701339

SHA1
8677a00a7289cb1f52613eac66d53d25f5b7fb7e

SHA256
049a4053235e328da6a5731c2d2ee0164e93a7611519677d1fe599b3bba06207

SHA512
20fad8cbbb04c98bbc52c8ae7c1ffc5aa41c4281230aa8796bcd57c7e268882c66d2ae611182bcf5e522e1e9ac79b61831e4cad11b3de25c167914700cf6931e

Download Submit
memory/32-51-0x00000000008B0000-0x0000000000A1B000-memory.dmp

Filesize
1.4MB

Download
memory/32-33-0x00000000008B0000-0x0000000000A1B000-memory.dmp

Filesize
1.4MB

Download
memory/1060-15-0x0000000000E30000-0x0000000000E4D000-memory.dmp

Filesize
116KB

Download
memory/1060-23-0x0000000000E30000-0x0000000000E4D000-memory.dmp

Filesize
116KB

Download
memory/1164-42-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1164-50-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1892-77-0x00000000008B0000-0x0000000000A1B000-memory.dmp

Filesize
1.4MB

Download
memory/2912-26-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3688-25-0x0000000000380000-0x00000000004EB000-memory.dmp

Filesize
1.4MB

Download
memory/3688-14-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3688-0-0x0000000000380000-0x00000000004EB000-memory.dmp

Filesize
1.4MB

Download
memory/4196-56-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4208-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4360-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4380-79-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/4436-82-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4512-52-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads