Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
4s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
09/01/2024, 07:05 UTC
General
-
Target
PortChecker.exe
-
Size
128KB
-
MD5
f9e1db23e7a2293a089963351994208d
-
SHA1
dd60e6052959bf6787e035ce4122f4b9f461ce14
-
SHA256
27a739ca787fa265624d3ab8a5311a0e0f7d39c79c3c5365aff25159b0bb8dd4
-
SHA512
7058767d13fc57534f437b6c077d70ced53a0a8f53a03259dc3cc513ab07809c04303db649ba368b67bddee854f78c8570aa46d5f468720caa26696a8d70bc8e
-
SSDEEP
1536:KENNZHJxxl+LxcZDWAy3OgHEtIyAq3Hoa35ecoNVkSQLVz4ZkNfG:pNHHgKZ4Et5lTRoNO5VEZkNe
Score
8/10
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PortChecker.exe"C:\Users\Admin\AppData\Local\Temp\PortChecker.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\smss.exe/d C:\Users\Admin\AppData\Local\Temp\PortChecker.exe2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\smss.exe" CityScape Enable2⤵
- Modifies Windows Firewall
-
Network
-
DNSwww.maxmind.comRemote address:8.8.8.8:53Requestwww.maxmind.comIN AResponsewww.maxmind.comIN A104.18.145.235www.maxmind.comIN A104.18.146.235 -
GEThttp://www.maxmind.com/app/locate_my_ipRemote address:104.18.145.235:80RequestGET /app/locate_my_ip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: www.maxmind.com
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Date: Tue, 09 Jan 2024 08:36:48 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 09 Jan 2024 09:36:48 GMT
Location: https://www.maxmind.com/app/locate_my_ip
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 842b5acd8d84dcff-LHR
-
GEThttp://www.maxmind.com/en/locate_my_ipRemote address:104.18.145.235:80RequestGET /en/locate_my_ip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Connection: Keep-Alive
Host: www.maxmind.com
ResponseHTTP/1.1 301 Moved Permanently
Date: Tue, 09 Jan 2024 08:37:02 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 09 Jan 2024 09:37:02 GMT
Location: https://www.maxmind.com/en/locate_my_ip
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 842b5b20c862dcff-LHR
-
GEThttps://www.maxmind.com/app/locate_my_ipRemote address:104.18.145.235:443RequestGET /app/locate_my_ip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Connection: Keep-Alive
Host: www.maxmind.com
ResponseHTTP/1.1 301 Moved Permanently
Date: Tue, 09 Jan 2024 08:37:02 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
location: http://www.maxmind.com/en/locate_my_ip
CF-Cache-Status: DYNAMIC
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 842b5b1f6a9506b2-LHR
-
GEThttps://www.maxmind.com/en/locate_my_ipRemote address:104.18.145.235:443RequestGET /en/locate_my_ip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Connection: Keep-Alive
Host: www.maxmind.com
ResponseHTTP/1.1 301 Moved Permanently
Date: Tue, 09 Jan 2024 08:37:02 GMT
Content-Length: 0
Connection: keep-alive
cache-control: no-cache, no-store
content-security-policy: base-uri 'self'; connect-src 'self' minfraud.maxmind.com static.maxmind.com status.maxmind.com *.mmapiws.com *.googleapis.com *.doubleclick.net https://api.hubspot.com https://forms.hscollectedforms.net https://forms-na1.hsforms.com https://forms.hsforms.com https://geoip.maxmind.com; default-src 'self'; font-src 'self' fonts.maxmind.com static.maxmind.com fonts.gstatic.com; form-action 'self' *.paypal.com https://forms.hsforms.com; frame-ancestors 'self'; frame-src 'self' *.paypal.com https://app.hubspot.com https://forms.hsforms.com www.youtube.com; img-src 'self' data: static.maxmind.com https:; object-src 'none'; script-src 'self' device.maxmind.com static.maxmind.com *.googleapis.com www.googletagmanager.com www.youtube.com https://js.hsforms.net https://js.hs-scripts.com https://js.hs-analytics.net https://js.hscollectedforms.net https://js.hs-banner.com https://js.usemessages.com 'unsafe-inline'; style-src 'self' static.maxmind.com *.googleapis.com
content-security-policy: block-all-mixed-content; script-src 'sha256-mIN6atpCFE6wi11ouke1PkFs7z1RJWEbnR96xANQEQ0=' 'nonce-1zpQOInLT3G6Rh2m3/4PJA==' 'strict-dynamic'; style-src 'nonce-1zpQOInLT3G6Rh2m3/4PJA=='
expires: 0
feature-policy: accelerometer 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; usb 'none'; sync-xhr 'none'
location: /en/locate-my-ip-address
permissions-policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), ch-ua=(), ch-ua-arch=(), ch-ua-bitness=(), ch-ua-full-version=(), ch-ua-full-version-list=(), ch-ua-mobile=(), ch-ua-model=(), ch-ua-platform=(), ch-ua-platform-version=(), ch-ua-wow64=(), clipboard-read=(), clipboard-write=(self), conversion-measurement=(), cross-origin-isolated=(), display-capture=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), focus-without-user-activation=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), join-ad-interest-group=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(self), run-ad-auction=(), screen-wake-lock=(), serial=(), shared-autofill=(), speaker-selection=(), sync-script=(), sync-xhr=(), trust-token-redemption=(), unload=(), usb=(), vertical-scroll=(), web-share=(), window-placement=(), xr-spatial-tracking=()
pragma: no-cache
referrer-policy: strict-origin-when-cross-origin
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
CF-Cache-Status: HIT
Age: 7
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 842b5b212bdb06b2-LHR
-
GEThttps://www.maxmind.com/en/locate-my-ip-addressRemote address:104.18.145.235:443RequestGET /en/locate-my-ip-address HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Connection: Keep-Alive
Host: www.maxmind.com
ResponseHTTP/1.1 200 OK
Date: Tue, 09 Jan 2024 08:37:02 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 6856
Connection: keep-alive
cache-control: no-cache, no-store
content-encoding: gzip
content-security-policy: base-uri 'self'; connect-src 'self' minfraud.maxmind.com static.maxmind.com status.maxmind.com *.mmapiws.com *.googleapis.com *.doubleclick.net https://api.hubspot.com https://forms.hscollectedforms.net https://forms-na1.hsforms.com https://forms.hsforms.com https://geoip.maxmind.com; default-src 'self'; font-src 'self' fonts.maxmind.com static.maxmind.com fonts.gstatic.com; form-action 'self' *.paypal.com https://forms.hsforms.com; frame-ancestors 'self'; frame-src 'self' *.paypal.com https://app.hubspot.com https://forms.hsforms.com www.youtube.com; img-src 'self' data: static.maxmind.com https:; object-src 'none'; script-src 'self' device.maxmind.com static.maxmind.com *.googleapis.com www.googletagmanager.com www.youtube.com https://js.hsforms.net https://js.hs-scripts.com https://js.hs-analytics.net https://js.hscollectedforms.net https://js.hs-banner.com https://js.usemessages.com 'unsafe-inline'; style-src 'self' static.maxmind.com *.googleapis.com
content-security-policy: block-all-mixed-content; script-src 'sha256-mIN6atpCFE6wi11ouke1PkFs7z1RJWEbnR96xANQEQ0=' 'nonce-8buEoHbjRmqp4sAabyEo1w==' 'strict-dynamic'; style-src 'nonce-8buEoHbjRmqp4sAabyEo1w=='
expires: 0
feature-policy: accelerometer 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; usb 'none'; sync-xhr 'none'
permissions-policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), ch-ua=(), ch-ua-arch=(), ch-ua-bitness=(), ch-ua-full-version=(), ch-ua-full-version-list=(), ch-ua-mobile=(), ch-ua-model=(), ch-ua-platform=(), ch-ua-platform-version=(), ch-ua-wow64=(), clipboard-read=(), clipboard-write=(self), conversion-measurement=(), cross-origin-isolated=(), display-capture=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), focus-without-user-activation=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), join-ad-interest-group=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(self), run-ad-auction=(), screen-wake-lock=(), serial=(), shared-autofill=(), speaker-selection=(), sync-script=(), sync-xhr=(), trust-token-redemption=(), unload=(), usb=(), vertical-scroll=(), web-share=(), window-placement=(), xr-spatial-tracking=()
pragma: no-cache
referrer-policy: strict-origin-when-cross-origin
set-cookie: mm_session=532112fba30d181cb271b4464e694e47a5ef985f--b06942f650d3682ad9b6e007546de5d40d3c4eae3a1fb9ac8522a61a5fa0d1a0; Path=/; HttpOnly; Secure; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
CF-Cache-Status: BYPASS
Accept-Ranges: bytes
Server: cloudflare
CF-RAY: 842b5b218c3106b2-LHR
-
DNSfearrusty.no-ip.infoRemote address:8.8.8.8:53Requestfearrusty.no-ip.infoIN AResponse
-
104.18.145.235:80http://www.maxmind.com/en/locate_my_iphttp
HTTP Request
GET http://www.maxmind.com/app/locate_my_ipHTTP Response
301HTTP Request
GET http://www.maxmind.com/en/locate_my_ipHTTP Response
301 -
104.18.145.235:443https://www.maxmind.com/en/locate-my-ip-addresstls, http
HTTP Request
GET https://www.maxmind.com/app/locate_my_ipHTTP Response
301HTTP Request
GET https://www.maxmind.com/en/locate_my_ipHTTP Response
301HTTP Request
GET https://www.maxmind.com/en/locate-my-ip-addressHTTP Response
200
-
8.8.8.8:53www.maxmind.comdns
DNS Request
www.maxmind.com
DNS Response
104.18.145.235104.18.146.235
-
8.8.8.8:53fearrusty.no-ip.infodns
DNS Request
fearrusty.no-ip.info